How to setup Symantec Management Platform environment to use Kerberos authentication if NTLM is disabled


Article ID: 223575


Updated On:


IT Management Suite



Our security team wants to disable NTLM authentication on our Active Directory domain. I can see that the Altiris Agent (Symantec Management Agent (SMA)) connectivity credentials account is using NTLM. How do I get the agent to use Kerberos?


ITMS 8.1 RU2 and later


We've tested and fixed SMA to use Kerberos if it is configured correctly. SMA uses not "NTML" but "Negotiate" security provider in Windows and the provider itself selects whether to use Kerberos or NTLM. If Kerberos is configured when "Negotiate", the security provider will use it. The important option "authPersistNonNTLM" should be set to True; otherwise, there will be HTTP authentication errors. 

In the attached document are steps needed to be done to disable NTLM and make Kerberos communication works based on a default environment installation.

Note: The following steps (see attached "ITMS 8.5 RU2-How to setup environment to use Kerberos authentication.pdf") are provided "AS-IS" since this is outside of our regular Support or testing procedures.


1631218304845__ITMS 8.5 RU2-How to setup environment to use Kerberos authentication.pdf get_app