Saturday, April 20, 2024 9:33:13 AM

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

4 years ago
#132 Quote
What does this error actually mean and how do I prevent it?

Log Name:      System
Source:        LsaSrv
Date:          21/08/2019 13:11:00
Event ID:      6038
Task Category: None
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      %computername%.domain.local
Description:
Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.

NTLM is a weaker authentication mechanism. Please check:

      Which applications are using NTLM authentication?
      Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?

Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LsaSrv" Guid="{199fe037-2b82-40a9-82ac-e1d46c792b99}" EventSourceName="LsaSrv" />
    <EventID Qualifiers="0">6038</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2019-08-21T12:11:00.902533900Z" />
    <EventRecordID>1537466</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>%computername%.domain.local.net</Computer>
    <Security />
  </System>
  <EventData>
  </EventData>
</Event>
0
3 years ago
#228 Quote
You can avoid this event and its implications by restricting NTLM using group policy. You may have an older application, such as an older Access database etc., that uses NTLM, in which case you need to upgrade to a newer version.

The easiest solution is to raise the domain functional level to 2012 R2 or greater if you do not need NTLM anymore. This will deprecate NTLM being used by clients to communicate with AD Domain Controllers which should clear your event log error.

Open Active Directory Domains and Trusts:



MAKE DOUBLY SURE YOU NO LONGER NEED NTLM BEFORE UPGRADING !!!

Right click as above and raise the forest level to 2012 R2 or later; the domain will be upgraded as appropriate.

In the Domain Controller event log you will see:


Event ID: 2040
The functional level of this forest has been updated.
New forest functional level:6

Event ID: 1968
Active Directory Domain Services has raised the domain functional level for this domain to be compatible with the current forest functional level.

domain:
DC=domain,DC=local
Current forest functional level: 6
Previous domain functional level:4
Current domain functional level: 6

Level 6 indicates 2012 R2 in this case.

You can check this by trying to raise the domain functional level further:



MS have written an article about securing NTLM: http://technet.microsoft.com/en-us/library/jj865674(v=ws.10).aspx
0