How to disable NTLM for UiPath Orchestrator?

Is it possible to prevent UiPath Orchestrator from using NTLM as a Windows authentication package?

Microsoft NTLM, also known as the Windows Challenge/Response, is an authentication protocol available to systems running Windows OS.

UiPath Orchestrator utilizes NTLM when users log into the Orchestrator management portal through Windows Authentication. By default, Windows Authentication in Microsoft IIS leverages the Negotiate package, in which clients and the web server "negotiate" which authentication package to use: Kerberos or NTLM. If Kerberos cannot be used, the Orchestrator website will fall back on NTLM.

To prevent this behavior, ensure that Kerberos authentication is properly configured and that IIS is configured to only support the Negotiate:Kerberos authentication package. The following steps outline this procedure:

  1. Perform the steps in Configuring the Active Directory Integration. This lays the groundwork for Kerberos authentication (i.e. establishing an appropriate application pool identity and registering the corresponding Service Principal Names (SPNs)).
  2. In IIS, navigate to UiPath Orchestrator > Authentication > Windows Authentication > Providers.
  3. Remove the Negotiate and NTLM providers and add Negotiate:Kerberos.
  4. Perform an IIS reset.
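Steps 2 through 4 can also be applied from the command line. The following PowerShell is an added example, not UiPath's own script; it uses the IIS WebAdministration module and assumes the IIS site is named `UiPath Orchestrator` (adjust `$SiteName` if yours differs). It must be run in an elevated session on the Orchestrator server after step 1 is complete, otherwise Windows logins will fail once NTLM fallback is removed.

```powershell
# Added example (not UiPath's own code): restrict the Orchestrator site's
# Windows Authentication providers to Negotiate:Kerberos and restart IIS.
# Assumptions: site name 'UiPath Orchestrator', WebAdministration module
# present (IIS role), elevated session, Kerberos SPNs already registered.

Import-Module WebAdministration

$SiteName = 'UiPath Orchestrator'   # assumption: change to your IIS site name
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$WinAuth  = 'system.webServer/security/authentication/windowsAuthentication'

# Make sure Windows Authentication itself is enabled on the site.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter $WinAuth -Name 'enabled' -Value $true

function Get-WinAuthProviders {
    # Returns the provider names currently configured for the site.
    Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$WinAuth/providers" -Name 'Collection' |
        Select-Object -ExpandProperty value
}

$before = @(Get-WinAuthProviders)
Write-Host "Providers before: $($before -join ', ')"

# Remove the providers that permit NTLM: 'NTLM' directly and 'Negotiate',
# which lets the client fall back to NTLM when Kerberos is unavailable.
foreach ($provider in @('Negotiate', 'NTLM')) {
    if ($before -contains $provider) {
        Remove-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
            -Filter "$WinAuth/providers" -Name '.' -AtElement @{ value = $provider }
    }
}

# Negotiate:Kerberos advertises Kerberos only and never falls back to NTLM.
if ($before -notcontains 'Negotiate:Kerberos') {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "$WinAuth/providers" -Name '.' -Value @{ value = 'Negotiate:Kerberos' }
}

$after = @(Get-WinAuthProviders)
Write-Host "Providers after:  $($after -join ', ')"

if ($after -contains 'NTLM' -or $after -contains 'Negotiate') {
    throw 'An NTLM-capable provider is still configured; aborting before reset.'
}

# Step 4: restart IIS so the new provider list takes effect.
iisreset
```

The guard before `iisreset` is deliberate: if the provider list still contains `Negotiate` or `NTLM` the change did not apply, and restarting IIS would only give the appearance of success while NTLM fallback remains possible.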

To confirm that NTLM is disabled, monitor the Windows Event Viewer Security log for logon events with Event ID 4624 and verify that the Authentication Package value reads Kerberos. Logon events whose Authentication Package value reads NTLM indicate that the fallback is still occurring.
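Reading individual 4624 events in Event Viewer does not scale once Orchestrator has many users, so the check is easier to run as a script. The following PowerShell is an added example and not part of UiPath's documentation; it runs on the Orchestrator server in an elevated session (or as a member of Event Log Readers), pulls recent 4624 events, keeps only network logons (logon type 3, which is what IIS Windows Authentication produces), and tallies them by authentication package. The event field names it reads (`LogonType`, `AuthenticationPackageName`, `LmPackageName`, `TargetUserName`, `WorkstationName`, `IpAddress`) are the standard 4624 EventData fields; `$MaxEvents` is an assumed sample size.

```powershell
# Added example (not UiPath's own code): summarise Security-log 4624 events by
# authentication package so NTLM fallback to the Orchestrator site is visible.
# Assumptions: run on the Orchestrator server with rights to read the Security
# log; network logons (type 3) are the ones produced by IIS Windows Auth.

function Get-LogonPackageSummary {
    param(
        [int]$MaxEvents = 2000,   # assumed sample size; raise for busy servers
        [int]$LogonType = 3       # 3 = Network (IIS Windows Authentication)
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Each 4624 event carries its fields as <Data Name="...">value</Data>.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ([int]$data['LogonType'] -ne $LogonType) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Package     = $data['AuthenticationPackageName']   # Kerberos or NTLM
            LmPackage   = $data['LmPackageName']               # e.g. NTLM V2 when NTLM was used
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
        }
    }
}

$logons = @(Get-LogonPackageSummary)

# Overall distribution: after the change, Orchestrator logins should all be Kerberos.
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

$ntlm = @($logons | Where-Object { $_.Package -eq 'NTLM' })
if ($ntlm.Count -gt 0) {
    Write-Warning "$($ntlm.Count) network logons still used NTLM:"
    $ntlm | Sort-Object Time -Descending |
        Format-Table Time, User, Workstation, SourceIp, LmPackage -AutoSize
} else {
    Write-Host 'No NTLM network logons found in the sampled events.'
}
```

One caveat when reading the output: the Security log records every network logon to the server, not only those made through the Orchestrator website. NTLM entries from file shares, SQL connections or monitoring agents on the same host will show up in the same list, so correlate the `SourceIp` and `User` columns with known Orchestrator clients before concluding that the IIS change did not take effect.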