Safe to disable NTLMv2 Authentication for Storefront servers?

[Matthias Heszlig]

Hi all,

 

a customer did a security audit in which one result was that their Storefront servers use NTLM authentication. The customer wants to disable NTLM in his domain entirely.

 

Unfortunately, I could not find any documentation on this issue, so I checked my lab (Virtual Apps and Desktops 2203 LTSR CU2) where I could find the same NTLM authentication events. To see what happens, I set the domain controllers policy to deny all NTLM authentication requests. Now storefront is still working fine and the events are gone. Does anybody know if there is a official documentation that NTLM can be disabled for Storefront servers?

[Jonathan Adams1709163648]

StoreFront does require NTLM for syncing subscriptions and credentials between StoreFront servers in a server group.

[George Perkins1709160940]

@Jonathan Adams1709163648Can you please provide a citation in the Citrix documentation where it is shown that NTLM is a requirement?  Kerberos has been available over 10 years with statements of direction from Microsoft to do new development to eliminate NTLM. 

 NTLM is no longer secure.  I agree with @Matthias who posted the question it is a requirement to disable NTLM in our domain. I'd like to configure Citrix to allow that. How?