Policy

Disallow Kerberos authentication

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client.

Policy
Pack Microsoft Windows
Category Windows Components / Windows Remote Management (WinRM) / WinRM Service
Policy ID 0e9acd30e392
Internal name DisallowKerberos_1

Registry

Copy registry mappings

HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\AllowKerberos (enabled) = 0
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\AllowKerberos (disabled) = 1

Policy notes

This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network. If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client.

Related policies

Allow Basic authenticationAllow CredSSP authenticationAllow remote server management through WinRMAllow unencrypted trafficDisallow Negotiate authenticationDisallow WinRM from storing RunAs credentialsSpecify channel binding token hardening level