Overview
When users authenticate with NTLM on the DC, they are not logged in automatically unless they open a browser page. The authorization problem appears on the first PC startup. The users have a manual proxy specified in Windows settings.
Debug logs with "User authentication" show the following output:
{auth} 10.2.X.X client wants to use Negotiate for Proxy server authorization
{auth} NTLM: unexpected response from NTLM server.(NA NT_STATUS_INVALID_PARAMETER)
Security log displays:
Authentication: HTTP Proxy: Client: 10.2.X.X: Unsuccessful authentication, user not found
This article provides details on possible root causes for this issue.
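To see which clients are affected, the two log excerpts above can be correlated by client IP. The following is an added example, not part of the original article or of Kerio Control; the timestamp prefix and the concrete host addresses in the sample are constructed, and the matching relies only on the line text quoted above.

```python
import re
from collections import Counter

# Constructed sample: line bodies are the ones quoted in this article; the
# bracketed timestamp prefix and the .21/.37 host octets are assumptions.
DEBUG_LOG = """\
[01/Jan/2024 08:00:01] {auth} 10.2.0.21 client wants to use Negotiate for Proxy server authorization
[01/Jan/2024 08:00:01] {auth} NTLM: unexpected response from NTLM server.(NA NT_STATUS_INVALID_PARAMETER)
[01/Jan/2024 08:00:05] {auth} 10.2.0.37 client wants to use Negotiate for Proxy server authorization
[01/Jan/2024 08:03:10] {auth} 10.2.0.21 client wants to use Negotiate for Proxy server authorization
[01/Jan/2024 08:03:10] {auth} NTLM: unexpected response from NTLM server.(NA NT_STATUS_INVALID_PARAMETER)
"""
SECURITY_LOG = """\
[01/Jan/2024 08:00:01] Authentication: HTTP Proxy: Client: 10.2.0.21: Unsuccessful authentication, user not found
[01/Jan/2024 08:03:10] Authentication: HTTP Proxy: Client: 10.2.0.21: Unsuccessful authentication, user not found
"""
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
NEGOTIATE = re.compile(r"\{auth\} " + IP + r" client wants to use Negotiate")
NTLM_ERR = re.compile(r"\{auth\} NTLM: unexpected response from NTLM server\.\(NA (NT_STATUS_\w+)\)")
SEC_FAIL = re.compile(r"HTTP Proxy: Client: " + IP + r": Unsuccessful authentication")


def ntlm_failures(debug_text):
    """Count NTLM server errors in the debug log, keyed by (client_ip, status)."""
    failures, last_client = Counter(), None
    for line in debug_text.splitlines():
        neg, err = NEGOTIATE.search(line), NTLM_ERR.search(line)
        if neg:
            last_client = neg.group(1)
        elif err and last_client:
            # The error line carries no IP, so attribute it to the most recent
            # Negotiate request (a heuristic when many clients log at once).
            failures[(last_client, err.group(1))] += 1
            last_client = None
    return failures


def confirmed_clients(debug_text, security_text):
    """Map client IP -> (NTLM errors, proxy rejections) when both logs agree."""
    rejected = Counter(SEC_FAIL.findall(security_text))
    per_ip = Counter()
    for (ip, _status), n in ntlm_failures(debug_text).items():
        per_ip[ip] += n
    return {ip: (n, rejected[ip]) for ip, n in per_ip.items() if ip in rejected}


if __name__ == "__main__":
    for ip, (errs, rejects) in confirmed_clients(DEBUG_LOG, SECURITY_LOG).items():
        print(f"{ip}: {errs} NTLM errors, {rejects} proxy rejections")
```

A client that appears in both counts on every boot but authenticates once a browser is opened matches the behaviour described in this article.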
Information
When the proxy server is configured to use a Kerio Control non-transparent proxy, the automatic configuration of browsers may take several hours.
For testing purposes, the automatic user logout was configured to time out after 1 minute of inactivity, along with the "Always require users to be authenticated" and "Enable automatic authentication using NTLM" options.
The user is successfully logged out after 1 minute of inactivity, but once the browser is opened, the Authentication Type in the active hosts menu is shown as NTLM.
After booting up the PC again, the user is auto-reauthenticated via Proxy auth type.
The NTLM and proxy errors are generated because of connection issues between AD and the client's PC (invalid parameters sent). It's advisable to unjoin, then rejoin Kerio Control to AD.
Also, there is an MS discussion about Proxy settings being changed automatically in Windows 10. You can check a 3rd-party article to fix this issue by modifying Group Policies.
If this doesn't fix the issue, it's advisable to check the logs on the NTLM server for any clues, since the NT_STATUS_INVALID_PARAMETER error is from the NTLM server.
Furthermore, if the logs don't provide much information, the methods listed in the article User is Being Prompted for Credentials While Using NTLM can also be used to fix the issue.