I may finally be out of my depth. (Clients are not on the domain.) Clients = Windows 10; servers = 2016.
My network has its own DNS, and the FQDNs of the servers are not in public DNS. Remote clients use a public FQDN that matches the IP of the servers. Internally everything is <server>.private.net; outside it is <server>.<company name>.com (the servers are clueless about their public FQDN).
Here is the thing. NLA on and NTLM off. Clients can RDP into the domain controllers! Obviously there are certificate errors, but let's live with that for the moment. However, all I get from the member servers is "This function request is not supported" / "This could be due to CredSSP encryption oracle remediation". ALL SERVERS ARE FULLY PATCHED.
Let's not forget that... remote clients can connect to the domain controllers.
Obviously users are not connecting to the domain controllers; it's just me with a user account.
We do have an RDP gateway (but I am testing without it to narrow down the problem).
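The error text in the post is the one Windows shows when the client's and server's CredSSP "Encryption Oracle Remediation" settings are incompatible. The script below is an added diagnostic, not code from the original post: it reads the registry value that policy writes (AllowEncryptionOracle under the CredSSP Parameters key, set by Computer Configuration > Administrative Templates > System > Credentials Delegation > Encryption Oracle Remediation) and prints what it means, so the workstation and a failing member server can be compared side by side. The server name `member01` is a placeholder, and the remote read assumes WinRM is reachable from the non-domain client (TrustedHosts and explicit credentials may be needed).

```powershell
# Added diagnostic (not from the original post). Reads the CredSSP
# "Encryption Oracle Remediation" setting on this machine or a remote one.
# Compare the output from the RDP client with a member server that fails.

$CredSspParams = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

# Meaning of AllowEncryptionOracle. An absent value means the policy is
# "Not configured" and the OS default applies (Mitigated on patched systems).
$Meaning = @{
    0 = 'Force Updated Clients: refuse any peer that lacks the CredSSP update'
    1 = 'Mitigated: client will not fall back to the insecure protocol version'
    2 = 'Vulnerable: allow fallback to the insecure protocol version'
}

function Get-CredSspOracleSetting {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Script block that returns the raw DWORD, or $null when the value is absent.
    $read = {
        param($Path)
        $item = Get-ItemProperty -Path $Path -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
        if ($null -eq $item) { $null } else { [int]$item.AllowEncryptionOracle }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        $value = & $read $CredSspParams
    } else {
        # Remote read over WinRM (assumption: WinRM is enabled and reachable).
        $value = Invoke-Command -ComputerName $ComputerName -ScriptBlock $read -ArgumentList $CredSspParams
    }

    if ($null -eq $value) {
        $shown = 'not set (OS default)'
        $text  = 'Not configured; the OS default applies'
    } else {
        $shown = $value
        $text  = $Meaning[$value]
    }

    [pscustomobject]@{
        Computer              = $ComputerName
        AllowEncryptionOracle = $shown
        Meaning               = $text
    }
}

# The workstation you are connecting from, then a server that returns the error.
Get-CredSspOracleSetting
Get-CredSspOracleSetting -ComputerName 'member01'   # placeholder server name
```

If one side reports 0 and the other is unpatched, or the client is at 1 and a server is at 2, the mismatch explains the message. If both sides report 1 or "not set" on fully patched machines, this setting is not the cause and the "function request is not supported" error needs a different explanation; the script only shows the setting, it does not diagnose anything else.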