Microsoft has deprecated NTLM authentication on Windows and Windows servers, urging developers to transition to Kerberos or Negotiation authentication for enhanced security. NTLM, introduced in 1993, is no longer under active development and will be phased out due to increased vulnerabilities and risks. Despite new measures introduced by Microsoft, such as SMB security signing, attacks on NTLM authentication persist, prompting the need for a transition to more secure alternatives.
This move isn’t surprising, as Microsoft first announced its intention to kill off the aging authentication protocol in October 2023, urging admins to move to Kerberos and other contemporary authentication systems, like Negotiate. NTLM has been extensively abused in cyberattacks known as ‘NTLM Relay’ attacks, where Windows domain controllers are taken over by forcing them to authenticate against malicious servers.
Apart from the weaker encryption used in NTLM, compared to more modern protocols like Kerberos, the protocol’s performance is subpar, requiring more network round trips, and does not support single sign-on (SSO) technologies. NTLM will still work in the next release of Windows Server and the next annual release of Windows. Still, users and application developers should transition to ‘Negotiate,’ which attempts to authenticate with Kerberos first and falls back to NTLM only when necessary.
Microsoft recommends that system administrators utilize auditing tools to understand how NTLM is being used within their environment and identify all instances that need to be considered in formulating a transition plan. For most applications, replacing NTLM with Negotiate can be achieved by a one-line change in the ‘AcquireCredentialsHandle’ request to the Security Support Provider Interface (SSPI). However, there are exceptions where more extensive changes might be required. Negotiate has a built-in fallback to NTLM to mitigate compatibility issues during the transition period. Administrators stuck with authentication problems can check out Microsoft’s Kerberos troubleshooting guide.
