Key Takeaways:
- Microsoft has deprecated the NT LAN Manager (NTLM) user authentication protocol in Windows and Windows Server.
- The change is meant to encourage adoption of the more secure Kerberos protocol.
- Microsoft recommends using the Negotiate protocol as a fallback mechanism, allowing seamless interoperability between NTLM and Kerberos.
Last year, Microsoft detailed plans to phase out NT LAN Manager (NTLM) user authentication to promote the adoption of the more robust Kerberos protocol. Now, the company has taken a definitive step by officially deprecating NTLM authentication in both Windows and Windows Server environments.
NTLM is an authentication protocol that lets a client authenticate to a server with a username and password. It is part of the Windows security architecture and uses a challenge/response mechanism: the server issues a challenge, and the client answers with an authentication message whose response is derived from the hash of the user’s password.
Microsoft replaced NTLM with Kerberos as the default authentication protocol in Windows 2000 and later Active Directory domains, primarily because Kerberos offers stronger cryptography and server authentication. NTLM nonetheless remains in wide use in certain scenarios, mainly for backward compatibility with legacy systems.
NTLM has well-known weaknesses: it is susceptible to man-in-the-middle, relay, and pass-the-hash attacks, and it lacks support for modern authentication methods such as biometrics, multifactor authentication, and FIDO keys. Microsoft advises organizations to switch to modern authentication mechanisms to bolster their security against cyber threats.
According to Microsoft, NTLM will continue to work on Windows 11 version 24H2 and Windows Server 2025. The company suggests that customers use the Negotiate protocol, which falls back to NTLM only when Kerberos isn’t available. This protocol is useful in environments where both NTLM and Kerberos are in use, as it allows seamless interoperability across systems with different authentication methods.
“All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary,” Microsoft explained.
Microsoft urges administrators to identify where NTLM is being used within their organizations. Administrators can use NTLM auditing tools to find every instance that needs to be considered when drawing up a transition plan. Typically, system admins will need to make a minor change to the ‘AcquireCredentialsHandle’ request sent to the Security Support Provider Interface (SSPI), requesting the Negotiate package instead of NTLM.
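One way to carry out the NTLM auditing step described above, as an added example that is not from the article or from Microsoft: turn on the audit-only "Restrict NTLM" settings through their registry values on a member server, then summarize the resulting events from the Microsoft-Windows-NTLM/Operational log. The registry value names and event IDs are Windows' own; the output file path is an assumption.

```powershell
# Added example (not from the article): inventory NTLM use on a member server
# before switching callers to Negotiate. Run in an elevated PowerShell session.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Audit-only settings (Group Policy: "Network security: Restrict NTLM: ...").
# AuditReceivingNTLMTraffic = 2 -> audit incoming NTLM for all accounts
# RestrictSendingNTLMTraffic = 1 -> audit (do not block) outgoing NTLM
Set-ItemProperty -Path $lsaKey -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
Set-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# Once events have accumulated, read the NTLM operational log.
# 8001 = outgoing NTLM to a remote server, 8002 = incoming NTLM from a client,
# 8003 = NTLM authentication to this domain, 8004 = domain controller audit.
$log = 'Microsoft-Windows-NTLM/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8001, 8002, 8003, 8004 } -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No NTLM audit events yet; let the audit policy run for a while.'
    return
}

# Summary: how much NTLM is in use, and in which direction.
$events | Group-Object Id | Select-Object Name, Count | Sort-Object Name

# Keep the full messages so each caller (service, share, application) can be
# traced back to the code path that still requests "NTLM" instead of "Negotiate".
# The output path is an assumption; adjust it for your environment.
$events |
    Select-Object TimeCreated, Id, MachineName, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Export-Csv -Path "$env:TEMP\ntlm-audit-inventory.csv" -NoTypeInformation
```

Connections made by IP address rather than hostname are a frequent reason Negotiate ends up at NTLM, since no Kerberos service principal name can be matched for the target.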
Microsoft notes that organizations can use the built-in fallback mechanism of the Negotiate protocol to address compatibility issues during the transition period. For more details on handling authentication issues, we invite you to check out this Kerberos troubleshooting guide.