Microsoft has officially deprecated NTLM authentication on Windows and Windows servers, stating that developers should transition to Kerberos or Negotiation authentication to prevent problems in the future.
New Technology LAN Manager, better known as NTLM, is an authentication protocol first released in 1993 as part of Windows NT 3.1 and as the successor to the LAN Manager (LM) protocol.
Microsoft says the NTLM protocols, which are still widely used today, are no longer under active development as of June and will be phased out in favor of more secure alternatives.
This move isn’t surprising, as Microsoft first announced its intention to kill off the aging authentication protocol in October 2023, urging admins to move to Kerberos and other contemporary authentication systems, like Negotiate.
NTLM has been extensively abused in cyberattacks known as ‘NTLM Relay’ attacks, where Windows domain controllers are taken over by forcing them to authenticate against malicious servers.
Despite Microsoft introducing new measures to defend against those attacks, like SMB security signing, attacks on NTLM authentication continue.
For example, password hashes can still be snatched and used in “pass-the-hash” attacks, obtained in phishing attacks, or extracted directly from stolen Active Directory databases or a server’s memory. The attackers can then crack the hashes to get a user’s plaintext password.
Apart from the weaker encryption used in NTLM, compared to more modern protocols like Kerberos, the protocol’s performance is subpar, requiring more network round trips, and does not support single sign-on (SSO) technologies.
All that said, NTLM is considered severely outdated by 2024 security and authentication standards, so Microsoft is deprecating it.
NTLM phase-out process
NTLM will still work in the next release of Windows Server and the next annual release of Windows. Still, users and application developers should transition to ‘Negotiate,’ which attempts to authenticate with Kerberos first and falls back to NTLM only when necessary.
Microsoft recommends that system administrators utilize auditing tools to understand how NTLM is being used within their environment and identify all instances that need to be considered in formulating a transition plan.
For most applications, replacing NTLM with Negotiate can be achieved by a one-line change in the ‘AcquireCredentialsHandle’ request to the Security Support Provider Interface (SSPI). However, there are exceptions where more extensive changes might be required.
Negotiate has a built-in fallback to NTLM to mitigate compatibility issues during the transition period.
Administrators stuck with authentication problems can check out Microsoft’s Kerberos troubleshooting guide.
