June 4, 2024 at 11:51AM
Microsoft has deprecated NTLM authentication on Windows and Windows servers, encouraging transition to Kerberos or Negotiation authentication for better security. NTLM, an aging protocol still widely used, faces abuse in cyberattacks. Microsoft suggests system administrators audit NTLM usage and transition to Negotiate, with a built-in fallback to NTLM. Detailed transition guidance is available from Microsoft.
Key Takeaways from the Meeting Notes:
1. Microsoft has officially deprecated NTLM authentication on Windows and Windows servers, encouraging developers to transition to Kerberos or Negotiation authentication for enhanced security.
2. NTLM authentication, introduced in 1993, is no longer under active development and will be phased out in favor of more secure alternatives.
3. The move to deprecate NTLM is due to its vulnerabilities, including susceptibility to cyberattacks such as ‘NTLM Relay’ attacks and weaknesses in encryption, performance, and support for single sign-on (SSO) technologies.
4. While NTLM will still work in the next release of Windows Server and the next annual release of Windows, users and application developers are advised to transition to ‘Negotiate,’ which attempts to authenticate with Kerberos first and falls back to NTLM when necessary.
5. System administrators are recommended to utilize auditing tools to understand how NTLM is being used within their environment and to identify all instances requiring consideration in formulating a transition plan.
6. The transition from NTLM to Negotiate for most applications may require a one-line change in the ‘AcquireCredentialsHandle’ request to the Security Support Provider Interface (SSPI), but exceptions may necessitate more extensive changes.
7. Negotiate has a built-in fallback to NTLM to mitigate compatibility issues during the transition period.
8. Administrators encountering authentication problems are directed to Microsoft’s Kerberos troubleshooting guide for assistance.