Several months ago we received news that Microsoft Will Remove NTLM Authentication in Windows 11and while NTLM authentication can still be used by business and enterprise users, built-in apps and services have reportedly encountered issues, which is why Microsoft has added two new authentication features to Kerberos.

So regarding this, Microsoft has recently updated it page deprecated feature from Windows OS, where NTLM or New Technology Lan Manager has been added there.

This NTLM retirement includes all versions of NTLM including LANMAN, NTLMv1 and NTLMv2, but in addition Microsoft also added that they will continue to work on “the next release of Windows Server and the next annual release of Windows” which means NTLM authentication will work in the 2024 Update for Windows 11, version 24H2.

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. The use of NTLM will continue to work in subsequent releases of Windows Server and subsequent annual releases of Windows.

Calls to NTLM should be replaced with calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.

Reasons Why Retired?

According to explanation Microsoft, the reason behind this move is to improve authentication security as more modern protocols like Kerberos are better in that regard. Microsoft has now also recommended using the Negotiate protocol so it will only fall back to NTLM when Kerberos is not available.

In many cases, applications should be able to replace NTLM with Negotiate using a one-line change in their AcquireCredentialsHandle request to the SSPI. One known exception is for applications that have made hard assumptions about the maximum number of round trips needed to complete authentication. In most cases, Negotiate will add at least one additional round trip. Some scenarios may require additional configuration.

And in fact, NTLM itself has been available since 1993 which is certainly quite outdated when compared to the more modern Kerberos which was introduced in Windows 2000 Service Pack 4 (SP4).

Via: Microsoft

Source link


Please enter your comment!
Please enter your name here