Microsoft officially deprecates NTLM and promotes Kerberos authentication


Several months after announcing its intention to do so, Microsoft has officially deprecated the NTLM (NT LAN Manager) authentication protocol in Windows and Windows Server.

NTLM is a decades-old protocol that has long been superseded by Kerberos, which is both more secure and more capable. NTLM will continue to work in the next release of Windows and Windows Server, but Microsoft is keen for users to start moving away from it now rather than waiting for it to be removed.


Aware that the change will require a degree of preparation for many people, Microsoft has not only provided fair warning for those still reliant on the aged protocol, but also provided advice about how to proceed.

On the page used to advise about deprecated features, the company says:

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.

Microsoft has also explained how to migrate away from NTLM. The company shares the following details:

Customers concerned about NTLM usage in their environments are encouraged to utilize NTLM auditing to investigate how NTLM is being used.

In many cases, applications should be able to replace NTLM with Negotiate using a one-line change in their AcquireCredentialsHandle request to the SSPI. One known exception is for applications that have made hard assumptions about the maximum number of round trips needed to complete authentication. In most cases, Negotiate will add at least one additional round trip. Some scenarios may require additional configuration.
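The auditing step that Microsoft recommends above, written out as an added PowerShell example (not code from the article or from Microsoft's own guidance). It switches on the "Restrict NTLM" audit policies on a member server or workstation by writing the registry values behind those policies, then summarises what the NTLM operational log has captured so that the applications and remote servers still relying on NTLM can be identified before any AcquireCredentialsHandle changes are made. The registry value names, the policy option numbers and the event IDs are the documented ones for these policies; the EventData field names differ per event ID, so the script keeps every field rather than assuming particular names. Run it in an elevated session.

```powershell
# Added example, not from the article: enable NTLM auditing, then review the results.
# Requires an elevated PowerShell session on a domain-joined member machine.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
#   0 = Disable, 1 = Enable auditing for domain accounts, 2 = Enable auditing for all accounts
Set-ItemProperty -Path $lsaKey -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord

# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#   0 = Allow all, 1 = Audit all, 2 = Deny all
# Audit first; "Deny all" is the end state once the audit log has gone quiet.
Set-ItemProperty -Path $lsaKey -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# On a domain controller, also audit NTLM authentication in the domain
# ("Network security: Restrict NTLM: Audit NTLM authentication in this domain", 7 = Enable all):
# Set-ItemProperty -Path $lsaKey -Name 'AuditNTLMInDomain' -Value 7 -Type DWord

# Make sure the operational channel that receives the audit events is enabled.
$logName = 'Microsoft-Windows-NTLM/Operational'
wevtutil.exe set-log $logName /enabled:true

# Audit events in that channel:
#   8001 = outgoing NTLM to a remote server (names the calling process and target)
#   8002 = incoming NTLM traffic (names the client workstation and account)
#   8003 = NTLM authentication in the domain, seen on the member server
#   8004 = NTLM authentication in the domain, seen on the domain controller
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8001, 8002, 8003, 8004 } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No NTLM audit events recorded yet; leave auditing on through a full business cycle."
    return
}

# Flatten each event to its ID plus every EventData field as "Name=value". The field
# names are not assumed here because they differ between the four event IDs.
$rows = foreach ($e in $events) {
    $xml    = [xml]$e.ToXml()
    $fields = foreach ($d in $xml.Event.EventData.Data) { '{0}={1}' -f $d.Name, $d.'#text' }
    [pscustomobject]@{ Id = $e.Id; Detail = ($fields -join '; ') }
}

# Identical (ID, detail) pairs collapse into one line with a count, so the noisiest
# NTLM users, i.e. the first migration targets, float to the top.
$rows |
    Group-Object Id, Detail |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Event'; Expression = { $_.Name } } |
    Format-Table -Wrap -AutoSize
```

The 8001 entries are the ones that matter for the SSPI change Microsoft describes: they name the process that requested NTLM credentials and the server it authenticated to, which is exactly the list of applications whose AcquireCredentialsHandle call needs to ask for Negotiate instead. Entries with no Kerberos-capable service principal on the target side (IP-address targets, workgroup hosts) are the "additional configuration" cases, since Negotiate will keep falling back to NTLM there until an SPN exists.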

There is further helpful information in a blog post from last year.

Image credit: Waingro /

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.