Microsoft officially deprecates NTLM, but you can still use it

NTLM will still be usable in future Windows versions.


Microsoft has officially deprecated NTLM (NT LAN Manager), a core part of Windows authentication since the 1990s, after teasing the move last month.

Microsoft's decision to stop developing every NTLM version (LANMAN, NTLMv1 and NTLMv2) marks a clear shift toward newer, safer authentication methods.

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.

Microsoft

Instead, Microsoft is steering developers to the Negotiate security package, which tries Kerberos first and falls back to NTLM only when no Kerberos ticket can be obtained for the target, for instance a local account or a host outside the domain. The change is part of Microsoft's general push to improve security across its products.

For those of us who have been working in this field for a while, the retirement of Microsoft NTLM may feel like the end of an era. Nevertheless, the change is overdue, because the threats against it have matured far faster than the protocol has.

You may be wondering why the change seems so sudden. It is not: Microsoft has been signalling it for some time, steering users towards safer authentication such as Kerberos.

Kerberos has been the default domain authentication protocol since Windows 2000. In an era of frequent data breaches and cyber-attacks, the strength of an authentication mechanism matters. NTLM's challenge-response design offers no mutual authentication, which is why it is the target of relay and pass-the-hash attacks, and NTLMv1 responses can be cracked offline; Kerberos issues tickets that authenticate both sides and are bound to a specific service, which is why it has a reputation for stronger protection.

It is a signal for developers and IT admins to get ready. Applications that still depend on NTLM for authentication will need to be modified.

Microsoft says that in many cases the fix is a single line: pass "Negotiate" instead of "NTLM" as the package name in the AcquireCredentialsHandle call. Applications that are hardcoded to expect a particular number of authentication round trips may run into trouble, though, because Kerberos and NTLM exchange a different number of messages; the loop around InitializeSecurityContext and AcceptSecurityContext should keep going for as long as the call returns SEC_I_CONTINUE_NEEDED rather than counting legs.
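Before changing any application over, an administrator wants to know where NTLM is still in use. The PowerShell below is an added example, not code from Microsoft or from this article: it reads LmCompatibilityLevel and the "Restrict NTLM" policy values, pulls NTLM logons from the Security log by their AuthenticationPackageName and LmPackageName fields, and lists the 8001-8004 events in the Microsoft-Windows-NTLM/Operational log once auditing is on. The registry paths, value names and event IDs are the documented Windows ones; the function names and the report layout are my own, and the script assumes an elevated session on a supported Windows version.

```powershell
# Added example (not Microsoft's or Windows Report's code): inventory NTLM use on a
# Windows host before pointing applications at Negotiate. Run in an elevated session.
# Registry paths, value names and event IDs are the documented ones; function names
# and output shape are my own.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = Join-Path $lsa 'MSV1_0'

function Get-NtlmPolicyState {
    # LmCompatibilityLevel: 0-2 still send LM/NTLMv1 responses, 3-5 send NTLMv2 only
    # (5 additionally refuses LM and NTLMv1 as a server). When the value is absent,
    # supported Windows versions behave as level 3.
    $level = (Get-ItemProperty $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $level) { $level = 3 }

    # The "Network security: Restrict NTLM" policies are stored under MSV1_0.
    $p = Get-ItemProperty $msv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LmCompatibilityLevel         = $level
        NtlmV1StillPossible          = ($level -lt 3)
        AuditReceivingNTLMTraffic    = $p.AuditReceivingNTLMTraffic    # 0 off, 1 domain accounts, 2 all accounts
        RestrictReceivingNTLMTraffic = $p.RestrictReceivingNTLMTraffic # 0 allow, 1 deny domain accounts, 2 deny all
        RestrictSendingNTLMTraffic   = $p.RestrictSendingNTLMTraffic   # 0 allow, 1 audit all, 2 deny all
    }
}

function Get-NtlmLogons {
    param([int]$MaxEvents = 500)
    # Security event 4624 records AuthenticationPackageName; for NTLM logons it also
    # records LmPackageName ("NTLM V1" or "NTLM V2"), which is the field that matters.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                Source      = $d.WorkstationName
                IpAddress   = $d.IpAddress
                LogonType   = $d.LogonType
                NtlmVersion = $d.LmPackageName
            }
        }
}

function Get-NtlmAuditEvents {
    param([int]$MaxEvents = 200)
    # Written once "Restrict NTLM" auditing is enabled: 8001 outgoing NTLM (client side),
    # 8002 incoming NTLM (server side), 8003 domain controller audit, 8004 domain controller block.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-NtlmAuditing {
    # Same effect as the policies "Network security: Restrict NTLM: Audit Incoming NTLM Traffic"
    # = "Enable auditing for all accounts" and "... Outgoing NTLM traffic to remote servers"
    # = "Audit all". In a domain, set these through Group Policy rather than the registry.
    if (-not (Test-Path $msv)) { New-Item $msv -Force | Out-Null }
    Set-ItemProperty $msv -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    Set-ItemProperty $msv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
}

# Report: policy state, then NTLM logons grouped by version, account and source host.
Get-NtlmPolicyState | Format-List
Get-NtlmLogons | Group-Object NtlmVersion, User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
Get-NtlmAuditEvents | Format-Table -AutoSize
```

Run it on the servers that applications talk to. Anything grouped under "NTLM V1" is an LmCompatibilityLevel problem to fix first; each distinct user and source host under "NTLM V2" is a client that will keep falling back to NTLM under Negotiate until Kerberos can be used for that target, which means a registered SPN on the service and a domain account on the client.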

For those who have grown a little sentimental about Microsoft NTLM's long service, recall that it first appeared in Windows NT 3.1 in 1993. It has served for many years, but moving to newer protocols is essential to keep pace with changing security requirements.

Kerberos is hardly new either, dating from MIT's Project Athena in the 1980s, yet it provides a stronger and more secure foundation for today's needs.

For users and developers this means adapting to the change and adopting the newer protocol. Change can be unsettling, but in this case it is clearly change for the better.
