cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Technical Takeoff
Nov 27 2023 07:00 AM - Nov 30 2023 11:30 AM (PST)
Microsoft Tech Community
Find out more
The evolution of Windows authentication
By
Matthew_Palko
Published Oct 11 2023 10:00 AM 84.1K Views
Matthew_Palko
Microsoft
‎Oct 11 2023 10:00 AM

The evolution of Windows authentication

‎Oct 11 2023 10:00 AM

As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges. A foundational pillar of Windows security is user authentication. We are working on strengthening user authentication by expanding the reliability and flexibility of Kerberos and reducing dependencies on NT LAN Manager (NTLM).

Kerberos has been the default Windows authentication protocol since 2000, but there are still scenarios where it can’t be used and where Windows falls back to NTLM. Our team is building new features for Windows 11, Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos, to address these cases. We are also introducing improved NTLM auditing and management functionality to give your organization more insight into your NTLM usage and better control for removing it.

Our end goal is eliminating the need to use NTLM at all to help improve the security bar of authentication for all Windows users.

The legacy of NTLM

User authentication in Windows is used to prove to a remote system that a user is who they say they are. NTLM does this by proving knowledge of a password during a challenge and response exchange without revealing the password to anyone. The way NTLM works has benefits that have made its use popular in the past:

  • NTLM doesn’t require local network connection to a Domain Controller.
  • NTLM is the only protocol supported when using local accounts.
  • NTLM works when you don’t know who the target server is.

These benefits have led to some applications and services hardcoding the use of NTLM instead of trying to use other, more modern authentication protocols like Kerberos. Kerberos provides better security guarantees and is more extensible than NTLM, which is why it is now a preferred default protocol in Windows.

Organizations can turn off NTLM, but it may cause issues with applications which hard-coded NTLM use. Disabling NTLM may also cause issues in scenarios that will not work with Kerberos. Kerberos must have access to a Domain Controller and requires specifying the target server. These requirements cannot always be met, which will cause authentication problems if NTLM is not available as a fallback. Evolving Windows authentication and reducing the usage of NTLM requires that we remove these limitations in Kerberos.

Kerberos, better than ever

For Windows 11, we are introducing two major features to Kerberos to expand when it can be used—addressing two of the biggest reasons why Kerberos falls back to NTLM today. The first, IAKerb, allows clients to authenticate with Kerberos in more diverse network topologies. The second, a local KDC for Kerberos, adds Kerberos support to local accounts.

IAKerb is a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight. This works through the Negotiate authentication extension and allows the Windows authentication stack to proxy Kerberos messages through the server on behalf of the client. IAKerb relies on the cryptographic security guarantees of Kerberos to protect the messages in transit through the server to prevent replay or relay attacks. This type of proxy is useful in firewall segmented environments or remote access scenarios.

The local KDC for Kerberos is built on top of the local machine’s Security Account Manager so remote authentication of local user accounts can be done using Kerberos. This leverages IAKerb to allow Windows to pass Kerberos messages between remote local machines without having to add support for other enterprise services like DNS, netlogon, or DCLocator. IAKerb also does not require us to open new ports on the remote machine to accept Kerberos messages.

Authentication through the local KDC uses AES out of the box improving the security of local authentication.

In addition to expanding Kerberos scenario coverage, we are also fixing hard-coded instances of NTLM built into existing Windows components. We are shifting these components to use the Negotiate protocol so that Kerberos can be used instead of NTLM. By moving to Negotiate, these services will be able to take advantage of IAKerb and LocalKDC for both local and domain accounts.

All these changes will be enabled by default and will not require configuration for most scenarios. NTLM will continue to be available as a fallback to maintain existing compatibility.

Improving the management of NTLM

In addition to new Kerberos features, we are extending NTLM management controls to provide administrators with greater flexibility in how they track and block NTLM usage in their environments. There are existing event viewer logs that provide information on incoming and outgoing authentication requests that use NTLM. We are adding service information to these logs to provide more clarity on exactly which applications are using NTLM. Similarly, we are extending the control for NTLM to allow specifying granular policy at the service level. With these policies you will be able to block NTLM usage for a specific service or create service exceptions to system wide NTLM blocks.

Future disablement of NTLM

Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable. In the meantime, you can use the enhanced controls we are providing to get a head start. Once disabled by default, customers will also be able to use these controls to reenable NTLM for compatibility reasons.

What should you do now?

The reduction of NTLM usage has often been a priority for customers and we have some existing resources that will aid in preparing for these changes.

  • Start cataloging your NTLM use. We recommend using existing policy and logging to understand where NTLM is used and what apps may block you from disabling NTLM. For more information see, NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7.
  • For application developers, audit code for hardcoded usage of NTLM. Look for calls to the AcquireCredentialsHandle function that are passing in the hardcoded string “ntlm” and replace with “negotiate”. Also look for calls to the RpcBindingSetAuthInfo function and replace “RPC_C_AUTHN_DEFAULT” with “RPC_C_AUTHN_GSS_NEGOTIATE”.
  • Register for our upcoming webinar, “The Evolution of Windows Authentication”, on October 24th, 2023, at 8:00 am Pacific Time. Join our product engineering team for live demos, Q&A, troubleshooting guidance, and a sneak peek at our long-term strategy for the ultimate disablement and removal of NTLM.
  • Look out for more updates about our upcoming functionality improvements to address scenarios that Kerberos doesn’t currently support.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community ,then follow us @MSWindowsITPro on X/Twitter. Looking for support? Visit Windows on Microsoft Q&A.

18 Comments
AaronMargosis_Tanium
Iron Contributor
‎Oct 11 2023 10:47 PM
‎Oct 11 2023 10:47 PM

Curious to know what that intermediate server needs to have.

Also very curious to know whether GPO can now be applied/updated on member endpoints that do not have line of sight to a DC.

bigalexp
Copper Contributor
‎Oct 12 2023 04:56 AM
‎Oct 12 2023 04:56 AM

To be clear this article is referencing NTLM 1 & 2?

Can you give details for the supported method to completely disable NTLM if we want to get ahead of game. 

Alban1998
Iron Contributor
‎Oct 12 2023 08:58 AM
‎Oct 12 2023 08:58 AM

Hello,

Interesting changes. Some questions here :

- Which Windows versions will include these changes ? I read Windows 11, what about Windows 10 ? What about Windows Server ?

- What happens during disaster recovery scenarios, when ALL domain controllers are unavailable ? Users and admins being at risk of being lock out from at least opening a cached session ? Proxying Kerberos messages won't help with that it seems.

- What about Microsoft applications potentially relying on hard-coded NTLM ? MDT, Config Manager, various admin tools, Windows Server roles etc...some of them have not been maintained for years.

 

Thanks,

hkusulja
MVP
‎Oct 12 2023 08:58 AM
‎Oct 12 2023 08:58 AM

What about OAuth2 different flows, or SAML on systems with Microsoft Entra (Azure AD) ? for on-premise use on Windows Server Active Directory and Windows domain members.
And maybe off topic, but what about SMB protocol and support of OAuth2 / SAML ? not just for Azure Storage Files, but also for local Windows Server as File Share in on-prem environment....

Paul_260
Copper Contributor
‎Oct 12 2023 09:46 AM
‎Oct 12 2023 09:46 AM

Might be a good idea to have MDI start reporting on ntlmV2 instead of just V1.

Joachim_Otahal
Brass Contributor
‎Oct 13 2023 04:43 PM
‎Oct 13 2023 04:43 PM

Please be precise whether NTLMv1 or NLTMv2.

I have a few 2012 R2 (and higher) Domaincontrollers which are to be replaced with audit logs showing more NTLMv1 (unsalted 3DES) than expected, not just the usual MFPs. Even SMB1 pops up in some cases... But if you want to kill NTLMv2 (HMAC-MD5, which still counts as secure) this is a completely different matter needing probably at least 10 years.

0 Likes
Like
Drop_Table_Users
Copper Contributor
‎Oct 14 2023 07:30 AM
‎Oct 14 2023 07:30 AM

How is Kerberos being extended to support networks without a domain controller, when there are only local accounts?

 

My understanding is that NTLM is the only option that exists for Windows:

 

- "NTLM doesn’t require local network connection to a Domain Controller."

- "NTLM is the only protocol supported when using local accounts."

- "NTLM works when you don’t know who the target server is."

 

How is Kerberos being extended to operate on a network of only client PCs?

 

"These benefits have led to some applications and services hardcoding the use of NTLM instead of trying to use other, more modern authentication protocols like Kerberos."

 

I'm happy to not hardcode "NTLM".

I hardcode "Negotiate" and let it fallback to "NTLM" when it realizes Kerberos cannot be used because there is no domain controller.

 

How will Kerberos be updated to support networks where there is no Kerberos server available? Will every PC run it's own embedded domain controller? How will you solve the problem of "non-domain joined" PCs trying to access resources on my PC? 

 

I'm happy to stop using NTLM, you just need to replace it with something.

ioplex
Copper Contributor
‎Oct 15 2023 11:40 AM
‎Oct 15 2023 11:40 AM

Will IAKerb be able to authenticate domain accounts? Or will it only be used to authenticate local SAM accounts using the "LocalKDC" and not proxy requests to a KDC as specified by draft-ietf-kitten-iakerb-03?

 

NTLM is used today because it's virtually guaranteed to succeed where Kerberos can fail due to deps.
And because it's trivial setup and use by comparison. Taking that away without replacing it with something that can authenticate AD DS accounts could be difficult for folks in environments that are not optimized for kerberos-only.

 

If Windows clients could properly interoperate with an IAKerb implementation that can actually proxy to DCs by using FAST armor, etc, that could help a lot.

0 Likes
Like
xtian2210
Copper Contributor
‎Oct 15 2023 11:41 AM
‎Oct 15 2023 11:41 AM

> Considering this comment "Kerberos has been the default Windows authentication protocol since 2000, but there are still scenarios where it can’t be used and where Windows falls back to NTLM" which is one of the significant distinctions between NTLM and Kerberos

 

The extensions to the Kerberos protocol and the GSS-API Kerberos mechanism will enable a GSS-API Kerberos client to exchange messages with the KDC by using the GSS-API acceptor as a proxy, encapsulating the Kerberos messages inside GSS-API tokens. With these extensions, a client can obtain Kerberos tickets for services where the KDC is not accessible to the client, but is accessible to the application server.

 

0 Likes
Like
joshudson
Copper Contributor
‎Oct 16 2023 07:19 AM
‎Oct 16 2023 07:19 AM

I enumerated the definite and possible uses of NTLM Auth on our network. These won't show up on your data-driven approach (mostly) unless you push the data collector out to older windows versions.

 

1) We depend on the fact that two local accounts with the same username and password authenticate as the same account across workstations on the domain. This was done on purpose to reduce attack surface area by eliminating domain accounts with non-expiring passwords as much as possible. Creating the local accounts where they're needed is a reduced-privilege model.

 

2) When connecting between machines with RDP we depend on .\username resolving on the remote machine without knowing its name. The saved username by RDP says it's the local machine name but somehow it works. Should be fixable on your side because the remote hostname is passed back to RDP. The production servers are *not* domain joined. This isn't a mistake, and won't be changed. (They're more hardened than the domain controller.)

 

3) There's a highly isolated XP box in manufacturing (because the drivers for the hardware it controls) that remains network joined solely so it can talk to the network printer. Network disks don't work anymore due to no SMB protocol version in common, and this isn't a problem. It's possible its domain binding has fallen back to NTLM long ago due to no TLS version in common with the domain controller.

spurrw
Copper Contributor
‎Oct 17 2023 06:39 AM
‎Oct 17 2023 06:39 AM

Thank you guys for working on these features! This is awesome. As someone who has rid a large environment of NTLM almost completely, I am sure these improvements would have all helped. More specific logging with service name information will be a big help. KDC proxies for the DCs will be fantastic. The notes for developers and forthcoming patch-changes will hopefully push vendors to get their software off of NTLM dependence. Vendors are the biggest hold-up to NTLM disablement.

dnsinit
Copper Contributor
‎Oct 23 2023 02:52 AM
‎Oct 23 2023 02:52 AM

These are awesome features I'm looking forward to.

 

Any ideas on how to solve the issue with MS-CHAPv2 relying on NTLM or are you continuing down the route of asking customers to use more modern methods like EAP-TLS for 802.1x? Honestly at this point I don't think printer vendors will ever sort their sh*t out, so it would be awesome if you could put some magic duct tape on their products (although I understand it's really not your issue to begin with).

0 Likes
Like
Alban1998
Iron Contributor
‎Oct 27 2023 12:56 AM
‎Oct 27 2023 12:56 AM

@dnsinit Hello, MS6CHAPv2 being a decades-old protocol with tons of vulnerabilities, it wouldn't make sense to duct-tape it when EAP-TLS exists imho.

0 Likes
Like
dnsinit
Copper Contributor
‎Nov 01 2023 06:48 AM
‎Nov 01 2023 06:48 AM

@Alban1998 totally buying that, reality is printer vendors don't enjoy developing software as much as they love selling hardware. I'm not saying it has to be duct-tape on MSCHAPv2 either but rather some way of authenticating stupid devices (unlesss MSCHAPv3 is actually coming? :'D).

 

@Matthew_Palko would love some more auditing on NTLM usage that's not in NTLM authentication aswell (because non-NTLM authentication methods using NTLM hashes don't get audited but definitely breaks when disabling NTLM :-)).

0 Likes
Like
Joachim_Otahal
Brass Contributor
‎Nov 02 2023 07:55 AM
‎Nov 02 2023 07:55 AM

@dnsinit 

Check my NTLM / SMB1 logging / auditing script at https://github.com/Joachim-Otahal/PowerShell .

Maybe you can extend it? I too have an issue where a firewall-VPN-auth uses NTLMv1 in the end, but via Radius as you describe, and does not appear in the security event log (directly). Maybe, when the next customer needs it, I'll extend the script to capture the MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 events in question too.

Requires at least Server 2012 (tested up to Server 2022) with all updates. Only tested with powershell 5.1 (PS-ISE in single step mode works fine too) though. Despite its name it extracts either all NTLM not only NTLMv1 depending on your choice. The script is, from my point of view, transparent in its function.

0 Likes
Like
Alban1998
Iron Contributor
‎Nov 09 2023 07:15 AM
‎Nov 09 2023 07:15 AM

@dnsinit We had the same exact issue with SMBv1, and printers happily running on it by default until very recently. I'm not sure Microsoft has a say in it, and even wants to spend engineering resources on it. In the end, we had to endure it until hardware manufacturers sorted their s*** out...

0 Likes
Like
Rick Glorie
Copper Contributor
‎Nov 22 2023 03:39 PM
‎Nov 22 2023 03:39 PM

Please be more exact about dates, MS products affected, graces periods and opt out options. There are shops out there with a big mix in their landscape from modern cloud solutions down to old boxes doing on prem magic. A list of Microsoft products using NTLM in a certain way might help identifying  NTLM hold outs. NTLM can generated a metric ton of events per action, RIP eventviewer.

0 Likes
Like
dz890
Copper Contributor
‎Nov 22 2023 06:21 PM
‎Nov 22 2023 06:21 PM

What about Remote Desktop Gateway!?!?  Or RDS on the local network!?!  Neither of those will work without NTLM.

 

You guys need to spend YEARS testing this and making sure everything will continue to work. 

Version history
Last update:
‎Nov 11 2023 01:30 AM
Updated by:
Labels