Hello MS Directory Services team,
I would like to gather some sort of official MS information [KB/post] and/or response to this thread on whether NTLM authentication is not supported and has been deprecated in Windows 2016.
My client, who runs a Microsoft shop [Exchange/Windows servers, Windows 10/7 PCs, Office 2013/2016], is also running some legacy applications that still rely on NTLM for authentication instead of Kerberos. So, what would be the right approach given the MS support matrix?
My client is going to migrate their farm of Windows 2008 DCs to 2016, and this is something that needs to be addressed before this implementation, otherwise legacy applications that rely on NTLM will fail.
Can you please confirm that if we upgrade our DCs to Server 2016 and change the Forest and Domain Functional Levels our 3rd party applications/web sites/Microsoft Applications that rely on NTLM rather than Kerberos will still function?
Please see below a copy-paste from an old partner site with a similar question. It would be highly appreciated if you could provide as much information as you can, with KBs/URLs that fully support your answer.
Hi
We are migrating Active Directory from its current 2003 OS and 2003 domain/forest functional level to the Windows 2012 R2 OS and 2012 R2 domain and forest functional level, and have some concerns about both Microsoft and 3rd party applications. Regrettably, Microsoft has provided some conflicting documentation about authentication, specifically NTLM, so please can you clarify:
Primarily we have been using this resource as our plan of action
This document tells us that for the NTLM aspects:
- Database – database configurations using NTLM will need to change authentication methodologies.
- IIS or apache – websites using NTLM will need to change authentication methodologies.
- Authentication in some applications may be using NTLM for authentication; NTLM is no longer supported in 2012 R2 for authentication, Kerberos is used. If applications are still using NTLM they will need to be updated or upgraded to meet this requirement.
However, if we refer to this documentation:
https://docs.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
it only tells us that Kerberos is the preferred authentication protocol for domains and doesn't say that we cannot fall back onto NTLM if that is in use. It also says that it is still supported and that there have been no changes or deprecation of NTLM in Server 2012 R2:
- NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.
- There are no changes in functionality for NTLM for Windows Server 2012.
- There is no removed or deprecated functionality for NTLM for Windows Server 2012.
Can you please confirm that if we upgrade our DCs to Server 2012 R2 and change the Forest and Domain Functional Levels our 3rd party applications/web sites/Microsoft Applications that rely on NTLM rather than Kerberos will still function?
In addition, are you able to steer me to documentation that summarizes other functional changes/deprecation that may affect applications e.g. ciphers or authentication algorithms that may have been removed?
From your description, I know you have some questions about authentication on Windows Server 2003 AD and Windows Server 2012 R2 AD. If there's any misunderstanding, please let us know.
For your convenience, I have listed my answers to your question as below:
Q1: Can you please confirm that if we upgrade our DCs to Server 2012 R2 and change the Forest and Domain Functional Levels our 3rd party applications/web sites/Microsoft Applications that rely on NTLM rather than Kerberos will still function?
A1: Based on my research, Protected Users authenticating to a Windows Server 2012 R2 domain can no longer authenticate with NTLM authentication. Please make sure whether our application will use Protected Users. If yes, it will be affected. If not, I think it will be OK. We can see more details in the following link:
Forest and Domain Functional Levels
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
In addition, to double-confirm whether the third party application will be affected, we suggest building a test environment and doing the test first.
Q2: Are you able to steer me to documentation that summarizes other functional changes/deprecation that may affect applications, e.g. ciphers or authentication algorithms that may have been removed?
A2: Based on my research, I find that changing the Domain or Forest Functional Level should have no impact on an application that depends on Active Directory. For any third party applications, we should contact the vendor to find out if they tested the product at the proposed level, and if so, with what result.
For the changes in Windows Server 2012 R2, I have found the following articles; we can read them as reference:
Changes in the Security Guidance for Windows 8.1, Server 2012 R2 and IE11 since the beta
Hope the above information can help. If there's any question or concern, feel free to contact us.
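As an added example (not from this thread or from Microsoft), the following PowerShell script gives an administrator the inventory the answer above asks for before the DC upgrade: which accounts and hosts actually authenticate with NTLM against a DC, which NTLM version they use, and whether any of them sit in Protected Users. It assumes the ActiveDirectory RSAT module and rights to read the DC's Security log; the 24-hour window and the column names are choices made here.

```powershell
# Added example: inventory NTLM logons on a domain controller and cross-check
# them against the Protected Users group (assumes RSAT ActiveDirectory module).
Import-Module ActiveDirectory

$Hours = 24   # look-back window; Security log retention usually limits this
$Since = (Get-Date).AddHours(-$Hours)

# 1. Current members of Protected Users. The group is created only once a
#    2012 R2 or later DC holds the PDC emulator role, so it may not exist yet.
$protected = @{}
try {
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        ForEach-Object { $protected[$_.SamAccountName.ToLower()] = $true }
} catch {
    Write-Warning "Protected Users group not found (expected on a pre-2012 R2 domain): $_"
}

# 2. Successful logons (event 4624) whose authentication package was NTLM.
#    Fields are read by name from the event XML, not by property position.
$ntlm = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $d.TargetUserName
                Domain      = $d.TargetDomainName
                Workstation = $d.WorkstationName
                LmPackage   = $d.LmPackageName    # 'NTLM V1' or 'NTLM V2'
                LogonType   = $d.LogonType
                Protected   = $protected.ContainsKey($d.TargetUserName.ToLower())
            }
        }
    }

# 3. Summarise who depends on NTLM and which of those accounts would stop
#    authenticating if they are (or are later) placed in Protected Users.
$ntlm | Group-Object Account, Workstation, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';          e = { $_.Group[0].Account } },
        @{ n = 'Workstation';      e = { $_.Group[0].Workstation } },
        @{ n = 'LmPackage';        e = { $_.Group[0].LmPackage } },
        @{ n = 'InProtectedUsers'; e = { $_.Group[0].Protected } } |
    Format-Table -AutoSize
```

Run it on each DC (or point Get-WinEvent at them with -ComputerName) over a period long enough to catch weekly batch jobs; any row with InProtectedUsers = True, or any NTLM V1 row, is something to resolve with the application owner before the functional level is raised.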