How do I restrict NTLM settings?

Should you disable NTLM authentication?

NTLM or Kerberos authentication.

The choice is yours. I prefer Kerberos because it's more secure, but NTLM seems to work for me, as long as the user is authenticated against a Kerberos server. I've seen many posts here that suggest disabling NTLM as a workaround in case the application uses a legacy web service. This doesn't make sense to me. The same goes for some people saying "well, your browser will never connect to a server when you use NTLM." To which I respond: the application must be configured to use NTLM authentication.

Why is NTLM authentication still used in 2012? The problem is that it works, and most applications don't have a problem when using NTLM authentication. You can find a lot of posts saying that it doesn't work, but it works. So even though NTLM is not recommended by Microsoft anymore, it continues to work for many apps and people out there. It works well with IE11. But how to fix it?

The best way I found to fix this problem is to create an NTLM-only site for your website. If you need it on all computers (laptop, workstation, mobile devices), use a Windows domain controller. The advantage of using a Windows domain controller is that the users have a local profile on their workstation, and NTLM will work. On a Mac or Linux machine, you'll have to use a third-party NTLM authentication library like .

As a first step, set the application server to use NTLM authentication and then add your users to the local profile. That's it. If they have different user accounts on the domain controller, then you will have to manually update the other users' workstation profile. That's not a problem, but keep in mind that you won't be able to use Kerberos authentication for the local user on the web server. You'll have to switch it off.

Is this only a problem for Java-based apps? Many people have reported having problems with third-party web services using NTLM, but my tests show that most, if not all, apps (including Java apps) are affected.

How do I restrict NTLM settings?

In short, I'd like to prevent NTLM authentication from working.

This must be possible for a number of reasons; some users will be using the server remotely and connecting through VPNs. Other users will be trying to connect through a proxy server, which would also cause them to run into this problem.

I cannot block the particular services they're connecting to because the authentication is required for the remote users to even connect in the first place. Is there a way to configure the NTLM authentication to fail? I do not want to prevent users from trying to connect at all. I just want to prevent the use of NTLM on this server. If it were a matter of removing the NTLM settings from the client profile, that would not prevent the user from still trying to connect via other means, and I wouldn't be able to block the attempt.

Here's what I ended up doing. I wrote a bash script to modify the hostname and machine name stored in the HKLM\Software\Policies\Microsoft\Windows NT\Terminal Server\HostName key. The script looks like this:

    unset HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Server\HostName
    write-host "Previous hostname value deleted."
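An added example for this page, not code from the post above, and using a different mechanism from the one the post describes: the registry values behind the "Network security: Restrict NTLM" and "LAN Manager authentication level" security policy settings. Run elevated on the Windows server that must stop accepting NTLM. The script first turns on auditing of incoming NTLM (event 8002 in the Microsoft-Windows-NTLM/Operational log), lets you review who still depends on it, and only then sets the incoming-NTLM deny value, which makes NTLM authentication fail while TCP connections, VPN and proxy paths are left alone. The 7-day review window and the function names are this script's own choices; the event field names are read from each event's XML rather than assumed.

```powershell
# Added example for this page, not code from the original post. Run as Administrator.
# These are the LSA registry values behind the "Network security: Restrict NTLM" and
# "LAN Manager authentication level" security policy settings. A domain GPO that defines
# them reapplies its own values on the next policy refresh, so use the GPO for fleets.
$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NtlmRestrictionState {
    # An absent value means "not defined", which behaves like "allow all".
    $m = Get-ItemProperty -Path $Msv1 -ErrorAction SilentlyContinue
    $l = Get-ItemProperty -Path $Lsa  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AuditReceivingNTLMTraffic    = $m.AuditReceivingNTLMTraffic    # 0 off, 1 domain accounts, 2 all accounts
        RestrictReceivingNTLMTraffic = $m.RestrictReceivingNTLMTraffic # 0 allow all, 1 deny domain accounts, 2 deny all
        RestrictSendingNTLMTraffic   = $m.RestrictSendingNTLMTraffic   # 0 allow all, 1 audit all, 2 deny all
        ClientAllowedNTLMServers     = $m.ClientAllowedNTLMServers     # outgoing exception list (REG_MULTI_SZ)
        LmCompatibilityLevel         = $l.LmCompatibilityLevel         # 5 = send NTLMv2 only, refuse LM and NTLMv1
    }
}

function Enable-NtlmIncomingAudit {
    # Phase 1: log every incoming NTLM authentication (event 8002) without blocking any.
    New-ItemProperty -Path $Msv1 -Name AuditReceivingNTLMTraffic -PropertyType DWord -Value 2 -Force | Out-Null
    # Refusing LM/NTLMv1 now is low-risk: NTLMv2 clients keep working, the weak v1 responses stop.
    New-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -PropertyType DWord -Value 5 -Force | Out-Null
}

function Get-IncomingNtlmUsage {
    param([int]$Days = 7)   # review window; this script's choice
    # Phase 1 review: who still authenticates with NTLM to this host? Event 8002 in the
    # Microsoft-Windows-NTLM/Operational log records the calling process, client and user.
    # Field names are taken from each event's own XML instead of being hard-coded here.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8002; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $row = [ordered]@{ TimeCreated = $_.TimeCreated }
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

function Set-NtlmIncomingDeny {
    param([switch]$DomainAccountsOnly)
    # Phase 2: refuse incoming NTLM. 1 = deny domain accounts only (local accounts may still
    # use NTLM, a useful break-glass), 2 = deny all. Interactive logons are not affected;
    # only network NTLM authentication to this host is refused. Kerberos is untouched.
    $value = if ($DomainAccountsOnly) { 1 } else { 2 }
    New-ItemProperty -Path $Msv1 -Name RestrictReceivingNTLMTraffic -PropertyType DWord -Value $value -Force | Out-Null
}

# Typical run: audit first, come back after the review window, enforce once the 8002 list
# is empty or every remaining source has been moved to Kerberos.
Enable-NtlmIncomingAudit
Get-NtlmRestrictionState
Get-IncomingNtlmUsage -Days 7 | Format-Table -AutoSize
# Set-NtlmIncomingDeny          # uncomment after the audit period
```

With RestrictReceivingNTLMTraffic set, a client that offers NTLM still reaches the server and still gets a response; the authentication itself fails, which is the behaviour asked for above. Clients that cannot obtain a Kerberos ticket for the host (IP address instead of a name in the URL, missing SPN, non-domain machines over the VPN) are exactly the ones that will show up in the audit, so fix those before flipping the deny value.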

Should I restrict NTLM?

We are evaluating the security of a web application which will be deployed in an Active Directory environment.

The server is running IIS7 and has Windows Authentication enabled for the Web app. The application runs ASP.NET 3.5 MVC with user identity based on Active Directory. We have been getting complaints from our customers that their logins to the web app are taking too long. One customer is on a very slow connection and is experiencing this issue. We do not believe that the NTLM protocol is an issue, as the web app logs out the user after a certain amount of time if the user is inactive. The only other suggestion that we have found is that the web app is logging in over NTLM and using NTLM to get a ticket to the application. We are unable to figure out how this would be possible.

Is there any way to restrict the authentication type used by the web app so that it uses NTLM over plaintext HTTP?

Note: this post has been moved to the forum as it was discussed on there before I got this topic reopened.

4 Answers
I don't think that you can restrict the authentication type. The server will always use NTLM for the authentication.

The problem could be that there is something wrong with the network or firewall configuration. It could also be that the web server is performing some sort of "hijacking" of the authentication. For example, the web server could be redirecting the user's browser to another site, causing the authentication to fail, then redirecting the user back to the site. The user would never actually be redirected back to the site. If that is happening, then the web server is intercepting the authentication request and failing it, or passing it to the client (browser). You can test this by turning off Windows Authentication and see if the problem still exists.

How are you logging in to the site? I'm guessing that you are using Windows authentication. So what I am doing is that I am using windows authentication for the site. I set the site to accept http and not https, so it's only https on the active directory side of the site. Then the users are using the native windows authentication for the site. The user is not authenticated via AD.

Steve K Dec 12 '12 at 4:50

@SteveK I see your point.
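An added example for this page, not code from the thread: PowerShell run on the IIS 7+ web server that lists which Windows Authentication providers a site advertises, removes the NTLM provider so only Negotiate is offered, turns on authPersistNonNTLM so a Kerberos-authenticated connection is not re-negotiated on every request, and classifies captured Authorization header values so you can see whether clients actually used Kerberos or NTLM. 'Default Web Site' is a placeholder, and the two sample headers at the bottom are constructed (the SPNEGO one is structure only, with no real ticket).

```powershell
# Added example for this page, not code from the thread. Run elevated on the IIS server.
# 'Default Web Site' is a placeholder; the sample headers at the bottom are constructed.
Import-Module WebAdministration

$Site    = 'Default Web Site'
$Section = 'system.webServer/security/authentication/windowsAuthentication'
$AppHost = 'MACHINE/WEBROOT/APPHOST'

function Get-WinAuthProviders {
    # IIS sends one WWW-Authenticate header per provider, default order Negotiate, NTLM.
    # A client that cannot do Kerberos (not domain-joined, wrong or missing SPN, behind a
    # proxy, IP address in the URL) quietly falls back to NTLM.
    (Get-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter "$Section/providers" -Name Collection).value
}

function Remove-NtlmProvider {
    # Stop offering raw NTLM. Negotiate (SPNEGO) can still carry NTLM inside it when the
    # client has no Kerberos ticket, so this alone does not force Kerberos; the server-side
    # "Restrict NTLM: Incoming NTLM traffic" policy is what makes that path fail.
    & "$env:windir\system32\inetsrv\appcmd.exe" set config $Site "-section:$Section" "/-providers.[value='NTLM']" /commit:apphost
    # Keep a Kerberos-authenticated connection authenticated for the following requests
    # instead of re-negotiating each one, which is what makes slow links feel slow.
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Site -Filter $Section -Name authPersistNonNTLM -Value $true
}

function Get-AuthorizationScheme {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    # Decode the token and look for mechanism signatures. A raw NTLM message starts with
    # "NTLMSSP\0" (base64 'TlRMTVNTUAA'). A SPNEGO NegTokenInit is DER [APPLICATION 0] =
    # 0x60 (base64 starting 'Y', commonly 'YII'); if Kerberos was chosen the mechToken is an
    # AP-REQ and no NTLMSSP signature is present, if NTLM was chosen the NTLM message is
    # embedded verbatim, so the signature check comes first.
    $scheme, $token = $AuthorizationHeader -split '\s+', 2
    try   { $bytes = [Convert]::FromBase64String($token) }
    catch { return "$scheme/malformed" }
    $latin1   = [System.Text.Encoding]::GetEncoding(28591)   # 1:1 byte-to-char for signature search
    $text     = $latin1.GetString($bytes)
    $ntlmSig  = "NTLMSSP`0"
    $krbOid   = $latin1.GetString([byte[]](0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)) # 1.2.840.113554.1.2.2
    $msKrbOid = $latin1.GetString([byte[]](0x06,0x09,0x2A,0x86,0x48,0x82,0xF7,0x12,0x01,0x02,0x02)) # 1.2.840.48018.1.2.2
    if ($text.Contains($ntlmSig)) { return "$scheme/NTLM" }
    if ($bytes.Length -gt 0 -and $bytes[0] -eq 0x60 -and ($text.Contains($krbOid) -or $text.Contains($msKrbOid))) {
        return "$scheme/Kerberos"
    }
    return "$scheme/unknown"
}

# Constructed samples: a typical NTLM Type 1 (NEGOTIATE) message sent under the Negotiate
# scheme, and a minimal SPNEGO NegTokenInit whose mechTypes lists Kerberos (no ticket body).
$ntlmHeader  = 'Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=='
$spnegoBytes = [byte[]](0x60,0x1B, 0x06,0x06,0x2B,0x06,0x01,0x05,0x05,0x02,           # [APPLICATION 0], SPNEGO OID
                        0xA0,0x11,0x30,0x0F,0xA0,0x0D,0x30,0x0B,                      # NegTokenInit, mechTypes
                        0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02)       # Kerberos OID
$krbHeader   = 'Negotiate ' + [Convert]::ToBase64String($spnegoBytes)

Get-WinAuthProviders
Get-AuthorizationScheme $ntlmHeader
Get-AuthorizationScheme $krbHeader
# Remove-NtlmProvider     # uncomment once the remaining NTLM clients have been dealt with
```

Feed Get-AuthorizationScheme the Authorization values from a failed-request trace or a proxy capture for the slow customer: if they come back as NTLM, each request is doing the full three-leg NTLM handshake over the slow link, which is a far more likely explanation for the login delay than the session timeout discussed above. Removing the NTLM provider without first giving that client a working Kerberos path (correct HTTP/ SPN on the application pool account, hostname rather than IP in the URL) turns slow logins into failed ones.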
