We need a solution that supports NTLM Authentication. Currently we are using WAF V1 but this goes end of life in 2026. Any alternatives?

Question

We need a solution that supports NTLM Authentication. Currently we are using WAF V1 but this goes end of life in 2026. Any alternatives?

Andrew1 SIMPSON 5

2 answers

Your answer

Answer 1

While WAF V1 supports NTLM authentication, it's reaching its end of life in 2026. Here are your options:

Migrate to Modern Authentication: This is the recommended approach. Modern protocols like OAuth and OpenID Connect are more secure than NTLM. They offer features like single sign-on and are not susceptible to relay attacks like NTLM. Microsoft recommends migrating to these protocols (Microsoft Azure Product Group).

Consider Alternative WAF Solutions: Explore WAF solutions that support NTLM authentication. However, be aware that NTLM itself is an older protocol with security limitations.

Here are some additional points to consider:

Migrating to modern authentication might require changes to your application.

Continued reliance on NTLM might expose you to security vulnerabilities.

Answer 2

GitaraniSharma-MSFT 50,197 Microsoft Employee Moderator

Hello @Andrew1 SIMPSON ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you are using Azure Application gateway WAF V1 with NTLM authentication, but this will be retired in 2026 and you would like to know if there are any alternatives for this.

Application Gateway v2 doesn't support proxying requests with NTLM or Kerberos authentication.

Refer: https://learn.microsoft.com/en-us/azure/application-gateway/application-gateway-faq#does-application-gateway-v2-support-proxying-requests-with-ntlm-or-kerberos-authentication

And as per Application Gateway Product Group team, this feature is not in our roadmap for V2.

Refer: https://feedback.azure.com/d365community/idea/52e82d52-f925-ec11-b6e6-000d3a4f06a4#comments

If it helps you can also go through this blog post on how the windows team is reducing dependencies on NTLM.

The Azure Front Door Service is also not validated to work alongside NTLM authentication, and I checked internally to find that customers have run into issues while using Azure Front Door Service with NTLM auth.

The recommendation that we received from the Azure Product Group team is to move to modern authentication protocols such as OAuth and OpenID Connect to address these issues.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Andrew1 SIMPSON 5 Reputation points

2024-06-25T12:44:43.66+00:00

Many thanks for your fast response. We are using Azure to host a set of Exchange 2019 Servers to handle our Exchange Hybrid requirements and the Mailbox migration to Exchange Online.

For a mailbox move from On-Premise to EXO we are using the standard MRS Proxy which requires NTLM authentication. Can you check if Exchange Product Group are going to also be moving away from NTLM for Mailbox Migrations to Exchange Online?

Any assistance would be greatly appreciated.
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-06-25T13:47:31.85+00:00

Hello @Andrew1 SIMPSON ,

I need to check internally to see if I can find a contact for the Exchange Product Group. If I can, I will try to get a confirmation on your query. If not, it would be best if you could open a new thread with Exchange tags, so the respective team can provide proper guidance.

But doing a quick search, I found the below:

https://learn.microsoft.com/en-us/exchange/hybrid-deployment/block-legacy-auth-2019-hybrid

https://techcommunity.microsoft.com/t5/exchange-team-blog/disabling-legacy-authentication-in-exchange-server-2019/ba-p/712048

https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/authentication-and-ews-in-exchange

Also, Microsoft recently (June 2024) announced that NTLM is now under the deprecated features list in Windows.

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated.

Refer: https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features#deprecated-features

https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features-resources

So, the recommendation to move to modern authentication protocols such as OAuth and OpenID Connect still stands valid.

Regards,

Gita
GitaraniSharma-MSFT 50,197 Reputation points Microsoft Employee Moderator

2024-06-27T11:52:08+00:00

Hello @Andrew1 SIMPSON ,

I checked with the Exchange Product Group team and below is their response:

Exchange will continue to support the NTLM for the mailbox migration, there is plan to provide OAuth in the future.

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

We need a solution that supports NTLM Authentication. Currently we are using WAF V1 but this goes end of life in 2026. Any alternatives?

2 answers

Your answer