Suggested migration from NTLM to modern auth for On Premise web apps in .NET 6

Larry Wildey 11 Reputation points
2021-10-11T16:12:32.443+00:00

We are going to be working on updating some ASP.NET 4.72 Framework web apps and web APIs next year. Currently, we are researching the changes involved in moving to .NET 6 to plan for the migration. One item we would like to tackle is user authentication, which currently uses NTLM usernames/passwords from our AD servers. Is there a path for moving away from NTLM to OpenID Connect that still uses our AD servers, or would we need to move all users to Azure AD? We haven't found examples/documentation for the use of Microsoft.Identity.Web on premises.

Tags: Active Directory, Azure App Service, Microsoft Entra ID

3 answers

  1. Ryan Hill 25,476 Reputation points Microsoft Employee
    2021-10-14T13:41:21.74+00:00

    I'm by no means an NTLM expert, but I would suggest starting with https://learn.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-on-premises-to-cloud. I think synchronizing your on-prem AD with Azure AD through Azure AD Connect should allow you to use the AAD provider. Since you're in the exploratory phase, https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory is a white paper that discusses this topic and may help provide some direction.

    Once you start trying things and run into issues, please do feel free to post those questions on Q&A.


  2. Thameur-BOURBITA 32,496 Reputation points
    2021-10-14T15:52:08.423+00:00

    Hi,
    You have to install Azure Active Directory to ensure synchronization between on-prem AD and Azure Active Directory.

    Azure AD Connect provides three mechanisms to ensure SSO (single sign-on) when you have an on-prem AD:

    • ADFS: This service will redirect all authentication requests to the on-prem Active Directory. This solution is complicated to manage because you have to install additional servers to host ADFS.
    • Password hash synchronization: this solution ensures password synchronization between the user account in on-prem AD and the user account in Azure Active Directory: whatis-phs
    • PTA: Pass-through authentication: how-to-connect-pta

    Please don't forget to mark the helpful reply as the answer.

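Answer 1 suggests syncing on-prem AD to Azure AD and using the AAD provider; answer 2 lists ADFS, password hash sync and pass-through authentication as the ways to keep on-prem credentials in the loop. The following .NET 6 `Program.cs` is an added illustration of what either wiring looks like in code; it is not from the thread, from Microsoft's samples or from the asker's project. It assumes the NuGet packages `Microsoft.Identity.Web` (Azure AD path) and `Microsoft.AspNetCore.Authentication.OpenIdConnect` (AD FS path), a configuration flag `UseAzureAd` that this example invents, and placeholder tenant, client and host values that must be replaced with the real app registration. The AD FS path works because AD FS 2016 and later expose a standard OpenID Connect endpoint, so no Azure AD tenant is required for it; the `allatclaims` scope and the `upn`/`role` claim names are AD FS conventions that depend on the issuance rules configured on the AD FS application group.

```csharp
// Program.cs for a .NET 6 web app (added example; not code from the original thread).
// Two ways to replace NTLM/Windows auth with OpenID Connect while still trusting on-prem AD:
//   Option A: users synced to Azure AD (PHS or PTA via Azure AD Connect), Microsoft.Identity.Web.
//   Option B: on-prem AD FS acting as the OpenID Connect provider, stock ASP.NET Core handler.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// "UseAzureAd" is an invented switch for this example so both options fit in one file.
if (builder.Configuration.GetValue<bool>("UseAzureAd"))
{
    // Option A. Expected appsettings.json section (placeholder values):
    // "AzureAd": { "Instance": "https://login.microsoftonline.com/",
    //              "TenantId": "<tenant-id>", "ClientId": "<app-client-id>",
    //              "CallbackPath": "/signin-oidc" }
    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
}
else
{
    // Option B. Credentials never leave the domain; AD FS validates them and issues an id_token.
    builder.Services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://adfs.corp.example/adfs";   // placeholder AD FS host
            options.ClientId = "<adfs-application-group-client-id>"; // placeholder
            options.ResponseType = OpenIdConnectResponseType.Code;   // auth-code flow, not implicit
            options.UsePkce = true;                                   // no client secret to leak
            options.SaveTokens = false;                               // keep tokens out of the cookie
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.Scope.Add("allatclaims"); // AD FS: include claims from the app's issuance rules
            // Map AD FS claim names so User.Identity.Name and [Authorize(Roles=...)] work.
            options.TokenValidationParameters.NameClaimType = "upn";
            options.TokenValidationParameters.RoleClaimType = "role";
            // The redirect URI registered in AD FS must be https://<app-host>/signin-oidc.
        });
}

// Deny by default: every endpoint needs a signed-in user unless it opts out with AllowAnonymous().
builder.Services.AddAuthorization(options => options.FallbackPolicy = options.DefaultPolicy);

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Shows which identity and claims the chosen provider delivered; useful when checking
// that group/role issuance rules replaced what the NTLM-era code read from Windows groups.
app.MapGet("/whoami", (ClaimsPrincipal user) => new
{
    Name = user.Identity?.Name,
    Claims = user.Claims.Select(c => new { c.Type, c.Value })
});

app.Run();
```

The authorization fallback policy is the piece most worth keeping from this example when moving off NTLM: with Windows authentication every request arrived already authenticated, whereas with OIDC an endpoint that forgets `[Authorize]` is anonymous, so making "authenticated" the default closes that gap.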

  3. Limitless Technology 39,336 Reputation points
    2021-10-15T08:41:09.65+00:00

    Hi there,

    The below documentation might help you in a better understanding of the process.

    NTLM user authentication https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/ntlm-user-authentication

    Migrate application authentication to Azure Active Directory https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/migrate-application-authentication-to-azure-active-directory

    NTLM Overview https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview

    Grant locally-managed partner accounts access to cloud resources using Azure AD B2B collaboration
    https://learn.microsoft.com/en-us/azure/active-directory/external-identities/hybrid-on-premises-to-cloud

    -----------------------------------------------------------------------------------------------------------------------------

    If the reply is helpful, please Upvote and Accept it as an answer
