SokratisZotos
Thanks for the feedback on the blog. Honestly, I do not see NTLM being retired out of the operating system anytime soon. The big issue is that this is the authentication method of choice when systems are NOT in a domain or for local user accounts. Until the product groups embrace some other type of authentication method for local user authentication, I just do not see it changing.
Also keep in mind that the NTLMv2 requirement is because of LSAR / SMB / SAMR calls happening remotely. SAMR calls are mostly made for non-domain authentication methods, so it has to be able to support both domain users as well as local users. This is more than likely going to be the cause / reason for the requirement. It is the one authentication method we have that supports both types of users / computers.
The authentication product team has been wanting to get rid of NTLM for a very long time, but they just do not see anything else that they could implement that accomplishes everything that it does at this time. Keep in mind that Kerberos requires a domain or realm (central user store) to connect to so that it can validate the user's credentials.
It ultimately becomes an issue for any operating system that has been around for decades. Unless you are willing to make previous OS versions totally incompatible with the latest version, the longer the OS is in the market, the more you get stuck. You can see what happened when we stopped allowing RC4 encrypted session keys for Kerberos in the November 2022 security update. We had so many customers telling us that their ancient 3rd party appliances do not support AES session keys and that their apps still running on Windows Server 2003 were now failing and taking out their business because of the update. Keep in mind that OS had not been supported for 7 years by that point. So you can see how we make a little change and it breaks the world.
But I am glad to see that Satya is now saying security above everything, but I would expect to run into a lot more things that stop working if you are not on a supported OS moving forward, and we are just going to kindly ask you to upgrade the OS.
Read Satya Nadella’s Microsoft memo on putting security first - The Verge
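The comment above describes two dependencies that break when hardening is enforced: NTLM (and in particular NTLMv1) for local or non-domain logons, and RC4 session keys for Kerberos. The following is an added example, not code from the commenter or from Microsoft, that inventories those dependencies from Windows Security log events (4624 logon events and 4769 Kerberos service-ticket events, using their documented field names) so that an administrator can see what would stop working before a change like the November 2022 update lands. The sample events are constructed for illustration.

```python
# Added example (not from the original comment): inventory authentication
# packages and Kerberos ticket encryption types from Windows Security events
# so NTLM and RC4 dependencies are known before they are switched off.
# Event IDs and field names follow the Windows Security log schema
# (4624 = logon, 4769 = Kerberos service ticket); sample events are constructed.
from collections import Counter

# Kerberos encryption type codes as logged in the TicketEncryptionType field.
ETYPE_NAMES = {0x17: "RC4-HMAC", 0x11: "AES128", 0x12: "AES256"}


def audit_auth_events(events):
    """Summarise authentication packages and Kerberos ticket etypes.

    Returns per-package logon counts, the accounts still logging on with
    NTLMv1 (should be empty once the NTLMv2 requirement is enforced), and
    the service principals still issued RC4 tickets, which would fail once
    RC4 session keys are disabled.
    """
    packages = Counter()
    ntlmv1_users = []
    rc4_services = set()
    for ev in events:
        if ev["EventID"] == 4624:
            pkg = ev["AuthenticationPackageName"]
            packages[pkg] += 1
            # LmPackageName distinguishes NTLMv1 from NTLMv2 for NTLM logons.
            if pkg == "NTLM" and ev.get("LmPackageName") == "NTLM V1":
                ntlmv1_users.append(ev["TargetUserName"])
        elif ev["EventID"] == 4769:
            etype = int(ev["TicketEncryptionType"], 16)  # logged as "0x17" etc.
            if ETYPE_NAMES.get(etype) == "RC4-HMAC":
                rc4_services.add(ev["ServiceName"])
    return {"packages": dict(packages), "ntlmv1_users": ntlmv1_users,
            "rc4_services": sorted(rc4_services)}


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice"},
    {"EventID": 4624, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "localadmin"},
    {"EventID": 4624, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "TargetUserName": "legacyapp"},
    {"EventID": 4769, "TicketEncryptionType": "0x12", "ServiceName": "host/fs01"},
    {"EventID": 4769, "TicketEncryptionType": "0x17", "ServiceName": "svc_appliance"},
]

if __name__ == "__main__":
    print(audit_auth_events(SAMPLE_EVENTS))
```

On a real host the events would come from the Security log (for example exported with wevtutil or Get-WinEvent) rather than the inline list.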