NTLM authentication

We got information that NTLM authentication is coming to the end of its life/support in a year, and that it is used in our AVEVA MES solution.

We have checked that at least AVEVA WorkTasks' EnterpriseConsole and CentralConfig websites have the NTLM provider enabled, and based on the discussions so far, perhaps System Platform and possibly other products use NTLM as well.

So the questions are:
- Can it be confirmed which AVEVA products (WorkTasks, Enterprise Integrator, System Platform, Communication Drivers) really use NTLM authentication?
- What are the proposed actions to take, and what should we tell end customers, to handle its end of life/support in a year?
- Does AVEVA already have some guidance on this topic?

  • I can confirm that System Platform, Historian and a large part of its components use NTLM. We tried to inquire about this with support.

    Some of the components include "Change Network Account", polls to Historian, and probably more if not all.

    From our customer, who will remain anonymous, after we had tried getting System Platform up and running with an NTLM block in place:

    "During testing I found that the problem is that the application uses NTLM.

    NTLM is not allowed as an authentication type in our network. We require KERBEROS.

    NTLM has been recommended to be replaced with Kerberos for years. I have seen posts as far back as 2011 when it was recommended to stop using NTLM. But I assume these recommendations are even far older, as NTLM belongs to the 1990s (created in 1993). Even Kerberos is old as hell (even older than NTLM), but NTLM was made as an “upgrade” of an even older Microsoft technology for use on operating systems that did not support the then more secure Kerberos method. Microsoft did not embrace Kerberos before Windows 2000, but since around 2000 it has been Microsoft’s default authentication method in Windows and AD services.


    Also, Microsoft just recently (in October 2023) posted that they will remove support for NTLM in Windows 11 in a future patch. We can then also assume the change will come to server operating systems in the future.


    I changed a reg key on the server that blocks NTLM to allow this. Then it worked.

    However, we use a policy to block NTLM, so this will be reset every 90 minutes.

    A bit more alarming is that I see in the NTLM log that there is also a block against our “Historian” server by the AVEVA product. I am not sure if this can be ignored, but I have a hunch that your application also uses NTLM to communicate between the servers.

    This must be fixed. Is there a way to re-configure the application to use Kerberos?


    Is there a patch for this?"

    I would also like to know how AVEVA is preparing for this.
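The customer above found out which servers and applications still depend on NTLM by reading the NTLM log after a policy block was applied. The same log can be used in audit mode, before enforcing a block, to build an inventory of NTLM use per node. The following PowerShell script is an added example (not from this thread, and not AVEVA's or Microsoft's code). It assumes the "Network security: Restrict NTLM" audit policies are enabled so that the Microsoft-Windows-NTLM/Operational log receives events 8001 (outgoing NTLM from this host) and 8002 (incoming NTLM to this host); the field labels matched in the message text ("Name of client process", "Target server", "Calling process name", "Workstation name", and so on) are taken from those events as they appear on current Windows builds and should be checked against your own log if a column shows "unknown". The `$Days` and `$ReportPath` parameters are the example's own.

```powershell
# Added example: inventory NTLM use from the NTLM audit log before enforcing a block.
# Assumes the Restrict NTLM audit policies (Audit Incoming / Outgoing NTLM Traffic) are enabled,
# so Microsoft-Windows-NTLM/Operational receives 8001 (outgoing) and 8002 (incoming) audit events.
# Run on each node (Galaxy, Historian, WorkTasks web server, ...) with an account that can read the log.
param(
    [int]$Days = 7,                                      # assumed look-back window
    [string]$ReportPath = "$env:TEMP\ntlm-usage.csv"     # assumed output location
)

$since = (Get-Date).AddDays(-$Days)

# 8001 = NTLM client blocked audit (this host authenticating outward),
# 8002 = NTLM server blocked audit (a peer authenticating to this host).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No NTLM audit events in the last $Days days. Check that the Restrict NTLM audit policies are enabled."
    return
}

# Pull process, peer and user out of the message text with regexes rather than by property index,
# because the property order differs between 8001 and 8002. Label names are an assumption; see lead-in.
$rows = foreach ($e in $events) {
    $msg = $e.Message
    $process = if ($msg -match '(?m)^\s*(?:Name of client process|Calling process name):\s*(.+?)\s*$') { $Matches[1] } else { 'unknown' }
    $peer    = if ($msg -match '(?m)^\s*(?:Target server|Workstation name):\s*(.+?)\s*$')               { $Matches[1] } else { 'unknown' }
    $user    = if ($msg -match '(?m)^\s*(?:Supplied user|User identity):\s*(.+?)\s*$')                  { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{
        Direction = if ($e.Id -eq 8001) { 'Outgoing' } else { 'Incoming' }
        Process   = $process
        Peer      = $peer
        User      = $user
        Time      = $e.TimeCreated
    }
}

# One line per (direction, process, peer) with a count and last-seen time, so the output reads as an inventory
# of what would break if NTLM were blocked: each row is a candidate for a Kerberos SPN / delegation fix.
$summary = $rows | Group-Object Direction, Process, Peer | ForEach-Object {
    [pscustomobject]@{
        Direction = $_.Group[0].Direction
        Process   = $_.Group[0].Process
        Peer      = $_.Group[0].Peer
        Count     = $_.Count
        LastSeen  = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Written $ReportPath"
```

Running this on every node for a week or two before switching the policy from audit to block gives the list the thread is asking for: which processes (for example the AVEVA services behind "Change Network Account" and the Historian polls mentioned above) and which peer servers still negotiate NTLM, so each one can be raised with the vendor or re-pointed at a Kerberos-capable name before the block is enforced.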

  • Hi,

    I'm not aware of any guidance provided (yet), but we are very much aware and plan to address this in coming releases where applicable.