NTLM authentication

I can confirm the fact that System Platform, Historian and a large part of it's components use NTLM. We tried to inquire about this to support.

Some of the components include, "Change Network Account", polls to Historian, and probably more if not all.

From our customer which will remain anonymous, after we had tried getting System Platform Up and Running with a NTLM BLOCK in place:

"During testing I found that the problem is that the application use NTLM

NTLM is not allowed as an authentication type in our network. We require KERBEROS.

NTLM has been recommended to be replaced with Kerberos for years. I have seen posts as far as back in 2011 when it was recommended to stop using NTLM. But I assume these recommendations are even far older as NTLM belongs to the 1990s (created in 1993). Even Kerberos is old as hell (even older than NTLM), but NTLM was made as an “upgrade” of an even older Microsoft technology for uses on operating systems that did not support the back then more secure Kerberos method. Microsoft did not embrace Kerberos before Windows 2000, but has since around 2000 been Microsoft’s default authentication method in Windows and AD services.

Also, Microsoft just recently (in October 2023) posted that they will remove support for NTLM in Windows 11 in a future patch. We can then also assume the change will come to server operating systems in the future.

I changed a reg key on the server that block NTLM to allow this. Then it worked.

However we use a policy to block NTLM, so this will be reset every 90 minutes.

A bit more alarming is that I see in the NTLM log that there is also a block against our “Historian” server by the AVEVA product. I am not sure if this can be ignored, but I have a hunch that your application also use NTLM to communicate between the servers.

This must be fixed. Is there a way to re-configure the application to use Kerberos?

Is there a patch for this?"

I would also like to know how AVEVA is preparing for this.

I can confirm the fact that System Platform, Historian and a large part of it's components use NTLM. We tried to inquire about this to support.

Some of the components include, "Change Network Account", polls to Historian, and probably more if not all.

From our customer which will remain anonymous, after we had tried getting System Platform Up and Running with a NTLM BLOCK in place:

"During testing I found that the problem is that the application use NTLM

NTLM is not allowed as an authentication type in our network. We require KERBEROS.

NTLM has been recommended to be replaced with Kerberos for years. I have seen posts as far as back in 2011 when it was recommended to stop using NTLM. But I assume these recommendations are even far older as NTLM belongs to the 1990s (created in 1993). Even Kerberos is old as hell (even older than NTLM), but NTLM was made as an “upgrade” of an even older Microsoft technology for uses on operating systems that did not support the back then more secure Kerberos method. Microsoft did not embrace Kerberos before Windows 2000, but has since around 2000 been Microsoft’s default authentication method in Windows and AD services.

Also, Microsoft just recently (in October 2023) posted that they will remove support for NTLM in Windows 11 in a future patch. We can then also assume the change will come to server operating systems in the future.

I changed a reg key on the server that block NTLM to allow this. Then it worked.

However we use a policy to block NTLM, so this will be reset every 90 minutes.

A bit more alarming is that I see in the NTLM log that there is also a block against our “Historian” server by the AVEVA product. I am not sure if this can be ignored, but I have a hunch that your application also use NTLM to communicate between the servers.

This must be fixed. Is there a way to re-configure the application to use Kerberos?

Is there a patch for this?"

I would also like to know how AVEVA is preparing for this.