Disable NTLM with Exchange 2016

18 views
Skip to first unread message

Mayo, Bill

unread,
Oct 27, 2021, 4:12:54 PM10/27/21
to ntexc...@googlegroups.com

Due to security recommendations, I started looking into disabling NTLM in our domain. As a first step, turned on NTLM auditing and see that the vast majority of traffic is related to our Exchange 2016 environment. I tried researching how to disable NTLM for Exchange, but haven’t gotten a clear picture. I see where there is a Microsoft article for how to do this with Exchange 2019 (Disabling Legacy Authentication in Exchange Server 2019 - Microsoft Tech Community), but I am not seeing the same for 2016, which suggests maybe it is not possible. But I did find info on getting Exchange 2016 to use Kerberos for CAS, which maybe suggests there is a way (Configure Kerberos authentication for load-balanced Client Access services | Microsoft Docs).

 

I hope I am just not hitting the correct search phrase to get a definitive answer. Can anybody point me to any guidance on: 1) is it currently possible to disable NTLM when using Exchange 2016, and 2) if so, is there anything needed other than what is documented in the 2nd link above?

 

Thanks for any help,

Bill Mayo

Michael B. Smith

unread,
Oct 27, 2021, 4:46:25 PM10/27/21
to ntexc...@googlegroups.com

I don’t think you can completely remove NTLM from Exchange (more than single-server Exchange). Clusters use both Kerberos and NTLM until Server 2019. Certain things like cross-server move-mailbox also use NTLM.

 

You can reduce it, and certainly use “modern” NTLM, but not remove it.

 

And yes, you need to remove the NTLM provider as an option in each IIS vDir that accepts IWA.

 

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/38ab468f1fa54dfdb1b6ad6562b2a8ba%40pittcountync.gov.

Mayo, Bill

unread,
Oct 27, 2021, 4:56:31 PM10/27/21
to ntexc...@googlegroups.com

Thanks for the info. I took at look at IIS and see that most applications were set to allow Anonymous and Windows authentications (like in your screenshot). There were some, like OAB, that only allowed Windows Authentication. It seems like removing that would break OAB. Is there any way to know from which applications it is “safe” to remove authentication? And would it be necessary to follow the Microsoft article about enabling Kerberos for load-balanced CAS—I assume yes. I do suppose it is possible the extremely talented fellow that helped set us up might have done that; it wasn’t immediately obvious to me how to confirm/deny that may already be in place and I haven’t had time to sit down and try to figure it out.

Mayo, Bill

unread,
Oct 27, 2021, 5:03:05 PM10/27/21
to ntexc...@googlegroups.com

Sorry, just realized that I missed an important aspect of what you show below in regards to the provider. Makes more sense now. That said, is there any specific thing that is likely to break if you remove NTLM under providers?

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 4:56 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

Thanks for the info. I took at look at IIS and see that most applications were set to allow Anonymous and Windows authentications (like in your screenshot). There were some, like OAB, that only allowed Windows Authentication. It seems like removing that would break OAB. Is there any way to know from which applications it is “safe” to remove authentication? And would it be necessary to follow the Microsoft article about enabling Kerberos for load-balanced CAS—I assume yes. I do suppose it is possible the extremely talented fellow that helped set us up might have done that; it wasn’t immediately obvious to me how to confirm/deny that may already be in place and I haven’t had time to sit down and try to figure it out.

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Wednesday, October 27, 2021 4:46 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

I don’t think you can completely remove NTLM from Exchange (more than single-server Exchange). Clusters use both Kerberos and NTLM until Server 2019. Certain things like cross-server move-mailbox also use NTLM.

 

You can reduce it, and certainly use “modern” NTLM, but not remove it.

 

And yes, you need to remove the NTLM provider as an option in each IIS vDir that accepts IWA.

 

cid:image001.png@01D7CB54.59088160

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 4:13 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] Disable NTLM with Exchange 2016

 

Due to security recommendations, I started looking into disabling NTLM in our domain. As a first step, turned on NTLM auditing and see that the vast majority of traffic is related to our Exchange 2016 environment. I tried researching how to disable NTLM for Exchange, but haven’t gotten a clear picture. I see where there is a Microsoft article for how to do this with Exchange 2019 (Disabling Legacy Authentication in Exchange Server 2019 - Microsoft Tech Community), but I am not seeing the same for 2016, which suggests maybe it is not possible. But I did find info on getting Exchange 2016 to use Kerberos for CAS, which maybe suggests there is a way (Configure Kerberos authentication for load-balanced Client Access services | Microsoft Docs).

 

I hope I am just not hitting the correct search phrase to get a definitive answer. Can anybody point me to any guidance on: 1) is it currently possible to disable NTLM when using Exchange 2016, and 2) if so, is there anything needed other than what is documented in the 2nd link above?

 

Thanks for any help,

Bill Mayo

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/38ab468f1fa54dfdb1b6ad6562b2a8ba%40pittcountync.gov.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/074c01603b4847ed80cec64fc6ef4d50%40smithcons.com.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.

Michael B. Smith

unread,
Oct 27, 2021, 5:12:27 PM10/27/21
to ntexc...@googlegroups.com

Note: I did not say “remove authentication”, I said “remove the NTLM provider”. That means “Negotiate” is still there, which supports Kerberos.

 

I’ve done this at a couple places recently for internal apps.

 

The fellow who did your setup didn’t enable Kerberos for load-balanced CAS. You can verify if it’s been done by running “Get-ClientAccessService -IncludeAlternateServiceAccountCredentialStatus| fl  *” in EMS. The field “AlternateServiceAccountConfiguration” will have a computer account specified (and that account will be assigned a variety of SPNs) if the configuration has been done.

Michael B. Smith

unread,
Oct 27, 2021, 5:13:18 PM10/27/21
to ntexc...@googlegroups.com

I haven’t seen anything.

 

If you use DirectAccess, you might want to test carefully. I have some vague memory that it wants NTLM.

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 5:03 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

Sorry, just realized that I missed an important aspect of what you show below in regards to the provider. Makes more sense now. That said, is there any specific thing that is likely to break if you remove NTLM under providers?

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 4:56 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

Thanks for the info. I took at look at IIS and see that most applications were set to allow Anonymous and Windows authentications (like in your screenshot). There were some, like OAB, that only allowed Windows Authentication. It seems like removing that would break OAB. Is there any way to know from which applications it is “safe” to remove authentication? And would it be necessary to follow the Microsoft article about enabling Kerberos for load-balanced CAS—I assume yes. I do suppose it is possible the extremely talented fellow that helped set us up might have done that; it wasn’t immediately obvious to me how to confirm/deny that may already be in place and I haven’t had time to sit down and try to figure it out.

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Wednesday, October 27, 2021 4:46 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

I don’t think you can completely remove NTLM from Exchange (more than single-server Exchange). Clusters use both Kerberos and NTLM until Server 2019. Certain things like cross-server move-mailbox also use NTLM.

 

You can reduce it, and certainly use “modern” NTLM, but not remove it.

 

And yes, you need to remove the NTLM provider as an option in each IIS vDir that accepts IWA.

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 4:13 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] Disable NTLM with Exchange 2016

 

Due to security recommendations, I started looking into disabling NTLM in our domain. As a first step, turned on NTLM auditing and see that the vast majority of traffic is related to our Exchange 2016 environment. I tried researching how to disable NTLM for Exchange, but haven’t gotten a clear picture. I see where there is a Microsoft article for how to do this with Exchange 2019 (Disabling Legacy Authentication in Exchange Server 2019 - Microsoft Tech Community), but I am not seeing the same for 2016, which suggests maybe it is not possible. But I did find info on getting Exchange 2016 to use Kerberos for CAS, which maybe suggests there is a way (Configure Kerberos authentication for load-balanced Client Access services | Microsoft Docs).

 

I hope I am just not hitting the correct search phrase to get a definitive answer. Can anybody point me to any guidance on: 1) is it currently possible to disable NTLM when using Exchange 2016, and 2) if so, is there anything needed other than what is documented in the 2nd link above?

 

Thanks for any help,

Bill Mayo

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/38ab468f1fa54dfdb1b6ad6562b2a8ba%40pittcountync.gov.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/074c01603b4847ed80cec64fc6ef4d50%40smithcons.com.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/07694ab27ede4a0c83270029a6135c2c%40pittcountync.gov.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.

Mayo, Bill

unread,
Oct 28, 2021, 9:05:19 AM10/28/21
to ntexc...@googlegroups.com

The alternate service account configuration has you create a computer account for this authentication. There is also a computer account associated with the DAG. Am I correct in believing this should be 2 different computer accounts and that you should not use the DAG computer account for this purpose?

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Wednesday, October 27, 2021 5:12 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

Note: I did not say “remove authentication”, I said “remove the NTLM provider”. That means “Negotiate” is still there, which supports Kerberos.

 

I’ve done this at a couple places recently for internal apps.

 

The fellow who did your setup didn’t enable Kerberos for load-balanced CAS. You can verify if it’s been done by running “Get-ClientAccessService -IncludeAlternateServiceAccountCredentialStatus| fl  *” in EMS. The field “AlternateServiceAccountConfiguration” will have a computer account specified (and that account will be assigned a variety of SPNs) if the configuration has been done.

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 4:56 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

Thanks for the info. I took at look at IIS and see that most applications were set to allow Anonymous and Windows authentications (like in your screenshot). There were some, like OAB, that only allowed Windows Authentication. It seems like removing that would break OAB. Is there any way to know from which applications it is “safe” to remove authentication? And would it be necessary to follow the Microsoft article about enabling Kerberos for load-balanced CAS—I assume yes. I do suppose it is possible the extremely talented fellow that helped set us up might have done that; it wasn’t immediately obvious to me how to confirm/deny that may already be in place and I haven’t had time to sit down and try to figure it out.

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Wednesday, October 27, 2021 4:46 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

I don’t think you can completely remove NTLM from Exchange (more than single-server Exchange). Clusters use both Kerberos and NTLM until Server 2019. Certain things like cross-server move-mailbox also use NTLM.

 

You can reduce it, and certainly use “modern” NTLM, but not remove it.

 

And yes, you need to remove the NTLM provider as an option in each IIS vDir that accepts IWA.

 

cid:image001.png@01D7CBD9.86FAE3D0

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 4:13 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] Disable NTLM with Exchange 2016

 

Due to security recommendations, I started looking into disabling NTLM in our domain. As a first step, turned on NTLM auditing and see that the vast majority of traffic is related to our Exchange 2016 environment. I tried researching how to disable NTLM for Exchange, but haven’t gotten a clear picture. I see where there is a Microsoft article for how to do this with Exchange 2019 (Disabling Legacy Authentication in Exchange Server 2019 - Microsoft Tech Community), but I am not seeing the same for 2016, which suggests maybe it is not possible. But I did find info on getting Exchange 2016 to use Kerberos for CAS, which maybe suggests there is a way (Configure Kerberos authentication for load-balanced Client Access services | Microsoft Docs).

 

I hope I am just not hitting the correct search phrase to get a definitive answer. Can anybody point me to any guidance on: 1) is it currently possible to disable NTLM when using Exchange 2016, and 2) if so, is there anything needed other than what is documented in the 2nd link above?

 

Thanks for any help,

Bill Mayo

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/38ab468f1fa54dfdb1b6ad6562b2a8ba%40pittcountync.gov.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/074c01603b4847ed80cec64fc6ef4d50%40smithcons.com.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntexchange/07694ab27ede4a0c83270029a6135c2c%40pittcountync.gov.

--
You received this message because you are subscribed to the Google Groups "ntexchange" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntexchange+...@googlegroups.com.

Michael B. Smith

unread,
Oct 28, 2021, 9:09:07 AM10/28/21
to ntexc...@googlegroups.com

That’s correct, they should be two different computer accounts.

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Thursday, October 28, 2021 9:05 AM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

The alternate service account configuration has you create a computer account for this authentication. There is also a computer account associated with the DAG. Am I correct in believing this should be 2 different computer accounts and that you should not use the DAG computer account for this purpose?

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Wednesday, October 27, 2021 5:12 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

Note: I did not say “remove authentication”, I said “remove the NTLM provider”. That means “Negotiate” is still there, which supports Kerberos.

 

I’ve done this at a couple places recently for internal apps.

 

The fellow who did your setup didn’t enable Kerberos for load-balanced CAS. You can verify if it’s been done by running “Get-ClientAccessService -IncludeAlternateServiceAccountCredentialStatus| fl  *” in EMS. The field “AlternateServiceAccountConfiguration” will have a computer account specified (and that account will be assigned a variety of SPNs) if the configuration has been done.

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Mayo, Bill
Sent: Wednesday, October 27, 2021 4:56 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

Thanks for the info. I took at look at IIS and see that most applications were set to allow Anonymous and Windows authentications (like in your screenshot). There were some, like OAB, that only allowed Windows Authentication. It seems like removing that would break OAB. Is there any way to know from which applications it is “safe” to remove authentication? And would it be necessary to follow the Microsoft article about enabling Kerberos for load-balanced CAS—I assume yes. I do suppose it is possible the extremely talented fellow that helped set us up might have done that; it wasn’t immediately obvious to me how to confirm/deny that may already be in place and I haven’t had time to sit down and try to figure it out.

 

 

From: ntexc...@googlegroups.com <ntexc...@googlegroups.com> On Behalf Of Michael B. Smith
Sent: Wednesday, October 27, 2021 4:46 PM
To: ntexc...@googlegroups.com
Subject: [ntexchange] RE: Disable NTLM with Exchange 2016

 

I don’t think you can completely remove NTLM from Exchange (more than single-server Exchange). Clusters use both Kerberos and NTLM until Server 2019. Certain things like cross-server move-mailbox also use NTLM.

 

You can reduce it, and certainly use “modern” NTLM, but not remove it.

 

And yes, you need to remove the NTLM provider as an option in each IIS vDir that accepts IWA.

 

Mayo, Bill

unread,
Oct 28, 2021, 9:14:26 AM10/28/21
to ntexc...@googlegroups.com

Thanks for all the helpful information. To summarize, it seems that the general process should be:

  1. Create the alternate service account.
  2. Configure Exchange to use the alternate service account.
  3. At this point, if “Negotiate” is at the top of the list on relevant IIS applications, Kerberos should be being used and NTLM auditing should reflect that.
  4. To turn off NTLM, go into respective IIS applications and remove NTLM from “Enabled Providers” on the “Windows Authentication” authentication type.

cid:image001.png@01D7CBDB.7ED20B50

Michael B. Smith

unread,
Oct 28, 2021, 9:49:35 AM10/28/21
to ntexc...@googlegroups.com

In re: [3] – I honestly don’t know for certain how that order is selected, and I wouldn’t be surprised if it depends on browser version and OS version.

 

If kernel-mode is selected, I know that Kerberos is preferred by the server.

 

In general, when a browser tries to access a resource that requires authentication, it gets returned an error by IIS (a 401) and that error includes a header which says the enabled providers: “WWW-Authenticate: Negotiate” and/or “WWW-Authenticate: NTLM”. Then the browser gets to choose.

 

Here are a couple of articles, but they aren’t definitive as to ordering:

 

https://techcommunity.microsoft.com/t5/iis-support-blog/windows-authentication-http-request-flow-in-iis/ba-p/324645

https://docs.microsoft.com/en-us/troubleshoot/iis/troubleshoot-kerberos-failures-ie

 

Of particular interesting note – the second article says that by default, Kerberos isn’t supported if you are accessing a site on localhost.

Mayo, Bill

unread,
Oct 28, 2021, 10:10:43 AM10/28/21
to ntexc...@googlegroups.com

That is great information. I feel like I have a much better understanding at this point and have a direction. As always, thanks so much for your help!

cid:image001.png@01D7CBE3.E2743400

Reply all
Reply to author
Forward
0 new messages