Publish an application with NTLM authentication

Mountain Pond 1,346

Hello, Azure has an authentication application that is configured to use the NTLM AD provider. This is a virtual machine with IIS and users logged into the domain transparently open the site without authentication.

We would like to protect applications using WAF2, as well as make it secure.

As it turned out, Application Gateway v2 does not support NTLM.

Perhaps Azure has a solution that could solve this. As far as I remember, it was possible to find compromises in TMG UAG.

Thank you.

Sina Salam 4,216 Reputation points

2024-05-11T00:31:21.8266667+00:00
Hello Mountain Pond,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

Problem

Sequel to your questions, I understand that you need to secure an application hosted on a virtual machine in Azure, currently utilizing NTLM authentication. You also aim to implement Azure Web Application Firewall v2 (WAF2) for enhanced security. However, Azure Application Gateway v2 does not support NTLM authentication, and this caused reasons for necessitating an alternative solution.

Scenario

Mountain Pond runs an app on a virtual machine in Azure. It's set up with NTLM authentication, so domain users can easily get in. But they're worried about security and want to use Azure Web Application Firewall v2 (WAF2) to shield the app from web attacks. However, the attempts to use Azure Application Gateway v2 for this purpose are hindered by its lack of support for NTLM authentication.

Solution

This prescribed solution was based on the scenario given and your questions, while focusing on the problem statement. To address your specific scenario of securing an application with NTLM authentication in Azure while implementing Azure Web Application Firewall v2 (WAF2), we can devise a solution leveraging Azure services strategically.

To achieve these, kindly follow the steps and the links for more details:

Setup and configure Azure Active Directory to manage user identities and enable Single Sign-On (SSO). https://docs.microsoft.com/en-us/azure/active-directory/

Implement Azure Front Door to act as a global entry point for your application, providing SSL termination, load balancing, and DDoS protection. https://learn.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

Configure Azure Application Gateway (AG) with WAF2. https://docs.microsoft.com/en-us/azure/application-gateway/

Integration with Virtual Machine Hosting the Application while configuring IIS to authenticate users using NTLM. https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/windowsauthentication/enablewindowsauthentication

Implement Network Security Groups (NSGs) and Access Control Lists (ACLs) to control traffic flow to and from your virtual machine and Application Gateway. https://docs.microsoft.com/en-us/azure/security-center/network-security-best-practices

Finally

You can secure your application with NTLM authentication in Azure while leveraging Azure Web Application Firewall v2 (WAF2) for enhanced protection against web-based attacks. Each step in the documentation ensures a comprehensive approach to security and compliance with best practices in Azure.

References

For more reading and information, kindly use the additional resources available by the right side of this page and the following links.

Source: Azure Monitor documentation. Accessed, 5/11/2024.

Source: Microsoft Entra ID documentation. Accessed, 5/11/2024.

Source: Azure best practices for network security. Accessed, 5/11/2024.

Source: Azure Application Gateway documentation. Accessed, 5/11/2024.

Source: Windows Authentication. Accessed, 5/11/2024.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam
Mountain Pond 1,346 Reputation points

2024-05-12T12:41:55.8533333+00:00

Is it generated by AI?

That's an absolute assumption.

But glad your issue is solved.

Accepted answer

ChaitanyaNaykodi-MSFT 23,426 Reputation points Microsoft Employee

2024-05-11T03:40:34.8866667+00:00

@Mountain Pond

Thank you for reaching out.

I understand that you have an Azure virtual machine with IIS configured for NTLM AD provider authentication. This allows domain users to access the site transparently. However, you want to improve security and utilize WAF2 for protection. Unfortunately, you discovered Application Gateway v2 doesn't support NTLM.

Yes, your understanding here is correct and Application Gateway v2 doesn't support NTLM. The Azure Front Door Service is also not validated to work alongside NTLM authentication and I checked internally can could find that customers have run into issues while using Azure Front Door Service with NTLM auth.

The recommended solution in this case is to update authentication method instead. It will also help if you could upvote this feedback item for this request on our feedback portal.

If it helps you can also go through this blog post on how the windows team is reducing dependencies on NTLM.

Hope this helps! Please let me know if you have any additional questions. Thank you!
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Publish an application with NTLM authentication

Problem

Scenario

Solution

Finally

References

Accept Answer

0 additional answers