
Commit 24bbac2

Update Kerberos/NTLM docs (#2299)
Clarify the risks of NTLM fallback during SPNEGO negotiation and offer instructions for disabling NTLM. Detail the bug and workaround for enabling Kerberos authentication in Git.
2 parents bffb1aa + 5687c1c commit 24bbac2

File tree

1 file changed

+36
-0
lines changed


docs/ntlm-kerberos.md

Lines changed: 36 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -49,6 +49,30 @@ server to agree on which authentication protocol to use (Kerberos or NTLM) based
4949
on their capabilities. Typically Kerberos is preferred if both the client and
5050
server support it, with NTLM acting as a fallback.
5151

52+
#### NTLM-over-SPNEGO
53+
54+
> [!CAUTION]
55+
> When using SPNEGO negotiation if either the client or server does not support
56+
> Kerberos, or if there is an issue with Kerberos authentication, _NTLM may be
57+
> selected as a fallback authentication protocol_.
58+
>
59+
> **This can expose you to all the security risks associated with NTLM.**
60+
61+
Currently the only way to prevent NTLM from being used as a fallback when SPNEGO
62+
negotiation is in use on Windows is to set the following registry key on your
63+
client system to the value `2` (type `DWORD`) to disable NTLM support
64+
system-wide:
65+
66+
```text
67+
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
68+
```
69+
70+
> [!WARNING]
71+
> Disabling NTLM support system-wide can have unintended consequences.
72+
>
73+
> NTLM is still often used in various legacy applications and services, and
74+
> disabling it may cause authentication failures in those applications.
75+
5276
## Built-in Support in Git
5377

5478
Git provides built-in support for NTLM and Kerberos authentication through the
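Review bot: the sentence "to the value `2` (type `DWORD`) to disable NTLM support system-wide" overstates what `RestrictSendingNTLMTraffic` does: that value corresponds to the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy set to "Deny all", so it blocks NTLM that this client sends to remote servers, not NTLM accepted by the machine. Suggest rewording to "to deny all outgoing NTLM traffic from this client" and, given the `[!WARNING]` about legacy applications, recommending that readers first set the value to `1` ("Audit all") and review the resulting events before switching to `2`, since the audit step surfaces which applications would break without actually breaking them. It is also worth saying that the same setting is exposed through Group Policy under Local Policies > Security Options, which is the supported way to roll it out fleet-wide rather than editing the registry by hand.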
@@ -61,6 +85,18 @@ On Windows, Git can use the native Windows [SSPI][sspi-wiki] (Security Support
6185
Provider Interface) to perform NTLM and Kerberos authentication. This allows Git
6286
to integrate seamlessly with the Windows authentication infrastructure.
6387

88+
> [!IMPORTANT]
89+
> Kerberos authentication is not enabled by default in Git due to a known bug.
90+
>
91+
> To workaround this bug and enable Kerberos authentication, you must set the
92+
> `http.<url>.emptyAuth` configuration option to `true` for your remote URL.
93+
>
94+
> For example:
95+
>
96+
> ```shell
97+
> git config --global http.https://example.com.emptyAuth true
98+
> ```
99+
64100
> [!NOTE]
65101
> As of Git for Windows version 2.53.0.2, **NTLM support is disabled by
66102
> default**.
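Review bot: "due to a known bug" in the new `[!IMPORTANT]` block gives the reader no way to find or track the bug; please link the issue (or the Git for Windows release note) so they can tell when the `emptyAuth` workaround is no longer needed. Two smaller points in the same block: "To workaround this bug" should read "To work around this bug" (verb form), and the example `git config --global http.https://example.com.emptyAuth true` would benefit from a one-line note that Git matches the `<url>` part by prefix, so `https://example.com` covers every repository on that host; readers with several hosts will otherwise not know whether they need one entry per remote.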
