Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Certificate-based authentication for remote access - what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Microsoft’s phased NTLM deprecation is pushing organisations toward certificate-based authentication for remote access and SaaS single sign-on, because legacy challenge-response authentication no longer fits internet-facing identity flows, according to IS Decisions. The real shift is not just protocol substitution: identity assurance now depends on device-bound certificates, certificate lifecycle control, and how well on-prem authentication extends beyond the LAN.

NHIMG editorial — based on content published by IS Decisions: NTLM replacement with certificate-based authentication for remote access

By the numbers:

Questions worth separating out

Q: How should security teams replace NTLM without breaking remote access?

A: Teams should replace NTLM in layers, starting with a dependency inventory, then moving each remote application or access path to a supported alternative such as certificate-based authentication or Kerberos where direct connectivity allows it.

Q: Why do certificate-based logins change identity governance work?

A: Certificate-based logins shift governance from password or protocol control to lifecycle control.

Q: What goes wrong when certificate lifecycle is not operationally owned?

A: When no team owns certificate lifecycle, expiry, revocation, and replacement become ad hoc troubleshooting tasks instead of controlled processes.

Practitioner guidance

  • Inventory every NTLM dependency Identify each application, remote access path, and third-party integration that still relies on NTLM before default disablement begins.
  • Treat certificate lifecycle as identity lifecycle Assign ownership for issuance, renewal, revocation, and recovery of device certificates, including where private keys are stored on endpoints such as TPM-backed hardware.
  • Separate remote access from SaaS federation design Design one control pattern for internet-facing remote access and a second for SaaS SSO, even if both use client certificates.

What's in the full article

IS Decisions's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step configuration guidance for UserLock Anywhere with certificate-based authentication enabled.
  • The specific IIS and SSL settings required to accept client certificates on the hosting server.
  • How UserLock SSO extends on-premises AD trust to SaaS sign-in with certificate validation.
  • Implementation detail for TPM-backed certificate storage on managed endpoints.

👉 Read IS Decisions's analysis of replacing NTLM with certificate-based authentication →

Certificate-based authentication for remote access - what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

NTLM deprecation is really a certificate governance problem in disguise. The article frames a protocol transition, but the operational burden shifts to certificate issuance, renewal, validation, and revocation across remote endpoints and SaaS access paths. That makes identity assurance dependent on lifecycle discipline rather than on a single replacement protocol. Practitioners should read this as a governance change, not a transport upgrade.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to The Critical Gaps in Machine Identity Management report.
  • 59% of companies face greater difficulties auditing machine identities, primarily due to lack of clear ownership and limited visibility.

A question worth separating out:

Q: Who should own the move from NTLM to certificate-based authentication?

A: Ownership should sit across IAM, endpoint security, and platform operations because the control spans identity policy, device storage, and remote access infrastructure. If one team owns only the protocol change, the programme will miss renewal, recovery, and trust-boundary issues that determine whether the replacement actually works.

👉 Read our full editorial: NTLM replacement with certificate-based authentication for remote access



   
ReplyQuote
Share: