NTLM question

NTLM question

Author: githubarpyka

articles/active-directory/manage-apps/application-proxy-faq.md

@@ -93,6 +93,13 @@ If the connector servers and the web application service account are in the same
 If the connector servers and the web application service account are in different domains, Resource-based delegation is used. The delegation permissions are configured on the target web server and web application service account. This method of Constrained Delegation is relatively new. The method was introduced in Windows Server 2012, which supports cross-domain delegation by allowing the resource (web service) owner to control which machine and service accounts can delegate to it. There's no UI to assist with this configuration, so you'll need to use PowerShell.
 For more information, see the whitepaper [Understanding Kerberos Constrained Delegation with Application Proxy](https://aka.ms/kcdpaper).
 
+### Does NTLM authentication work with Azure AD Application Proxy?
+
+NTLM authentication cannot be used as pre-authentication or single sing-on method.
+NTLM authentication only works, when it will be negotiated directly between the client and the published web application.
+
+NTLM authentication causes usually a credential window popping up in the browser.
+
 ## Pass-through authentication
 
 ### Can I use Conditional Access Policies for applications published with pass-through authentication?