Reconfigure Azure DevOps Server to use Kerberos instead of NTLM

Angel Wong

Multiple on-prem customers have reported that after upgrading Git LFS to version 3.0 (or higher), they are no longer able to authenticate against Azure DevOps Server. This is because Git LFS has dropped support for NTLM authentication in version 3.0 (Changelog from 24th September 2021).

While it is possible to roll back Git LFS to the last 2.x version with NTLM support to resolve this issue, the Git LFS team does not recommend this option. (Additionally, you may find that using Git LFS 3.x versions requires HTTP version 1.1, as HTTP version 2 may not work, per our trials.)

This does not impact the hosted Azure DevOps service, and no changes are required there.

Switch to Kerberos authentication

We recommend re-configuring Azure DevOps Server to use Kerberos authentication instead of NTLM, if you haven’t already. Azure DevOps Server has supported Kerberos for quite some time and the Git LFS 3.0 changelog indicates that it will continue to support Kerberos moving forward. Kerberos needs to be configured in IIS, per this blog published in 2017.

The following resource may provide some guidance on how to set up Kerberos: Setting up Kerberos Authentication for a Website in IIS – Microsoft Tech Community

Note: Kerberos does not work in the Workgroup environment, which we support. For customers running Azure DevOps Server on Workgroup-joined machines, or where Domain Controllers are not available, we recommend rolling back to the last Git LFS 2.x version and continuing to use NTLM.

After moving to Kerberos, you should be able to use it with Git LFS and Azure DevOps Server.
If you have additional concerns or questions on implementation, feel free to reach out to Support, make a comment below, or make a post on and we will help you with getting those issues resolved.
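
To confirm after the switch that clients are authenticating with Kerberos rather than NTLM, the following added example (not part of the original post, and not code from Microsoft or Git LFS) classifies captured HTTP authentication headers. It assumes you supply the `WWW-Authenticate` values from the server's 401 response, one per header line, and the client's `Authorization` value; the function names and sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature at the start of every NTLM message
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2, Kerberos V5
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2, MS Kerberos
)

def offered_schemes(www_authenticate):
    """Schemes (lowercased) from a list of WWW-Authenticate header values."""
    return {v.split()[0].lower() for v in www_authenticate if v.strip()}

def classify_authorization(value):
    """Return 'kerberos', 'ntlm', 'other' or 'unknown' for an Authorization value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if NTLMSSP_SIG in raw:  # raw NTLM, or NTLM wrapped in SPNEGO
        return "ntlm"
    if raw[:1] == b"\x60" and any(oid in raw for oid in KRB5_OIDS):
        return "kerberos"  # GSS-API token carrying a Kerberos mechanism OID
    return "unknown"

def verdict(www_authenticate, authorization):
    """Combine the server's offer and the client's token into one finding."""
    if "negotiate" not in offered_schemes(www_authenticate):
        return "server-offers-no-negotiate"
    kind = classify_authorization(authorization)
    return {"kerberos": "kerberos-in-use",
            "ntlm": "negotiate-fell-back-to-ntlm"}.get(kind, "inconclusive")

# Constructed samples (not real tickets): just enough bytes to classify.
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x82\x01\x00" + bytes.fromhex("06062b0601050502") + KRB5_OIDS[0] + b"\x00" * 16
).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01" + b"\x00" * 11).decode()

if __name__ == "__main__":
    print(verdict(["Negotiate", "NTLM"], SAMPLE_KRB))
    print(verdict(["Negotiate", "NTLM"], SAMPLE_NTLM))
    print(verdict(["NTLM"], SAMPLE_NTLM))
```

A `negotiate-fell-back-to-ntlm` result means the server offers Negotiate but the client could not obtain a Kerberos ticket, so the connection is still using NTLM.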