diff --git a/http.c b/http.c
index 2209006b56..e72adb5db6 100644
--- a/http.c
+++ b/http.c
@@ -1900,6 +1900,17 @@ static int handle_curl_result(struct slot_results *results)
 credential_reject(the_repository, &http_auth);
 if (always_auth_proactively())
 http_proactive_auth = PROACTIVE_AUTH_NONE;
+ if ((results->auth_avail & CURLAUTH_NTLM) &&
+ !(http_auth_any & CURLAUTH_NTLM)) {
+ warning(_("Due to its cryptographic weaknesses, "
+ "NTLM authentication has been\n"
+ "disabled in Git by default. You can "
+ "re-enable it for trusted servers\n"
+ "by running:\n\n"
+ "git config set "
+ "http.%s://%s.allowNTLMAuth true"),
+ http_auth.protocol, http_auth.host);
+ }
 return HTTP_NOAUTH;
 } else {
 http_auth_methods &= ~CURLAUTH_GSSNEGOTIATE;
diff --git a/t/t5563-simple-http-auth.sh b/t/t5563-simple-http-auth.sh
index 822d64ed5e..303f858964 100755
--- a/t/t5563-simple-http-auth.sh
+++ b/t/t5563-simple-http-auth.sh
@@ -731,7 +731,8 @@ test_expect_success NTLM 'access using NTLM auth' '
 test_config_global credential.helper test-helper &&
 test_must_fail env GIT_TRACE_CURL=1 git \
- ls-remote "$HTTPD_URL/ntlm_auth/repo.git" &&
+ ls-remote "$HTTPD_URL/ntlm_auth/repo.git" 2>err &&
+ test_grep "allowNTLMAuth" err &&
 GIT_TRACE_CURL=1 git -c http.$HTTPD_URL.allowNTLMAuth=true \
 ls-remote "$HTTPD_URL/ntlm_auth/repo.git"
 '
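Review bot: The new check before `return HTTP_NOAUTH;` fires whenever NTLM is among the schemes in `results->auth_avail`, even if another permitted scheme was also offered and the credentials were rejected simply because they were wrong; the message then points the user at re-enabling a weak protocol that was not the cause of the failure. Consider warning only when nothing permitted was on offer, e.g. `!(results->auth_avail & http_auth_any)) {` as the second condition, assuming `http_auth_any` (defined outside this hunk) is the mask of permitted schemes. Since `auth_avail` presumably reflects what the server advertised, a narrower trigger also limits how easily an untrusted server can prompt this advice. The suggested command interpolates `http_auth.protocol` and `http_auth.host` unquoted for copy-paste; whether those values are already restricted to shell-safe characters is not visible here. `handle_curl_result` starts and ends outside the hunk.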
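Review bot: `test_grep "allowNTLMAuth" err` matches only the bare key name, so it would still pass if the protocol or host interpolated into the suggested command were wrong. Matching the full key that the following command relies on, e.g. `test_grep "http.$HTTPD_URL.allowNTLMAuth" err`, would tie the advice to the setting that actually works (assuming the credential host carries the port the same way `$HTTPD_URL` does). The second `ls-remote` could likewise capture stderr and assert that the warning is absent once the setting is enabled. The test body starts above the hunk.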