diff --git a/docs-xml/smbdotconf/security/sasl_bind_allow_ntlmssp.xml b/docs-xml/smbdotconf/security/sasl_bind_allow_ntlmssp.xml
new file mode 100644
index 0000000000..713cf2bb87
--- /dev/null
+++ b/docs-xml/smbdotconf/security/sasl_bind_allow_ntlmssp.xml
@@ -0,0 +1,11 @@
+
+
+ This parameter determines whether or not sasl bind will
+ fallback to NTLMSSP if kerberos authentication fails.
+
+
+yes
+
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 2da5d66da6..a8c9525b38 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -4899,6 +4899,14 @@ struct parm_struct parm_table[] = {
 .special = NULL,
 .enum_list = NULL,
 },
+ {
+ .label = "sasl bind allow ntlmssp",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .offset = GLOBAL_VAR(sasl_bind_allow_ntlmssp),
+ .special = NULL,
+ .enum_list = NULL,
+ },
 {NULL, P_BOOL, P_NONE, 0, NULL, NULL, 0}
 };
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 103120d8ec..1f6d52f5f0 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -152,6 +152,10 @@ static ADS_STATUS libnet_connect_ads(const char *ad_domain_name,
 my_ads->auth.password = SMB_STRDUP(password);
 }
+ if(lp_sasl_bind_allow_ntlmssp() && password) {
+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ }
+
 status = ads_connect_user_creds(my_ads);
 if (!ADS_ERR_OK(status)) {
 ads_destroy(&my_ads);
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index d543fc28fc..9115cdbae8 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -1065,6 +1065,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.ignore_local_unix_groups = true;
 Globals.enable_preferred_dc = true;
+ Globals.sasl_bind_allow_ntlmssp = true;
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 23ab0f9133..e5a4b6fd6a 100644
--- a/source3/utils/net_ads.c
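Review bot: In source3/libnet/libnet_join.c (libnet_connect_ads) the new guard only ever ORs `ADS_AUTH_ALLOW_NTLMSSP` into `my_ads->auth.flags`, so if that bit is already set before this point (not visible in the hunk) `sasl bind allow ntlmssp = no` would not switch the fallback off. Clearing it explicitly makes the option authoritative: `else { my_ads->auth.flags &= ~ADS_AUTH_ALLOW_NTLMSSP; }`. The same applies to the guard after `retry:` in source3/utils/net_ads.c. The two sites also spell the test differently (`&& password` versus `&& (ads->auth.password != NULL)`) and both write `if(` without a space; `if (... && password != NULL)` in both would keep them consistent. Both function bodies continue outside their hunks.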
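Review bot: The default added in init_globals in source3/param/loadparm.c, `Globals.sasl_bind_allow_ntlmssp = true;`, leaves the NTLMSSP fallback on unless an administrator opts out, so a failed Kerberos SASL bind can quietly complete with NTLMSSP instead of failing. If `true` is kept to preserve existing behaviour, record that on the line, e.g. `/* default yes for compatibility; "no" refuses NTLMSSP fallback when Kerberos fails */`, and state the same trade-off in the parameter's XML description, which currently only says what the option toggles. init_globals starts and ends outside the hunk.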
+++ b/source3/utils/net_ads.c
@@ -297,6 +297,10 @@ retry:
 }
 }
+ if(lp_sasl_bind_allow_ntlmssp() && (ads->auth.password != NULL)) {
+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+ }
+
 status = ads_connect(ads);
 if (!ADS_ERR_OK(status)) {