diff --git a/CMakeLists.txt b/CMakeLists.txt
index 95c8c62f6..33a392c63 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -36,6 +36,7 @@ option(USE_NSEC                "Support nanosecond precision file mtimes and cti
    set(USE_SHA256              "" CACHE STRING "Selects SHA256 provider. One of Builtin, HTTPS, or a specific provider. (Defaults to HTTPS.)")
 option(USE_GSSAPI              "Enable SPNEGO authentication using GSSAPI" OFF)
    set(USE_HTTP_PARSER         "" CACHE STRING "Selects HTTP Parser support: http-parser, llhttp, or builtin. (Defaults to builtin.)")
+   set(USE_AUTH_NTLM           "" CACHE STRING "Enables NTLM authentication support. One of Builtin or win32.")
 #  set(USE_XDIFF               "" CACHE STRING "Specifies the xdiff implementation; either system or builtin.")
    set(USE_REGEX               "" CACHE STRING "Selects regex provider. One of regcomp_l, pcre2, pcre, regcomp, or builtin.")
    set(USE_COMPRESSION         "" CACHE STRING "Selects compression backend. Either builtin or zlib.")
@@ -68,13 +69,6 @@ option(CMAKE_C_EXTENSIONS      "Whether compiler extensions are supported"
 option(ENABLE_WERROR           "Enable compilation with -Werror"                       OFF)
 
 if(UNIX)
-	# NTLM client requires crypto libraries from the system HTTPS stack
-	if(USE_HTTPS STREQUAL "OFF")
-		option(USE_NTLMCLIENT  "Enable NTLM support on Unix."                  OFF)
-	else()
-		option(USE_NTLMCLIENT  "Enable NTLM support on Unix."                   ON)
-	endif()
-
 	option(ENABLE_REPRODUCIBLE_BUILDS "Enable reproducible builds"                 OFF)
 endif()
 
diff --git a/cmake/SelectAuthNTLM.cmake b/cmake/SelectAuthNTLM.cmake
new file mode 100644
index 000000000..105c4bbc3
--- /dev/null
+++ b/cmake/SelectAuthNTLM.cmake
@@ -0,0 +1,46 @@
+include(SanitizeBool)
+
+if(USE_AUTH_NTLM STREQUAL "" AND NOT USE_NTLMCLIENT STREQUAL "")
+        sanitizebool(USE_NTLMCLIENT)
+	set(USE_AUTH_NTLM "${USE_NTLMCLIENT}")
+endif()
+
+sanitizebool(USE_AUTH_NTLM)
+
+if(USE_AUTH_NTLM STREQUAL "")
+	set(USE_AUTH_NTLM ON)
+endif()
+
+if(USE_AUTH_NTLM STREQUAL ON AND UNIX)
+	set(USE_AUTH_NTLM "builtin")
+elseif(USE_AUTH_NTLM STREQUAL ON AND WIN32)
+	set(USE_AUTH_NTLM "sspi")
+elseif(USE_AUTH_NTLM STREQUAL ON)
+	message(FATAL_ERROR "ntlm support was requested but no backend is available")
+endif()
+
+if(USE_AUTH_NTLM STREQUAL "builtin")
+	if(NOT UNIX)
+		message(FATAL_ERROR "ntlm support requested via builtin provider, but builtin ntlmclient only supports posix platforms")
+	endif()
+
+        add_subdirectory("${PROJECT_SOURCE_DIR}/deps/ntlmclient" "${PROJECT_BINARY_DIR}/deps/ntlmclient")
+        list(APPEND LIBGIT2_DEPENDENCY_INCLUDES "${PROJECT_SOURCE_DIR}/deps/ntlmclient")
+        list(APPEND LIBGIT2_DEPENDENCY_OBJECTS "$<TARGET_OBJECTS:ntlmclient>")
+
+	set(GIT_AUTH_NTLM 1)
+	set(GIT_AUTH_NTLM_BUILTIN 1)
+	add_feature_info("NTLM authentication" ON "using bundled ntlmclient")
+elseif(USE_AUTH_NTLM STREQUAL "sspi")
+	if(NOT WIN32)
+		message(FATAL_ERROR "SSPI is only available on Win32")
+	endif()
+
+	set(GIT_AUTH_NTLM 1)
+	set(GIT_AUTH_NTLM_SSPI 1)
+	add_feature_info("NTLM authentication" ON "using Win32 SSPI")
+elseif(USE_AUTH_NTLM STREQUAL OFF OR USE_AUTH_NTLM STREQUAL "")
+	add_feature_info("NTLM authentication" OFF "NTLM support is disabled")
+else()
+	message(FATAL_ERROR "unknown ntlm option: ${USE_AUTH_NTLM}")
+endif()
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 7e0106cfa..02895f980 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -45,6 +45,7 @@ include(SelectXdiff)
 include(SelectSSH)
 include(SelectCompression)
 include(SelectI18n)
+include(SelectAuthNTLM)
 
 #
 # Platform support
@@ -168,19 +169,6 @@ if(USE_THREADS)
 endif()
 add_feature_info(threadsafe USE_THREADS "threadsafe support")
 
-#
-# Optional bundled features
-#
-
-# ntlmclient
-if(USE_NTLMCLIENT)
-	set(GIT_NTLM 1)
-	add_subdirectory("${PROJECT_SOURCE_DIR}/deps/ntlmclient" "${PROJECT_BINARY_DIR}/deps/ntlmclient")
-	list(APPEND LIBGIT2_DEPENDENCY_INCLUDES "${PROJECT_SOURCE_DIR}/deps/ntlmclient")
-	list(APPEND LIBGIT2_DEPENDENCY_OBJECTS "$<TARGET_OBJECTS:ntlmclient>")
-endif()
-add_feature_info(ntlmclient GIT_NTLM "NTLM authentication support for Unix")
-
 #
 # Include child projects
 #
diff --git a/src/libgit2/libgit2.c b/src/libgit2/libgit2.c
index 36a001e49..f51dce3e0 100644
--- a/src/libgit2/libgit2.c
+++ b/src/libgit2/libgit2.c
@@ -98,7 +98,7 @@ int git_libgit2_features(void)
 #ifdef GIT_I18N_ICONV
 		| GIT_FEATURE_I18N
 #endif
-#if defined(GIT_NTLM) || defined(GIT_WIN32)
+#if defined(GIT_AUTH_NTLM)
 		| GIT_FEATURE_AUTH_NTLM
 #endif
 #if defined(GIT_GSSAPI) || defined(GIT_GSSFRAMEWORK) || defined(GIT_WIN32)
@@ -200,10 +200,12 @@ const char *git_libgit2_feature_backend(git_feature_t feature)
 		break;
 
 	case GIT_FEATURE_AUTH_NTLM:
-#if defined(GIT_NTLM)
-		return "ntlmclient";
-#elif defined(GIT_WIN32)
+#if defined(GIT_AUTH_NTLM_BUILTIN)
+		return "builtin";
+#elif defined(GIT_AUTH_NTLM_SSPI)
 		return "sspi";
+#elif defined(GIT_AUTH_NTLM)
+		GIT_ASSERT_WITH_RETVAL(!"Unknown NTLM backend", NULL);
 #endif
 		break;
 
diff --git a/src/libgit2/transports/auth_ntlm.h b/src/libgit2/transports/auth_ntlm.h
index 33406ae94..b6610d940 100644
--- a/src/libgit2/transports/auth_ntlm.h
+++ b/src/libgit2/transports/auth_ntlm.h
@@ -13,7 +13,7 @@
 /* NTLM requires a full request/challenge/response */
 #define GIT_AUTH_STEPS_NTLM 2
 
-#if defined(GIT_NTLM) || defined(GIT_WIN32)
+#if defined(GIT_AUTH_NTLM)
 
 #if defined(GIT_OPENSSL)
 # define CRYPT_OPENSSL
@@ -31,7 +31,7 @@ extern int git_http_auth_ntlm(
 
 #define git_http_auth_ntlm git_http_auth_dummy
 
-#endif /* GIT_NTLM */
+#endif /* GIT_AUTH_NTLM */
 
 #endif
 
diff --git a/src/libgit2/transports/auth_ntlmclient.c b/src/libgit2/transports/auth_ntlmclient.c
index 6f26a6179..b8c6e2353 100644
--- a/src/libgit2/transports/auth_ntlmclient.c
+++ b/src/libgit2/transports/auth_ntlmclient.c
@@ -12,7 +12,7 @@
 #include "auth.h"
 #include "git2/sys/credential.h"
 
-#ifdef GIT_NTLM
+#ifdef GIT_AUTH_NTLM_BUILTIN
 
 #include "ntlmclient.h"
 
@@ -224,4 +224,4 @@ int git_http_auth_ntlm(
 	return 0;
 }
 
-#endif /* GIT_NTLM */
+#endif /* GIT_AUTH_NTLM_BUILTIN */
diff --git a/src/util/git2_features.h.in b/src/util/git2_features.h.in
index af7b5dd27..27c2f688f 100644
--- a/src/util/git2_features.h.in
+++ b/src/util/git2_features.h.in
@@ -36,7 +36,10 @@
 #cmakedefine GIT_SSH_LIBSSH2 1
 #cmakedefine GIT_SSH_LIBSSH2_MEMORY_CREDENTIALS 1
 
-#cmakedefine GIT_NTLM 1
+#cmakedefine GIT_AUTH_NTLM 1
+#cmakedefine GIT_AUTH_NTLM_BUILTIN 1
+#cmakedefine GIT_AUTH_NTLM_SSPI 1
+
 #cmakedefine GIT_GSSAPI 1
 #cmakedefine GIT_GSSFRAMEWORK 1
 
diff --git a/tests/libgit2/core/features.c b/tests/libgit2/core/features.c
index 69426c040..26e3e51b1 100644
--- a/tests/libgit2/core/features.c
+++ b/tests/libgit2/core/features.c
@@ -33,7 +33,7 @@ void test_core_features__basic(void)
 	cl_assert((caps & GIT_FEATURE_I18N) != 0);
 #endif
 
-#if defined(GIT_NTLM) || defined(GIT_WIN32)
+#if defined(GIT_AUTH_NTLM)
 	cl_assert((caps & GIT_FEATURE_AUTH_NTLM) != 0);
 #endif
 #if defined(GIT_GSSAPI) || defined(GIT_GSSFRAMEWORK) || defined(GIT_WIN32)
@@ -164,10 +164,12 @@ void test_core_features__backends(void)
 	cl_assert(i18n == NULL);
 #endif
 
-#if defined(GIT_NTLM)
-	cl_assert_equal_s("ntlmclient", ntlm);
-#elif defined(GIT_WIN32)
+#if defined(GIT_AUTH_NTLM_BUILTIN)
+	cl_assert_equal_s("builtin", ntlm);
+#elif defined(GIT_AUTH_NTLM_SSPI)
 	cl_assert_equal_s("sspi", ntlm);
+#elif defined(GIT_AUTH_NTLM)
+	cl_assert(0);
 #else
 	cl_assert(ntlm == NULL);
 #endif