Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication


Oct 14, 2023 | Newsroom | Authentication / Endpoint Security


Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods of authentication to bolster security.

“The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM),” the tech giant said. “New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.”

IAKerb allows clients to authenticate with Kerberos across a diverse range of network topologies. The second feature, a local Key Distribution Center (KDC) for Kerberos, extends Kerberos support to local accounts.

First introduced in the 1990s, NTLM is a suite of security protocols intended to provide authentication, integrity, and confidentiality to users. It is a single sign-on (SSO) tool that relies on a challenge-response protocol: the client proves to a server or domain controller that the user knows the password associated with an account, without sending the password itself.

It has since been superseded by another authentication protocol, Kerberos, since the release of Windows 2000, although NTLM continues to be used as a fallback mechanism.

“The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user,” CrowdStrike notes. “Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.”

Another crucial difference is that while NTLM relies on password hashing, Kerberos leverages encryption.

Besides NTLM’s inherent security weaknesses, the technology has been rendered vulnerable to relay attacks, potentially allowing bad actors to intercept authentication attempts and gain unauthorized access to network resources.

Microsoft said it is also working on addressing hard-coded NTLM instances in its components in preparation for the shift to eventually disable NTLM in Windows 11, adding that it is making improvements that encourage the use of Kerberos instead of NTLM.

“All these changes will be enabled by default and will not require configuration for most scenarios,” Matthew Palko, Microsoft’s senior product management lead in Enterprise and Security, said. “NTLM will continue to be available as a fallback to maintain existing compatibility.”
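Because NTLM remains a silent fallback, the practical first step before disabling it is an inventory of where it is still being used. The following PowerShell is an added example, not code from the article or from Microsoft: it reads successful logon events (Event ID 4624) from a host's Security log and reports which accounts and workstations still authenticate with NTLM, and whether they use NTLMv1 or NTLMv2. The look-back window and the target computer name are assumed parameters; run it on a domain controller to see NTLM authentication against the domain, or on a file server to see its own incoming NTLM logons.

```powershell
# Added example (not from the article or Microsoft): inventory NTLM logons so
# that fallback usage can be found and fixed before NTLM is disabled.
# Needs an elevated session with rights to read the Security log.
# Event 4624 carries AuthenticationPackageName ('Kerberos' or 'NTLM') and
# LmPackageName ('NTLM V1' or 'NTLM V2' for NTLM logons, '-' for Kerberos).
param(
    [int]$Days = 7,                          # assumed look-back window
    [string]$ComputerName = $env:COMPUTERNAME # assumed target host
)

# timediff() is evaluated in milliseconds inside the event service, so the
# filtering happens server-side instead of in PowerShell.
$windowMs = [int64]$Days * 86400000
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
         " and EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

$events = Get-WinEvent -ComputerName $ComputerName -LogName 'Security' `
                       -FilterXPath $xpath -ErrorAction Stop

# Flatten each event's EventData into a record we can group on.
$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']
        SourceIP    = $d['IpAddress']
        LogonType   = $d['LogonType']        # 3 = network, 2 = interactive, ...
        NtlmVersion = $d['LmPackageName']    # 'NTLM V1' or 'NTLM V2'
    }
}

# Summarise per account, source and NTLM version. NTLMv1 sorts first because it
# is the weakest variant and should be retired before the rest.
$rows |
    Group-Object Account, Workstation, NtlmVersion |
    ForEach-Object {
        [pscustomobject]@{
            Account     = $_.Group[0].Account
            Workstation = $_.Group[0].Workstation
            SourceIP    = $_.Group[0].SourceIP
            NtlmVersion = $_.Group[0].NtlmVersion
            Logons      = $_.Count
            LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
        }
    } |
    Sort-Object NtlmVersion, @{Expression = 'Logons'; Descending = $true} |
    Format-Table -AutoSize
```

Each row in the output is a client or service that would break, or fall back further, once NTLM is turned off, which is exactly the list the migration work described above has to clear. Where the Group Policy setting “Network security: Restrict NTLM: Audit NTLM authentication in this domain” is enabled, the dedicated Microsoft-Windows-NTLM/Operational log (event 8004 on domain controllers) gives the same picture with less noise than the Security log, and the script can be pointed at that log instead.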
