Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication

Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative authentication methods and bolsters security.

“The focus is on strengthening the Kerberos authentication protocol, which has been the default since 2000, and reducing reliance on NT LAN Manager (NTLM),” the tech giant said. “New features for Windows 11 include Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.”

IAKerb enables clients to authenticate with Kerberos across a diverse range of network topologies. The second feature, a local Key Distribution Center (KDC) for Kerberos, extends Kerberos support to local accounts.

First introduced in the 1990s, NTLM is a suite of security protocols intended to provide authentication, integrity, and confidentiality to users. It is a single sign-on (SSO) tool that relies on a challenge-response protocol that proves to a server or domain controller that a user knows the password associated with an account.

It was supplanted as the default by another authentication protocol, Kerberos, with the release of Windows 2000, although NTLM continues to be used as a fallback mechanism.

“The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user,” CrowdStrike notes. “Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.”

Another crucial distinction is that NTLM relies on password hashing, whereas Kerberos relies on encryption.

Besides NTLM’s inherent security weaknesses, the protocol is vulnerable to relay attacks, which can allow bad actors to intercept authentication attempts and gain unauthorized access to network resources.

Microsoft said it is also working to address hard-coded NTLM instances in its own components in preparation for ultimately disabling NTLM in Windows 11, adding that it is making improvements that encourage the use of Kerberos over NTLM.

“All these changes will be enabled by default and will not require configuration for most scenarios,” Matthew Palko, Microsoft’s senior product management lead in Enterprise and Security, said. “NTLM will continue to be available as a fallback to maintain existing compatibility.”
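Because NTLM stays available as a fallback, a defender will want to know where it is still being negotiated before it is disabled. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the "Network security: Restrict NTLM" audit policies are already enabled and that the resulting audit events carry event IDs 8001 through 8004 in the Microsoft-Windows-NTLM/Operational log.

```powershell
# Added example (not from the article or Microsoft): summarize NTLM audit events
# so the workstations, servers, accounts and processes still using NTLM can be
# found before the fallback is removed. The log is only populated when the
# "Network security: Restrict NTLM: Audit ..." policies are set to audit.
# Event ID meaning (assumed from Windows NTLM audit logging):
#   8001 = outgoing NTLM from this client, 8002 = incoming NTLM to this server,
#   8003 = NTLM authentication in the domain, 8004 = NTLM seen by this DC.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
}

$records = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> pairs instead of relying on
            # fixed field positions, so the same code works for every event ID.
            $xml = [xml]$_.ToXml()
            $props = [ordered]@{ Collector = $computer; Id = $_.Id; Time = $_.TimeCreated }
            foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
            [pscustomobject]$props
        }
    } catch {
        Write-Warning "Could not read NTLM log on $computer : $($_.Exception.Message)"
    }
}

# Overview: how much NTLM each collector still sees, per event ID.
$records | Group-Object Collector, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Detail: distinct values per data field, most frequent first. This surfaces the
# source workstations, target servers, accounts and calling processes that still
# negotiate NTLM and therefore need remediation before Kerberos-only enforcement.
$fields = $records | ForEach-Object { $_.PSObject.Properties.Name } |
    Where-Object { $_ -notin 'Collector', 'Id', 'Time' } | Sort-Object -Unique
foreach ($f in $fields) {
    "`n== $f =="
    $records | Where-Object { $null -ne $_.$f } | Group-Object $f |
        Sort-Object Count -Descending | Select-Object -First 15 Count, Name |
        Format-Table -AutoSize
}
```

Run it against domain controllers first, since the 8004 events there give the broadest picture of which clients and servers still fall back to NTLM.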