All about Kerberos & NTLM Authentication on Windows Systems

Aakash Raman
5 min read · Jun 22, 2024


Windows authentication is essential yet often complicated, making it a tough nut to crack for many. Microsoft’s recent move to phase out NTLM (New Technology LAN Manager) authentication in favor of Kerberos is a smart security choice. However, this shift brings added complexity, especially when dealing with multiple legacy endpoints, servers, and networks.

Hence, I wanted to shed some light on both of these protocols, to understand how they work and the potential impact of such a major decision. In the realm of Windows authentication, two significant protocols stand out: Kerberos and NTLM. Both play crucial roles in maintaining secure and efficient network operations but differ in how they operate. Let's get started.

Kerberos Authentication

[Figure: Kerberos]

Kerberos, a term that might sound a bit mythological, is indeed inspired by the three-headed dog from Greek mythology. In the tech world, Kerberos is a network authentication protocol designed to provide strong authentication for client-server applications across multiple Operating Systems by using secret-key cryptography and trusted third-party authentication.


Here’s a detailed explanation of how Kerberos Authentication works:

  • Initialization: The process begins when a client wants to access a service on the network. The client and the Key Distribution Center (KDC), the component of the Domain Controller that handles the entire authentication process, share a secret key, known as the master key.
  • Authentication Request: The client sends an authentication request to the Authentication Server (AS) component of the KDC, requesting access to a specific service.
  • Authentication: The AS verifies the client’s identity by prompting it to provide credentials, typically a username and password. If the credentials are valid, the AS generates a session key and a Ticket Granting Ticket (TGT) for the client. The TGT is encrypted using the client’s password or another secret key derived from it.
  • TGT Issuance: The AS sends the TGT back to the client. The TGT contains the client’s identity, a timestamp, and the session key encrypted with the KDC’s secret key.
  • Ticket Granting: With the TGT in hand, the client can request access to specific services without repeatedly authenticating to the AS. To do this, the client sends a request to the Ticket Granting Service (TGS) component of the KDC, along with the TGT obtained from the AS.
  • Service Ticket Issuance: The TGS verifies the TGT presented by the client and determines if the client is authorized to access the requested service. If authorized, the TGS issues a Service Ticket to the client. The Service Ticket contains the client’s identity, a timestamp, and a session key encrypted with the service’s secret key.
  • Service Access: The client presents the Service Ticket to the service it wants to access.
  • Service Ticket Validation: The service decrypts the Service Ticket using its secret key to verify its authenticity and validate the client’s identity. If the validation is successful, the service grants access to the client.
  • Session Establishment: Once access is granted, the client and the service establish a secure communication session using the session key contained in the Service Ticket. This session key is used to encrypt and decrypt data exchanged between the client and the service, ensuring confidentiality and integrity.
  • Session Termination: After the client completes its interaction with the service, the session is terminated, and the session key is discarded.

Overall, Kerberos provides secure authentication to verify identities, issue tickets, and establish secure communication sessions between clients and services. This helps prevent unauthorized access to network resources and ensures the confidentiality and integrity of data exchanged over the network.
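The exchange described above, as an added example that is not part of the original post: a stand-alone simulation of the AS, TGS and service sides with a toy encrypt-then-MAC in place of Kerberos's real encryption types, a constructed realm (CORP.LOCAL), constructed principals and passwords, and the 300-second clock-skew limit. It shows why the client can never read the TGT or the Service Ticket, why the service can validate a ticket without contacting the KDC, and how an unsynchronised clock makes authentication fail.

```python
import hashlib, hmac, json, os

def seal(key, obj):  # toy encrypt-then-MAC, stand-in for Kerberos's real AES encryption types
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # raises ValueError on the wrong key or a tampered ticket
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def string_to_key(password, realm, principal):  # long-term key from the password, salted with realm+principal
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

REALM, SKEW, LIFETIME = "CORP.LOCAL", 300, 8 * 3600  # constructed realm; 300 s is the usual allowed clock skew
KEYS = {p: string_to_key(pw, REALM, p) for p, pw in {"alice": "Winter2024!", "krbtgt": "kdc-secret", "cifs/fs01": "svc-secret"}.items()}

def as_exchange(client, preauth, now):
    # AS never sees the password: the pre-auth timestamp must open under the client's key and be fresh
    if abs(unseal(KEYS[client], preauth)["ts"] - now) > SKEW:
        raise PermissionError("pre-authentication failed")
    rep = {"sk": os.urandom(32).hex(), "exp": now + LIFETIME}
    tgt = seal(KEYS["krbtgt"], {"client": client, **rep})  # only the KDC can open the TGT
    return seal(KEYS[client], rep), tgt

def check_ticket(key, ticket, authenticator, now):
    t = unseal(key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)  # proves the presenter holds the session key
    if now > t["exp"] or a["client"] != t["client"] or abs(a["ts"] - now) > SKEW:
        raise PermissionError("ticket expired, principal mismatch, or clock skew too large")
    return t

def tgs_exchange(tgt, authenticator, service, now):
    t = check_ticket(KEYS["krbtgt"], tgt, authenticator, now)
    rep = {"sk": os.urandom(32).hex(), "exp": now + LIFETIME}
    ticket = seal(KEYS[service], {"client": t["client"], **rep})  # sealed with the service's own key
    return seal(bytes.fromhex(t["sk"]), rep), ticket

def ap_exchange(service, ticket, authenticator, now):  # the service validates offline, never calling the KDC
    return check_ticket(KEYS[service], ticket, authenticator, now)["client"]

def client_login(client, password, service, client_now, kdc_now):
    ck = string_to_key(password, REALM, client)
    enc, tgt = as_exchange(client, seal(ck, {"ts": client_now}), kdc_now)
    sk = bytes.fromhex(unseal(ck, enc)["sk"])
    enc2, ticket = tgs_exchange(tgt, seal(sk, {"client": client, "ts": client_now}), service, kdc_now)
    sk2 = bytes.fromhex(unseal(sk, enc2)["sk"])
    return ap_exchange(service, ticket, seal(sk2, {"client": client, "ts": client_now}), kdc_now)
```

Calling client_login with a client clock ten minutes ahead of the KDC fails at the AS step, which is the clock-synchronisation failure the comparison section below refers to.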

NTLM Authentication


NTLM (New Technology LAN Manager) authentication is an older authentication protocol used in Windows-based environments to authenticate users and computers. It operates by exchanging challenge-response messages between a client and a server to verify the client’s identity. Here’s how NTLM authentication works:

  • Client Authentication Request: The client sends an authentication request to the server.
  • Challenge Response: The server generates a random challenge and sends it back to the client.
  • NTLM Response: The client encrypts the challenge using its password hash and sends the encrypted response back to the server.
  • Verification: The server compares the received NTLM response with its own calculation based on the stored password hash. If the responses match, the client is authenticated, and access is granted.
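The challenge-response exchange above, as an added example that is not part of the original post: both the client's NTLMv2 response and the server's verification, following the MS-NLMP layout (NTProofStr = HMAC-MD5 over the server challenge and the client's "temp" blob, keyed with HMAC-MD5 of the NT hash over the upper-cased username and domain). The NT hash, challenges, timestamp and target-info bytes are constructed sample values; the NT hash is normally MD4 of the UTF-16LE password, which is assumed here rather than computed because MD4 is often unavailable in hashlib.

```python
import hashlib, hmac

def ntowf_v2(nt_hash, user, domain):
    # NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain in UTF-16LE
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()

def ntlmv2_response(nt_hash, user, domain, server_challenge, client_challenge, timestamp, target_info):
    # "temp" blob: version bytes, 6 zero bytes, FILETIME timestamp, client nonce, 4 zero bytes, AV_PAIRs, 4 zero bytes
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp.to_bytes(8, "little") + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp  # NtChallengeResponse = NTProofStr || temp

def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, response):
    # The server recomputes NTProofStr from the stored hash alone: the hash is a password equivalent,
    # which is why a stolen hash is enough to answer a challenge (the pass-the-hash risk)
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

# Constructed sample values, not taken from any real system
NT_HASH = bytes(range(16))                      # stands in for MD4(UTF-16LE(password))
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
TIMESTAMP = 133_000_000_000_000_000             # FILETIME-style 100 ns ticks
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16le") + b"\x00\x00\x00\x00"  # NbDomainName + EOL

def demo(nt_hash=NT_HASH):
    # Client answers the challenge; server checks it against its stored hash
    resp = ntlmv2_response(nt_hash, "alice", "CORP", SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, TARGET_INFO)
    return verify_ntlmv2(NT_HASH, "alice", "CORP", SERVER_CHALLENGE, resp)
```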

Kerberos vs NTLM: Key Differences

Having looked at how Kerberos and NTLM authentication work, let us now look at the key differences between them across various use cases. Some of those use cases are:

  • Security: Kerberos is considered more secure than NTLM because it uses mutual authentication and ticket-based authorization. Kerberos relies on a trusted third-party Key Distribution Center (KDC) to issue tickets and establish secure communication sessions. NTLM, on the other hand, uses a challenge-response mechanism that may be susceptible to certain attacks, such as pass-the-hash attacks.
  • Single Sign-On (SSO): Kerberos supports single sign-on (SSO), allowing users to authenticate once and access multiple services without needing to reauthenticate. NTLM does not inherently support SSO, requiring users to authenticate separately for each service they access.
  • Scalability: Kerberos is more scalable than NTLM, particularly in large and complex network environments. Kerberos uses tickets, which can be cached by clients and reused for accessing multiple services, reducing the need for frequent authentication requests to the KDC. NTLM, on the other hand, requires a separate authentication process for each service, leading to increased network traffic and overhead.
  • Cross-Platform Compatibility: Kerberos is a cross-platform authentication protocol supported by various operating systems and platforms, including Windows, Linux, and macOS. NTLM is primarily used in Windows-based environments and may not be as widely supported across different platforms.
  • Time Sensitivity: Kerberos relies heavily on synchronized time between the involved parties. Tickets have time-stamped expirations, which means that network clocks need to be in sync to prevent authentication failures. NTLM, on the other hand, does not depend as heavily on synchronised time.
  • Ease of Use: NTLM might be easier to implement in small, less complex networks, whereas Kerberos requires careful setup and time synchronization across the network.

In summary, while both NTLM and Kerberos are authentication protocols used in Windows environments, Kerberos offers superior security, scalability, and support for single sign-on compared to NTLM. Organizations transitioning from NTLM to Kerberos can benefit from improved security and efficiency in their authentication processes, which is what Microsoft did!

Aakash Raman

I am a passionate Cybersecurity Graduate from University of Maryland, College Park and want to break into the field of Cybersecurity.