
Authentication Protocols: NTLM and Kerberos

NTLM Overview

NTLM (NT LAN Manager)

NTLM (NT LAN Manager) is a legacy authentication protocol developed by Microsoft to verify users and computers in Windows environments. It’s been around since the early days of Windows networking and is still used in certain scenarios for compatibility reasons.

Key Features of NTLM

  • Challenge-Response Mechanism: Instead of sending passwords over the network, NTLM uses a challenge-response process to authenticate users.
  • Hash-Based Authentication: It relies on hashing the password and using that hash to encrypt a server-generated challenge.
  • Single Sign-On (SSO): NTLM supports basic SSO, allowing users to authenticate once and access multiple services—though not as seamlessly as newer protocols like Kerberos.

How NTLM Works

  1. Client sends a negotiation message to the server.
  2. Server replies with a challenge (a random number).
  3. Client encrypts the challenge using a hash of the user’s password and sends it back.
  4. Server forwards this to a domain controller, which performs the same encryption and compares results.
  5. If the hashes match, the user is authenticated.
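The five steps above as a runnable model, added here as an example and not taken from the page. It is deliberately not the real NTLM cipher suite (NTLM derives the NT hash with MD4 and NTLMv2 answers the challenge with HMAC-MD5); HMAC-SHA256 over a SHA-256 password hash stands in so the flow runs with the standard library only. The user names, passwords and the single-use challenge bookkeeping in `Server` are constructed for the demo.

```python
# Added example: simplified NTLM-style challenge-response (not the real NTLM
# algorithms; HMAC-SHA256 is a stand-in so this runs with the stdlib only).
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the stored password hash (assumption: SHA-256 of UTF-16LE)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


class DomainController:
    """Holds password hashes and verifies responses on behalf of servers (steps 4-5)."""

    def __init__(self, users: dict):
        self._hashes = {u: password_hash(p) for u, p in users.items()}

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        stored = self._hashes.get(user)
        if stored is None:
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class Server:
    """Issues challenges (step 2) and forwards responses to the DC (step 4)."""

    def __init__(self, dc: DomainController):
        self._dc = dc
        self._outstanding = set()  # challenges handed out and not yet consumed

    def negotiate(self) -> bytes:
        challenge = os.urandom(8)  # 8-byte random server challenge, as in NTLM
        self._outstanding.add(challenge)
        return challenge

    def authenticate(self, user: str, challenge: bytes, response: bytes) -> bool:
        # A challenge is single-use: a captured response replayed against an
        # already-consumed challenge is rejected even though it was once valid.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        return self._dc.verify(user, challenge, response)


class Client:
    """Computes the response (step 3). Note that only the hash is needed here,
    which is exactly why a stolen hash is a password equivalent (pass-the-hash)."""

    def __init__(self, user: str, password: str):
        self.user = user
        self._hash = password_hash(password)

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._hash, challenge, hashlib.sha256).digest()


def run_exchange(server: Server, client: Client) -> bool:
    """Steps 1-5 in order; the password itself never crosses the wire."""
    challenge = server.negotiate()
    response = client.respond(challenge)
    return server.authenticate(client.user, challenge, response)


def demo() -> dict:
    """Constructed accounts; returns the outcome of each scenario."""
    dc = DomainController({"alice": "correct horse"})
    server = Server(dc)
    results = {
        "valid_login": run_exchange(server, Client("alice", "correct horse")),
        "wrong_password": run_exchange(server, Client("alice", "wrong")),
        "unknown_user": run_exchange(server, Client("bob", "x")),
    }
    # Replay: reuse a captured challenge/response pair after it was consumed.
    challenge = server.negotiate()
    response = Client("alice", "correct horse").respond(challenge)
    server.authenticate("alice", challenge, response)
    results["replayed_response"] = server.authenticate("alice", challenge, response)
    return results


if __name__ == "__main__":
    print(demo())
```

The replay check is the property a defender should expect from any challenge-response design: the freshness comes from the random challenge, so a recorded response is worthless against a new one.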

Why It's Being Phased Out

NTLM is vulnerable to attacks like pass-the-hash. It lacks modern security features like multi-factor authentication and delegation. Microsoft recommends using Kerberos or other modern protocols in Active Directory environments.

Still, NTLM hangs around in workgroup setups, legacy systems, and non-domain environments. If you're managing Windows infrastructure, it's worth knowing where NTLM is still active—and how to phase it out safely.
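Finding where NTLM is still active usually starts with the Security log: logon event 4624 carries `AuthenticationPackageName` and, when NTLM was used, `LmPackageName` with the version. The inventory below is an added example (not from the page) that runs over constructed, flattened sample records in that field layout; the workstation names and addresses are made up.

```python
# Added example: inventory NTLM use from flattened 4624 records.
# SAMPLE_EVENTS is constructed test data in the shape of the event's XML fields.
import re
from collections import Counter, defaultdict

SAMPLE_EVENTS = '''
EventID="4624" TargetUserName="alice" AuthenticationPackageName="Kerberos" LmPackageName="-" WorkstationName="WS01" IpAddress="10.0.0.11"
EventID="4624" TargetUserName="svc_backup" AuthenticationPackageName="NTLM" LmPackageName="NTLM V1" WorkstationName="LEGACY-NAS" IpAddress="10.0.0.50"
EventID="4624" TargetUserName="bob" AuthenticationPackageName="NTLM" LmPackageName="NTLM V2" WorkstationName="WS02" IpAddress="10.0.0.12"
EventID="4624" TargetUserName="alice" AuthenticationPackageName="NTLM" LmPackageName="NTLM V2" WorkstationName="WS01" IpAddress="10.0.0.11"
EventID="4625" TargetUserName="bob" AuthenticationPackageName="NTLM" LmPackageName="NTLM V2" WorkstationName="WS02" IpAddress="10.0.0.12"
EventID="4624" TargetUserName="carol" AuthenticationPackageName="Kerberos" LmPackageName="-" WorkstationName="WS03" IpAddress="10.0.0.13"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_events(text: str) -> list:
    """Turn each non-empty line into a dict of field -> value."""
    return [dict(FIELD.findall(line)) for line in text.splitlines() if line.strip()]


def classify(event: dict) -> str:
    """Name the protocol that actually authenticated the logon. LmPackageName is
    populated only when NTLM was used, so it is the reliable signal for NTLM and
    its version; otherwise fall back to the authentication package name."""
    lm = event.get("LmPackageName", "-")
    if lm.startswith("NTLM"):
        return lm  # "NTLM V1" or "NTLM V2"
    return event.get("AuthenticationPackageName", "unknown")


def ntlm_inventory(text: str) -> dict:
    """Summarise successful logons (4624) per source and protocol, and single
    out the sources still on NTLMv1, which are the first to migrate or block."""
    per_source = defaultdict(Counter)
    v1_sources = set()
    for ev in parse_events(text):
        if ev.get("EventID") != "4624":
            continue  # failed logons (4625) are noise for an inventory
        proto = classify(ev)
        src = f'{ev.get("WorkstationName", "?")} ({ev.get("IpAddress", "?")})'
        per_source[src][proto] += 1
        if proto == "NTLM V1":
            v1_sources.add(src)
    ntlm_only = sorted(s for s, c in per_source.items()
                       if all(p.startswith("NTLM") for p in c))
    return {
        "per_source": {s: dict(c) for s, c in per_source.items()},
        "ntlmv1_sources": sorted(v1_sources),
        "ntlm_only_sources": ntlm_only,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(ntlm_inventory(SAMPLE_EVENTS), indent=2))
```

Sources that never appear with Kerberos are the candidates that would break under a blanket NTLM block, so they are the ones to investigate before tightening policy; sources on NTLMv1 should be fixed first regardless.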

Kerberos Overview

Kerberos

Kerberos is a secure network authentication protocol designed to allow individuals and services to prove their identity over non-secure networks—without transmitting passwords. It’s widely used in enterprise environments, especially those running Windows Active Directory, and was originally developed by MIT in the 1980s.

Core Concepts of Kerberos

  • Ticket-Based Authentication: Instead of sending credentials repeatedly, users receive encrypted “tickets” that grant access to services.
  • Mutual Authentication: Both the client and server verify each other’s identity.
  • Centralized Trust: Relies on a trusted third party called the Key Distribution Center (KDC).

How Kerberos Works

  1. User logs in and requests access to a service.
  2. The Authentication Server (AS) verifies the user and issues a Ticket Granting Ticket (TGT).
  3. The user presents the TGT to the Ticket Granting Server (TGS) to get a service-specific ticket.
  4. The user sends this ticket to the target service, which verifies it and grants access.
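The four-step flow as a runnable toy, added here as an example rather than taken from the page or any Kerberos implementation. The KDC plays both AS and TGS, tickets are sealed under the long-term key of whoever must open them, and each request carries a fresh timestamped authenticator, so the model also shows why accurate time synchronization is a requirement (see Limitations below). The `encrypt`/`decrypt` pair is a stand-in built from SHA-256 and HMAC, not a Kerberos encryption type, and the principals `alice` and `cifs/fileserver` and their keys are constructed.

```python
# Added example: toy Kerberos AS / TGS / service exchange (stdlib only).
# encrypt/decrypt are an assumed stand-in for a real Kerberos etype.
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock skew tolerated (Kerberos default is 5 minutes)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: XOR keystream plus an HMAC tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key` before trusting its contents."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ticket integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""

    def __init__(self, db: dict):
        self.db = db                   # principal -> long-term key (the Kerberos database)
        self.tgs_key = os.urandom(32)  # seals TGTs; never leaves the KDC

    def as_exchange(self, user: str, now: float):
        """Step 2: issue a TGT and a session key readable only with the user's key."""
        session = os.urandom(32)
        tgt = encrypt(self.tgs_key, {"user": user, "key": session.hex(), "exp": now + 3600})
        return tgt, encrypt(self.db[user], {"key": session.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Step 3: check the TGT and a fresh authenticator, then issue a service ticket."""
        t = decrypt(self.tgs_key, tgt)
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)
        if abs(now - auth["ts"]) > SKEW:
            raise PermissionError("clock skew too great")  # the time-sync requirement
        if t["user"] != auth["user"] or now >= t["exp"]:
            raise PermissionError("authenticator does not match a valid TGT")
        svc_session = os.urandom(32)
        ticket = encrypt(self.db[service],
                         {"user": t["user"], "key": svc_session.hex(), "exp": now + 3600})
        return ticket, encrypt(bytes.fromhex(t["key"]), {"key": svc_session.hex()})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: float) -> bool:
    """Step 4: the service verifies the ticket using only its own long-term key."""
    try:
        t = decrypt(service_key, ticket)
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return False
    return t["user"] == auth["user"] and abs(now - auth["ts"]) <= SKEW and now < t["exp"]


def demo(client_clock_offset: float = 0.0) -> bool:
    """Run the full flow for constructed principals; offset skews the client's clock."""
    db = {"alice": hashlib.sha256(b"correct horse").digest(),  # password-derived key
          "cifs/fileserver": os.urandom(32)}                   # service long-term key
    kdc = KDC(db)
    now = time.time()
    client_now = now + client_clock_offset

    tgt, reply = kdc.as_exchange("alice", now)                    # steps 1-2
    session = bytes.fromhex(decrypt(db["alice"], reply)["key"])

    authenticator = encrypt(session, {"user": "alice", "ts": client_now})
    try:                                                          # step 3
        ticket, reply = kdc.tgs_exchange(tgt, authenticator, "cifs/fileserver", now)
    except PermissionError:
        return False
    svc_session = bytes.fromhex(decrypt(session, reply)["key"])

    authenticator = encrypt(svc_session, {"user": "alice", "ts": client_now})
    return service_accepts(db["cifs/fileserver"], ticket, authenticator, now)  # step 4


if __name__ == "__main__":
    print("in sync:", demo(), "| client 10 min ahead:", demo(600))
```

Two things worth noticing: the service never talks to the KDC, which is what makes the scheme scale, and a client whose clock drifts past `SKEW` is refused at the TGS step even with a valid password, which is the operational reason time synchronization appears under Limitations.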

Key Components

Component                     Role
Authentication Server (AS)    Verifies user credentials and issues the TGT
Ticket Granting Server (TGS)  Issues service tickets based on the TGT
Kerberos Database             Stores user and service credentials securely
Client & Server               Communicate using encrypted tickets for secure access

NTLM vs. Kerberos

Feature              NTLM                 Kerberos
Authentication Type  Challenge-response   Ticket-based
Security             Weaker (hashing)     Stronger (encryption)
SSO Support          Limited              Full SSO across services
Time Sync Required   No                   Yes
Deployment Era       Pre-Windows 2000     Windows 2000 and later
Scalability          Low                  High

Limitations

  • Requires accurate time synchronization across devices.
  • Assumes secure workstations.
  • Each service must be Kerberos-aware.
  • Vulnerable if the KDC is compromised.

Despite these, Kerberos remains one of the most robust and widely adopted authentication protocols today.
