NTLM authentication

    Question

  • Looking for an easy-to-read article on understanding the way NTLM authentication works.

    Major differences between NTLM and Kerberos authentication.

    Thank you for your help.

    Tuesday, March 14, 2017 7:11 AM

Answers

All replies

  • Hi Saumik,

    There are a few articles on TechNet, but if you are trying to evaluate the differences for implementing some applications related to authentication, I would suggest you implement them in a Test/POC environment.

    So to start with NTLM: NTLM is a challenge-response style authentication protocol. In addition to authentication, the NTLM protocol optionally provides for session security, specifically message integrity and confidentiality through signing and sealing functions in NTLM. This is specifically used for authenticating to legacy applications.

    And with Kerberos: Windows Server operating systems implement the Kerberos version 5 authentication protocol and extensions for public key authentication. The Kerberos authentication client is implemented as a security support provider (SSP) and can be accessed through the Security Support Provider Interface (SSPI). Initial user authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows Server security services running on the domain controller. The KDC uses the domain's Active Directory directory service database as its security account database. Active Directory is required for default Kerberos implementations.

    Link over here: https://technet.microsoft.com/en-us/library/hh831472(v=ws.11).aspx


    Regards, Jim MSCS - MCP. Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.

    Tuesday, March 14, 2017 10:20 AM
  • Thank you for the information.

    Any article to learn more on NTLM, an easy-to-understand one? I want to learn about NTLM authentication.

    Tuesday, March 14, 2017 10:47 AM
  • > Looking for easy to read article on understanding the way NTLM authentication works.
    • Proposed as answer by Wendy Jiang (Moderator) Tuesday, March 21, 2017 9:12 AM
    • Marked as answer by Rana.b Saturday, March 25, 2017 11:59 PM
    Tuesday, March 14, 2017 12:54 PM
  • This article on the serverfault.com Q&A site I think provides a terrific easy-to-understand reference on the differences between NTLM and Kerberos authentication and explains each protocol, and will answer your questions: Kerberos vs. NTLM. In short, Kerberos is the industry-standard single sign-on authentication protocol adopted by Microsoft and introduced in Windows 2000 Active Directory, while NTLM is Microsoft's proprietary single sign-on authentication protocol introduced with Windows NT and still around today in Active Directory for any needs of backward compatibility. NTLM is "heavy" on the domain controllers, in that any application server the user is wanting to access has to check back with the DC on each and every authentication attempt by the NTLM client, while Kerberos is "light" on the DCs in that the application server does *not* have to check back with the DC on each and every authentication attempt, since it simply checks the Kerberos ticket one time for authentication, which is then good for 10 hours. NTLM is being slowly deprecated, while Kerberos is alive and well and will always continue to be due to its design nature.

    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, March 14, 2017 12:54 PM
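To make the "heavy on the DC" versus "light on the DC" contrast concrete, here is an added toy simulation (not code from the thread, from Microsoft, or from any real implementation) of the two flows described above. It is deliberately not the real NTLM or Kerberos message format: the user secret is a SHA-256 stand-in for the NT hash, challenge responses and ticket seals are HMAC-SHA256 instead of the real constructions, and the names `DomainController`, `AppServer`, `Client` and `simulate` are all invented for illustration. What it does show faithfully is the structural point of the post: an NTLM-style server cannot verify a response itself and must call the DC for every login, while a Kerberos-style server checks a ticket locally with its own service key until the ticket's 10-hour lifetime expires.

```python
import hashlib
import hmac
import json
import os

# Constructed toy directory: only the DC/KDC holds user secrets; each service holds its own key.
USERS = {"alice": "correct horse battery"}           # constructed sample account
SERVICE_KEYS = {"http/app01": os.urandom(32)}        # constructed service (long-term) key
TICKET_LIFETIME = 10 * 3600                          # the "good for 10 hours" from the post

def user_secret(password: str) -> bytes:
    # Stand-in for the NT hash. Real NTLM uses MD4 of the UTF-16LE password; this toy uses SHA-256.
    return hashlib.sha256(b"toy-secret:" + password.encode("utf-8")).digest()

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class DomainController:
    def __init__(self):
        self.secrets = {u: user_secret(p) for u, p in USERS.items()}
        self.ntlm_validations = 0   # how many times app servers had to call back to the DC
        self.tickets_issued = 0

    def validate_ntlm(self, user, challenge, response):
        # NTLM pass-through: the app server forwards challenge + response; only the DC can check it.
        self.ntlm_validations += 1
        secret = self.secrets.get(user)
        if secret is None or not hmac.compare_digest(mac(secret, challenge), response):
            return None
        return mac(secret, b"session:" + challenge)   # session key used for signing/sealing

    def issue_ticket(self, user, proof, service, now):
        # Kerberos-style KDC: client proves the secret once, gets a ticket sealed under the service key.
        secret = self.secrets.get(user)
        if secret is None or not hmac.compare_digest(mac(secret, b"asreq:" + str(now).encode()), proof):
            return None
        self.tickets_issued += 1
        session_key = os.urandom(32)
        body = json.dumps({"user": user, "expires": now + TICKET_LIFETIME, "key": session_key.hex()}).encode()
        return body + mac(SERVICE_KEYS[service], body), session_key   # toy "sealed" ticket = body || MAC

class Client:
    def __init__(self, user, password):
        self.user = user
        self.secret = user_secret(password)

    def ntlm_respond(self, challenge):
        return self.user, mac(self.secret, challenge)                   # Type 3-style response

    def get_ticket(self, dc, service, now):
        return dc.issue_ticket(self.user, mac(self.secret, b"asreq:" + str(now).encode()), service, now)

    def authenticator(self, session_key, now):
        return mac(session_key, b"authenticator:" + str(now).encode())  # proves possession of the session key

class AppServer:
    def __init__(self, name, dc):
        self.dc = dc
        self.service_key = SERVICE_KEYS[name]

    def ntlm_login(self, client):
        challenge = os.urandom(8)                                      # Type 2-style server challenge
        user, response = client.ntlm_respond(challenge)
        return self.dc.validate_ntlm(user, challenge, response)        # DC round trip on every login

    def kerberos_login(self, ticket, authenticator, now):
        body, tag = ticket[:-32], ticket[-32:]
        if not hmac.compare_digest(mac(self.service_key, body), tag):
            return None                                                # forged or corrupted ticket
        fields = json.loads(body)
        if now > fields["expires"]:
            return None                                                # expired: client must revisit the KDC
        session_key = bytes.fromhex(fields["key"])
        if not hmac.compare_digest(mac(session_key, b"authenticator:" + str(now).encode()), authenticator):
            return None                                                # ticket presented without the session key
        return session_key                                             # verified with no DC contact

def simulate(n_logins=5, now=1_000_000):
    dc = DomainController()
    server = AppServer("http/app01", dc)
    alice = Client("alice", "correct horse battery")
    impostor = Client("alice", "wrong password")                       # constructed bad-credential case

    ntlm_ok = sum(server.ntlm_login(alice) is not None for _ in range(n_logins))
    ntlm_bad = server.ntlm_login(impostor)
    dc_calls_ntlm = dc.ntlm_validations                                # n_logins + 1, one per attempt

    ticket, key = alice.get_ticket(dc, "http/app01", now)
    krb_ok = sum(server.kerberos_login(ticket, alice.authenticator(key, now + i), now + i) is not None
                 for i in range(n_logins))
    late = now + TICKET_LIFETIME + 1
    expired = server.kerberos_login(ticket, alice.authenticator(key, late), late)
    return {"ntlm_ok": ntlm_ok, "ntlm_bad_rejected": ntlm_bad is None, "dc_calls_ntlm": dc_calls_ntlm,
            "krb_ok": krb_ok, "dc_tickets": dc.tickets_issued, "krb_expired_rejected": expired is None,
            "krb_bad_creds_rejected": impostor.get_ticket(dc, "http/app01", now) is None}

if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows five NTLM logins costing the DC six validations (one per attempt, including the rejected one), while five Kerberos logins cost the KDC a single ticket issuance and are then verified on the application server alone until the ticket expires. The session key returned by `validate_ntlm` is where NTLM's optional signing and sealing, mentioned earlier in the thread, would take over.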
  • Here's info on how it works and how it doesn't: https://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broken.html

    A key difference is that Kerberos requires that clients have direct access to a DC (KDC) on port 88, and the client has to ask for security tokens from the DC that it hands off to an app server. With NTLM, the app server proxies the authentication to a DC for the client.


    Tuesday, March 14, 2017 2:13 PM
  • Hi,
    You could compare the difference between NTLM and Kerberos authentication to better understand NTLM authentication:
    http://windowsitpro.com/security/comparing-windows-kerberos-and-ntlm-authentication-protocols
    http://www.technologyfolio.com/ntlm-kerberos-main-differences-ntlm-windows-kerberos-authentication-protocol/
    Please Note: Since the web sites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by Wendy Jiang (Moderator) Tuesday, March 21, 2017 9:12 AM
    • Marked as answer by Rana.b Saturday, March 25, 2017 11:59 PM
    Wednesday, March 15, 2017 6:15 AM
    Moderator
  • Hi,

    In some cases, such as a SharePoint website integrated with AD, when you enter your AD credentials it will use NTLM authentication, where the SharePoint server tries to send the authentication to AD. If it is valid, then AD will respond to the SharePoint server.

    Correct me if I am wrong.

    I also suggest, if you want to know more, that you observe the authentication using Network Monitor.


    Aliyani Sabrey http://netoverme.wordpress.com

    Wednesday, March 15, 2017 6:44 AM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, March 21, 2017 9:13 AM
    Moderator