An anonymous reader shared this report from Neowin:
The various versions of Windows have used Kerberos as their main authentication protocol for over 20 years. However, in certain circumstances, the OS has to use another method, NTLM (NT LAN Manager). Today, Microsoft announced that it is expanding the use of Kerberos, with the plan to eventually ditch the use of NTLM altogether.
In a blog post, Microsoft stated that NTLM continues to be used by some businesses and organizations for Windows authentication because it “doesn’t require local network connection to a Domain Controller.” It also is “the only protocol supported when using local accounts” and it “works when you don’t know who the target server is.” Microsoft states:
These benefits have led to some applications and services hardcoding the use of NTLM instead of trying to use other, more modern authentication protocols like Kerberos. Kerberos provides better security guarantees and is more extensible than NTLM, which is why it is now a preferred default protocol in Windows.
The problem is that while businesses can turn off NTLM for authentication, those hardwired apps and services could experience issues. That’s why Microsoft has added two new authentication features to Kerberos.
Microsoft’s blog post calls it “the evolution of Windows authentication,” arguing that “As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges…” So, “our team is building new features for Windows 11.”
- Initial and Pass Through Authentication Using Kerberos, or IAKerb, “a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight.”
- A local Key Distribution Center (KDC) for Kerberos, “built on top of the local machine’s Security Account Manager so remote authentication of local user accounts can be done using Kerberos.”
- “We are also fixing hard-coded instances of NTLM built into existing Windows components… shifting these components to use the Negotiate protocol so that Kerberos can be used instead of NTLM… NTLM will continue to be available as a fallback to maintain existing compatibility.”
- “We are also introducing improved NTLM auditing and management functionality to give your organization more insight into your NTLM usage and better control for removing it.”
“Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable.”
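The "data-driven approach" above starts with knowing who still speaks NTLM. Windows already ships the auditing needed for that, via the "Network security: Restrict NTLM" Group Policy settings and the Microsoft-Windows-NTLM/Operational event channel; the improved tooling Microsoft announced builds on top of it. The following is an added example, not code from the Neowin article or from Microsoft's post, showing how to turn that auditing on for a single host and summarise the results. It assumes an elevated PowerShell session and uses the registry values that back those policies (MSV1_0\RestrictSendingNTLMTraffic = 1 is "audit all", not block; AuditReceivingNTLMTraffic = 2 audits inbound NTLM for all accounts, local ones included). The message label strings matched by the regexes are taken from the 8001 event text and are treated as an assumption: an unmatched label yields an empty column rather than an error.

```powershell
# Added example (not from the article or Microsoft's post): inventory NTLM use on one host with
# the Restrict NTLM audit policies that already exist in Windows. Run elevated.
# Registry locations are the documented backing store for the Group Policy settings named in comments.

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
# 1 = Audit all: log outbound NTLM (Event ID 8001) without blocking it. 2 would deny it.
Set-ItemProperty -Path $Msv1 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# "Network security: Restrict NTLM: Audit incoming NTLM traffic"
# 2 = audit inbound NTLM for all accounts (Event ID 8002), which covers the local-account case
# the article mentions as NTLM-only today.
Set-ItemProperty -Path $Msv1 -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord

# On a domain controller only, "Audit NTLM authentication in this domain" (Event ID 8004) gives the
# domain-wide view; 7 = audit all. Left commented out because this script targets a member host.
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
#     -Name AuditNTLMInDomain -Value 7 -Type DWord

# The audit events are written to this operational channel; make sure it is enabled.
wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true

# After the host has run its normal workload for a while, summarise what still authenticates with NTLM.
$events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 8001, 8002, 8004 }

$events | ForEach-Object {
    # The event message carries its details as "Label: value" lines. The labels below are the ones
    # seen in 8001 (outgoing) events; for other IDs a non-matching label simply leaves the field empty.
    $m = $_.Message
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Target  = if ($m -match 'Target server:\s*(\S+)')          { $Matches[1] } else { '' }
        User    = if ($m -match 'Supplied user:\s*(\S+)')          { $Matches[1] } else { '' }
        Process = if ($m -match 'Name of client process:\s*(.+)')  { $Matches[1].Trim() } else { '' }
    }
} |
    Group-Object Id, Target, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The grouped output is the worklist for the migration: each row names a process and target server that fell back to NTLM, which is exactly the hard-coded usage the post says Microsoft is moving to Negotiate. Leave the send policy at audit (1) until that list is empty, since switching it to deny (2) breaks the same apps the article warns about, and remember that 8004 events only appear on domain controllers.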