Kerberos NTLM authentication

20 November 2023 | IT-Glossary-EN

The basic prerequisite for secure data transmission in a network is that sender and recipient can prove their identity to each other. Otherwise information could end up in the wrong hands. In Windows networks (LAN and WAN alike), two protocols are primarily used for this authentication: NTLM and Kerberos.

NTLM: a proven authentication method

The abbreviation NTLM stands for NT LAN Manager and refers to the Windows NT operating system. This already reveals two characteristics of NTLM: firstly, it was developed by Microsoft; secondly, the protocol is getting on in years, since the first NT version was released back in 1993. NTLM is a challenge-response protocol: the server sends a random challenge, and the client answers with a value computed from that challenge and a hash of the user's password, so the password itself never crosses the wire. Two generations exist, NTLMv1 and the stronger NTLMv2; NTLMv1 (and the even older LAN Manager response) should no longer be permitted in a current network. Initially NTLM was a proprietary Microsoft system, but programs from other manufacturers also added support for it, for example the Mozilla Firefox and Opera browsers and the Apache web server. Since Microsoft published the specification (MS-NLMP) in 2007, any vendor can implement it.

High security with Kerberos authentication

Kerberos serves the same purpose as NTLM. The first version was developed in the 1980s by computer scientists at the Massachusetts Institute of Technology as part of Project Athena. Over the years it became clear that the Kerberos design provides higher security, and the protocol was developed further; the current version, Kerberos 5 (standardized in RFC 4120), meets the requirements of a modern network. These advantages led Microsoft to adopt it as well: since Windows 2000, Active Directory has used Kerberos as its preferred authentication method, with every domain controller acting as a Kerberos Key Distribution Center (KDC).

Comparison of NTLM and Kerberos – which is better?

NTLM authenticates a user with a hash value derived from the password (the NT hash, an MD4 digest of the password). Although this looks like an opaque code, it is effectively a second password: anyone who knows the hash can compute valid NTLM responses without ever learning the password itself. An attacker who has penetrated the network can therefore extract hashes from a compromised machine and use them directly (pass-the-hash), capture challenge-response exchanges and crack them offline, or relay an authentication to another server while it is in progress (NTLM relay). Kerberos, on the other hand, works with a trusted third party, the Kerberos server or Key Distribution Center (KDC). The KDC authenticates the client and issues temporary tickets, encrypted for the target service, with which client and service authenticate each other. As the tickets are only valid for a limited period (in Active Directory by default ten hours) and are bound to a specific service, this method significantly increases security.

Kerberos or NTLM – in which cases is which protocol used?

Kerberos is the standard authentication method for Active Directory and many other systems. If both server and client support Kerberos, it is used. NTLM is only used as a fallback when one of the parties does not support Kerberos or when Kerberos cannot be used in the situation at hand: for example, when the client addresses the service by IP address instead of a host name (so no service principal name can be looked up), when no domain controller is reachable, or when a local (non-domain) account is used. Windows records the protocol actually used in every logon event (Security event 4624, field "Authentication Package"), which is the easiest way to find out where NTLM is still in use.
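The following Python snippet is an added example, not code from the original article, of the check just described: it classifies logon records shaped like Security event 4624, using the EventData field names Windows writes (AuthenticationPackageName, LmPackageName, LogonType, TargetDomainName, Computer), and lists the network logons that fell back to NTLM. The events are constructed samples, and the "why" hint is a heuristic assumed here, since a 4624 event does not record the reason for the fallback.

```python
"""Find NTLM fallback in Windows logon events (added example, not from the page).

Operates on records shaped like Security event 4624 (successful logon); the
records below are constructed and use the EventData field names of the event.
"""
from collections import Counter

# Constructed sample events. LmPackageName ("Package Name (NTLM only)" in the
# event text) is "-" for Kerberos and "LM" / "NTLM V1" / "NTLM V2" for NTLM.
# Computer is the host that logged the event, i.e. the target of the logon.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "10.0.5.21", "Computer": "FILESRV"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "10.0.5.21", "Computer": "FILESRV"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "TargetUserName": "scanner", "TargetDomainName": "CORP", "IpAddress": "10.0.9.8", "Computer": "NAS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "backup", "TargetDomainName": "FILESRV", "IpAddress": "10.0.7.3", "Computer": "FILESRV"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate", "LmPackageName": "-",
     "TargetUserName": "bob", "TargetDomainName": "CORP", "IpAddress": "-", "Computer": "WS02"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "-",
     "TargetUserName": "admin", "TargetDomainName": "CORP", "IpAddress": "10.0.9.9", "Computer": "FILESRV"},
]


def used_ntlm(event: dict) -> bool:
    """True when the logon was completed with NTLM (directly or via Negotiate)."""
    return (event["AuthenticationPackageName"].upper() == "NTLM"
            or event["LmPackageName"].upper() in ("LM", "NTLM V1", "NTLM V2"))


def package_summary(events) -> Counter:
    """Count successful logons by the protocol actually used."""
    return Counter("NTLM" if used_ntlm(e) else e["AuthenticationPackageName"]
                   for e in events if e["EventID"] == 4624)


def ntlm_network_logons(events, domain: str) -> list:
    """Successful network logons (type 3) that fell back to NTLM, with a heuristic hint why."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3 or not used_ntlm(e):
            continue
        if e["TargetDomainName"].upper() != domain.upper():
            why = "local account on the target: Kerberos not possible"
        else:
            why = "domain account: client likely used an IP address or a non-Kerberos client, or no DC was reachable"
        hits.append({
            "account": f'{e["TargetDomainName"]}\\{e["TargetUserName"]}',
            "source": e["IpAddress"],
            "target": e["Computer"],
            "version": e["LmPackageName"],
            "severity": "high" if e["LmPackageName"].upper() in ("LM", "NTLM V1") else "medium",
            "why": why,
        })
    return hits


if __name__ == "__main__":
    print(package_summary(EVENTS))
    for hit in ntlm_network_logons(EVENTS, "CORP"):
        print(hit)
```

NTLMv1 and LM responses are flagged as high severity because they can be cracked offline far more cheaply than NTLMv2. On domain controllers, the "Network security: Restrict NTLM" audit policies additionally record every NTLM authentication (events 8001 to 8004 in the Microsoft-Windows-NTLM/Operational log), which gives a domain-wide view without collecting 4624 events from every server.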

NMS supports you in designing secure networks

New Media Service GmbH (NMS) supports you in the secure design of your networks. If you have any questions on this topic, we will be happy to advise you. We also take care of implementing the authentication process. As an official Microsoft partner, our employees have extensive experience in dealing with Active Directory and ensure perfect interaction between NTLM and Kerberos during the login process.

If you would like to find out more, you can simply contact us for a free, no-obligation consultation. We will be happy to provide you with information on this topic and, if required, take care of the implementation and realization for you.