Carding 4 Carders
20 years of loyalty and here's the solution: Microsoft says "bye" to NTLM.
Microsoft has announced its intention to phase out NTLM authentication in Windows 11 in favor of Kerberos, introducing new fallback mechanisms.
Security is a priority for Microsoft, given that the Windows operating system is used by more than a billion users. More than a year ago, the company announced its intention to drop Server Message Block version 1 (SMB1) in Windows 11 Home. Now plans have emerged to replace NT LAN Manager (NTLM) authentication with Kerberos.
In a detailed post, Microsoft points out that Kerberos has been the main authentication protocol in Windows for more than 20 years. However, there are scenarios it cannot handle, and those still require NTLM. To address them, the company is developing new fallback mechanisms in Windows 11, such as Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.
NTLM is still popular because of a number of advantages, such as no need for a local network connection to the Domain Controller (DC). However, given certain limitations of Kerberos, many organizations cannot simply disable the legacy protocol.
To work around the limitations of Kerberos and make it a more attractive option for developers and organizations, Microsoft is developing new features in Windows 11.
The first improvement is IAKerb, a public extension that allows authentication with a DC through a server that has access to the appropriate infrastructure. The second is a local KDC for Kerberos, which supports local accounts.
In the next steps of moving away from NTLM, Microsoft will also modify existing Windows components that are hardwired to use NTLM. Instead, they will use the Negotiate protocol.
The ultimate goal is to disable NTLM by default in Windows 11 entirely, if telemetry data allows it. For now, Microsoft recommends that organizations audit their NTLM usage and watch for further updates on this topic.
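The article ends with Microsoft's recommendation to monitor NTLM usage before it is switched off. The following PowerShell is an added example of how an administrator could do that on a single Windows host; it is not code from the article or from Microsoft. It assumes the standard MSV1_0 audit-only registry values and the Microsoft-Windows-NTLM/Operational event log are present on the machine, and it writes the collected events to a CSV path of its own choosing. Run it in an elevated session.

```powershell
# Added example (not from the article): enable audit-only NTLM logging and
# summarise which users, targets and processes still rely on NTLM.
# Assumed: the MSV1_0 audit values below and the NTLM operational log exist
# on this Windows build; the CSV path is an arbitrary choice.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Audit-only settings: nothing is blocked, events are just written.
#   AuditReceivingNTLMTraffic = 2  -> audit all inbound NTLM authentication
#   RestrictSendingNTLMTraffic = 1 -> audit all outbound NTLM to remote servers
Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# Events of interest in Microsoft-Windows-NTLM/Operational:
#   8001 outbound NTLM from this host (client side)
#   8002 inbound NTLM to this host (server side)
#   8003 / 8004 written on domain controllers when domain-level NTLM auditing is on
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No NTLM audit events since $since (auditing may have just been enabled)."
    return
}

# Count per event ID so the scale of remaining NTLM use is visible at a glance.
$events | Group-Object Id | ForEach-Object {
    '{0,6} events with Id {1}' -f $_.Count, $_.Name
}

# Expand each event's EventData items into columns without assuming field
# names in advance; the XML <Data Name="..."> attributes supply them.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $o = [ordered]@{ Time = $e.TimeCreated; Id = $e.Id }
    foreach ($item in $x.Event.EventData.Data) { $o[$item.Name] = $item.'#text' }
    [pscustomobject]$o
}

# Persist the full detail for the migration inventory, then show the most
# frequent (Id, data) combinations so the noisiest NTLM users surface first.
$csv = Join-Path $env:TEMP 'ntlm-audit.csv'   # assumed output location
$rows | Export-Csv -Path $csv -NoTypeInformation
Write-Host "Wrote $($rows.Count) rows to $csv"

$rows |
    Group-Object { ($_.PSObject.Properties | Where-Object Name -notin 'Time' | ForEach-Object Value) -join ' | ' } |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name |
    Format-Table -AutoSize
```

The script deliberately stays in audit mode: the goal is an inventory of applications and hosts that still negotiate NTLM, so that they can be moved to Kerberos (or to Negotiate, as the article describes) before any blocking policy is applied. Collecting the CSVs from many hosts into a central store is the natural next step for an organization-wide picture.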