Windows New Technology LAN Manager (NTLM) and Kerberos are two authentication protocols offered by Microsoft to verify users' identities and to protect the integrity and confidentiality of their activity.
Although NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol since Windows 2000 and in all subsequent Active Directory (AD) domains.
How Does the NTLM Protocol Work
NTLM authenticates users through a challenge-response mechanism.
This process consists of three messages:
- Negotiation message from the client
- Challenge message from the server
- Authentication message from the client
NTLM Authentication Process:
- The user shares their credentials (username, password and domain name) with the client
- The client computes a one-way hash of the password and discards the plaintext password
- The client sends the username in plaintext to the server it wants to access
- The server replies to the client with a challenge, which is a 16-byte random number
- In response, the client sends back the challenge encrypted with the hash of the user's password
- The server then forwards the challenge, the client's response and the username to the domain controller (DC)
- The DC retrieves the user's password from its database and uses it to encrypt the challenge
- The DC then compares its own encrypted challenge with the client's response. If the two match, the user is authenticated and access is granted.
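The exchange just described, as an added example that is not part of the original article: a Python model of the NTLM challenge-response with a client, a resource server and a domain controller. The NT hash and the challenge "encryption" are substituted here with SHA-256 and HMAC-SHA256 (real NTLM uses an MD4 hash of the password and DES or HMAC-MD5 for the response); the account name and password are constructed.

```python
"""Toy model of the NTLM challenge-response flow described above.

Constructed example: the NT hash is modelled with SHA-256 over the UTF-16LE
password and the challenge 'encryption' with HMAC-SHA256 (real NTLM uses an
MD4 NT hash and DES or HMAC-MD5 for the response). The message sequence,
not the primitives, is what this demonstrates.
"""
from __future__ import annotations

import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # the text above describes a 16-byte random server challenge


def password_hash(password: str) -> bytes:
    """Client: derive the one-way hash; the plaintext password is not needed afterwards."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    """Client: 'encrypt' the server challenge under the password hash (a keyed MAC here)."""
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()


class DomainController:
    """Holds the account database; it stores hashes, so the hash alone suffices to verify."""

    def __init__(self, accounts: dict[str, str]) -> None:
        # constructed account store: username -> password hash
        self._hashes = {user: password_hash(pw) for user, pw in accounts.items()}

    def verify(self, username: str, challenge: bytes, response: bytes) -> bool:
        stored = self._hashes.get(username)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        # constant-time comparison of the DC's own encrypted challenge with the client's response
        return hmac.compare_digest(expected, response)


class Server:
    """The resource server: issues the challenge and forwards the result to the DC."""

    def __init__(self, dc: DomainController) -> None:
        self.dc = dc

    def challenge(self) -> bytes:
        # fresh randomness per attempt: a response recorded from one exchange fails against the next
        return os.urandom(CHALLENGE_LEN)

    def authenticate(self, username: str, challenge: bytes, response: bytes) -> bool:
        return self.dc.verify(username, challenge, response)


def ntlm_login(server: Server, username: str, password: str) -> bool:
    """Runs the three-message exchange from the client's side."""
    pw_hash = password_hash(password)                # hash the password ...
    del password                                     # ... and drop the plaintext
    challenge = server.challenge()                   # negotiate (username in clear), receive challenge
    response = compute_response(pw_hash, challenge)  # authenticate message
    return server.authenticate(username, challenge, response)


if __name__ == "__main__":
    dc = DomainController({"alice": "correct horse battery"})  # constructed account
    srv = Server(dc)
    print("alice, right password:", ntlm_login(srv, "alice", "correct horse battery"))
    print("alice, wrong password:", ntlm_login(srv, "alice", "staple"))
```

Two properties of the flow stand out when it is written down this way: the domain controller never handles the plaintext password, only the stored hash, so the hash store is exactly as sensitive as the passwords it replaces; and because the server draws a new random challenge for every attempt, a response that was valid for one challenge is rejected against another.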
How Does the Kerberos Protocol Work
Kerberos is a ticket-based authentication system that verifies a user's identity when they log in to the system. It is built on symmetric-key cryptography, relies on a trusted third party, and uses shared secret keys during each phase of authentication.
The three security components in the Kerberos protocol:
- A client seeking authentication
- A server the client wants to access
- The ticketing service or key distribution center (KDC)
Kerberos Authentication Process:
- The user shares their credentials (username, password, and domain name) with the client
- The client assembles a package, called an authenticator, which contains all relevant information about the client, including the username, date and time. Everything in the authenticator except the username is encrypted with the user's password
- The client sends the encrypted authenticator to the KDC (Key Distribution Center)
- The KDC checks the username to establish the identity of the client. The KDC then looks up the user's password in the AD database and attempts to decrypt the authenticator with it. If the KDC is able to decrypt the authenticator, the identity of the client is verified
- Once the identity of the client is verified, the KDC creates a ticket or session key, which is also encrypted and sent to the client
- The ticket or session key is stored in the client’s Kerberos tray; the ticket can be used to access the server for a set time period, which is typically 8 hours
- If the client needs to access another server, it sends the original ticket to the KDC along with a request to access the new resource
- The KDC decrypts the ticket with its key. (The client does not need to authenticate the user because the KDC can use the ticket to verify that the user’s identity has been confirmed previously)
- The KDC generates an updated ticket or session key for the client to access the new shared resource. This ticket is also encrypted by the server’s key. The KDC then sends this ticket to the client
- Client saves this new session key in its Kerberos tray, and sends a copy to the server
- The server uses its own password to decrypt the ticket
- If the server successfully decrypts the session key, then the ticket is legitimate. The server will then open the ticket and review the access control list (ACL) to determine if the client has the necessary permission to access the resource.
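The ticket flow above, as an added example that is not part of the original article: a Python model with a client, a KDC and a resource server, where the KDC verifies the authenticator with the user's key, issues a ticket under its own key, and later converts it into a ticket sealed under the target server's key, which only that server can decrypt. The "encryption" is a stdlib encrypt-then-MAC stand-in for the AES-based Kerberos encryption types; the principal names, passwords, the 5-minute authenticator skew tolerance and the ACL are constructed for the example.

```python
"""Toy model of the Kerberos ticket flow described above.

Constructed example: symmetric encryption is modelled with a stdlib
encrypt-then-MAC scheme (HMAC-SHA256 keystream XOR, HMAC-SHA256 tag).
Real Kerberos uses AES with HMAC integrity (RFC 3962 / RFC 8009); the
movement of keys and tickets, not the cipher, is what this demonstrates.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 8 * 3600  # the text gives a typical ticket lifetime of 8 hours
CLOCK_SKEW = 300            # assumed tolerance for authenticator timestamps (seconds)


def derive_key(secret: str) -> bytes:
    """Long-term key of a principal (user, server or KDC), derived from its password."""
    return hashlib.sha256(secret.encode("utf-16-le")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a small JSON record under a symmetric key."""
    plaintext = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict | None:
    """Return the record, or None if the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: knows every principal's key plus its own ticket key."""

    def __init__(self, principals: dict[str, str], kdc_secret: str, clock=time.time) -> None:
        self.keys = {name: derive_key(s) for name, s in principals.items()}
        self.kdc_key = derive_key(kdc_secret)
        self.clock = clock

    def authenticate(self, username: str, authenticator: bytes) -> bytes | None:
        """Decrypt the authenticator with the user's key; on success issue the first ticket."""
        key = self.keys.get(username)
        auth = unseal(key, authenticator) if key else None
        if auth is None or abs(self.clock() - auth.get("timestamp", 0)) > CLOCK_SKEW:
            return None  # wrong password, tampering, or a stale (replayed) authenticator
        return seal(self.kdc_key, {"user": username, "expires": self.clock() + TICKET_LIFETIME})

    def service_ticket(self, ticket: bytes, service: str) -> bytes | None:
        """Decrypt the original ticket with the KDC key; issue one under the service's key."""
        tgt = unseal(self.kdc_key, ticket)
        if tgt is None or tgt.get("expires", 0) < self.clock() or service not in self.keys:
            return None
        return seal(self.keys[service], {"user": tgt["user"], "expires": tgt["expires"]})


class Server:
    """A resource server: decrypts tickets with its own key, then consults its ACL."""

    def __init__(self, secret: str, acl: set[str], clock=time.time) -> None:
        self.key, self.acl, self.clock = derive_key(secret), acl, clock

    def verify_ticket(self, ticket: bytes) -> str | None:
        t = unseal(self.key, ticket)
        if t is None or t.get("expires", 0) < self.clock():
            return None
        return t["user"]

    def access(self, ticket: bytes) -> bool:
        user = self.verify_ticket(ticket)
        return user is not None and user in self.acl


def kerberos_login(kdc: KDC, username: str, password: str, now: float | None = None) -> bytes | None:
    """Client side: username travels in the clear, the timestamp inside the encrypted authenticator."""
    stamp = time.time() if now is None else now
    return kdc.authenticate(username, seal(derive_key(password), {"timestamp": stamp}))


if __name__ == "__main__":
    kdc = KDC({"alice": "alice-pw", "fileserver": "svc-secret"}, kdc_secret="krbtgt-secret")
    fs = Server("svc-secret", acl={"alice"})
    tgt = kerberos_login(kdc, "alice", "alice-pw")
    print("file server grants access:", fs.access(kdc.service_ticket(tgt, "fileserver")))
```

Note how the server is never asked to talk to the KDC: a ticket it can decrypt with its own key, that has not expired and whose integrity tag checks out, is proof that the KDC vouched for the named user, and authorization is a separate step against the server's own ACL.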
The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.
Reference: NTLM EXPLAINED
Happy Coding!!