Microsoft to Deprecate NTLM in Windows 11 in 2024

TapTechNews, May 23: according to the Microsoft Security blog, in response to strong demand from the security community, Microsoft plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the second half of 2024.

According to TapTechNews' earlier report, Microsoft's press release of October 12 last year had already laid out a new transition plan: deprecate NTLM authentication, move more enterprises and users to Kerberos, and provide two additional authentication capabilities, IAKerb and a local KDC, for enterprises whose hardwired applications and services might otherwise break.

Microsoft has undertaken two main pieces of work toward this goal:

First, expanding the scenarios in which Kerberos can be used. Windows 11 introduces IAKerb and a local KDC for Kerberos, so that Kerberos authentication works across diverse network topologies and for local accounts, respectively.

Second, fixing the Windows components that have NTLM hardcoded into them. These components are being switched to the Negotiate protocol so that Kerberos is used in place of NTLM. Once migrated to Negotiate, these component services can authenticate both local and domain accounts through IAKerb and LocalKDC.
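Before such a deprecation lands, a defender wants to know which hosts and accounts still authenticate with NTLM rather than Kerberos. The following is an added example, not code from the article or from Microsoft: it parses Windows Security event 4624 records exported in Event Log XML form (the shape that Event Viewer and Get-WinEvent's ToXml() produce), classifies each logon by AuthenticationPackageName and LmPackageName, and lists the NTLM sources. The event records are constructed sample data.

```python
"""Inventory NTLM vs Kerberos logons from exported Security-log 4624 events."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Event Log XML namespace used by exported Windows events.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, logon_type, pkg, lm_pkg, ip, ws):
    # Build one constructed 4624 record in Event Log XML shape (sample data only).
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4624</EventID></System>
<EventData><Data Name="TargetUserName">{user}</Data><Data Name="LogonType">{logon_type}</Data>
<Data Name="AuthenticationPackageName">{pkg}</Data><Data Name="LmPackageName">{lm_pkg}</Data>
<Data Name="WorkstationName">{ws}</Data><Data Name="IpAddress">{ip}</Data></EventData></Event>"""

# Constructed sample export: two NTLM logons, one Kerberos, one Negotiate.
SAMPLE_XML = "<Events>" + "".join([
    _event("alice", 3, "NTLM", "NTLM V2", "10.0.0.15", "WS01"),
    _event("bob", 3, "Kerberos", "-", "10.0.0.16", "WS02"),
    _event("svc_backup", 3, "NTLM", "NTLM V1", "10.0.0.40", "FILESRV"),
    _event("alice", 2, "Negotiate", "-", "127.0.0.1", "WS01"),
]) + "</Events>"

def parse_events(xml_text):
    """Yield the EventData fields of every 4624 event as a dict."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        yield {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}

def classify(data):
    pkg = data.get("AuthenticationPackageName", "")
    # For NTLM logons, LmPackageName distinguishes NTLM V1 from NTLM V2.
    return data.get("LmPackageName", "NTLM") if pkg == "NTLM" else pkg

def ntlm_inventory(xml_text):
    """Return (logon count per package label, NTLM source -> set of accounts)."""
    totals = Counter()
    ntlm_sources = defaultdict(set)
    for data in parse_events(xml_text):
        label = classify(data)
        totals[label] += 1
        if label.startswith("NTLM"):
            src = f"{data['WorkstationName']}/{data['IpAddress']}"
            ntlm_sources[src].add(data["TargetUserName"])
    return totals, ntlm_sources

if __name__ == "__main__":
    totals, sources = ntlm_inventory(SAMPLE_XML)
    print(dict(totals))
    for src, users in sorted(sources.items()):
        print(src, sorted(users))
```

On a real export, NTLM V1 entries are the first to chase, since those callers will not move to Negotiate on their own.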

TapTechNews note: NTLM is a proprietary Microsoft protocol that authenticates users and computers through a challenge/response exchange, which confirms the client's identity without sending the password or password hash over the network; it is the authentication method used by all Windows NT family products.

Kerberos is a network authentication protocol that provides authentication for client/server applications through a key system. The process does not depend on the host operating system's own authentication, does not rely on trust based on host addresses, and does not require the physical security of every host on the network; instead it authenticates using conventional cryptographic techniques (such as shared keys).
