Microsoft to Stop Developing NTLM Versions and Expand Kerberos Use

TapTechNews, June 5th: Microsoft updated its official support documentation on June 3rd, announcing that it will stop developing all NTLM versions, including LANMAN, NTLMv1 and NTLMv2, and has completely abandoned this authentication protocol.


TapTechNews reported last October that Microsoft had announced a new round of transition plans to abandon NTLM authentication and move more enterprises and users to Kerberos.

In May of this year, Microsoft's official security blog published another post stating that, in response to strong demand from the security community, it plans to deprecate NT LAN Manager (NTLM) in Windows 11 in the second half of 2024.

In the latest support documentation, Microsoft states clearly that in the next annual Windows update and the next Windows Server update, users can continue to use the NTLM protocol, but calls to NTLM will be replaced by calls to Negotiate; Negotiate prefers Kerberos for authentication and only falls back to NTLM when necessary.

Microsoft has carried out two main pieces of work to achieve this:

First, it expanded the scenarios in which Kerberos can be used. Windows 11 introduced IAKerb and Local KDC for Kerberos, enabling Kerberos authentication in diverse network topologies and for local accounts, respectively.

Second, it fixed existing Windows components that had NTLM hardcoded into them, switching them to the Negotiate protocol so that Kerberos can take NTLM's place. By migrating to Negotiate, these component services will be able to authenticate both local and domain accounts using IAKerb and Local KDC.
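Because Negotiate silently falls back to NTLM, an administrator planning for its removal wants to know which logons still end up on NTLM, and which NTLM version. The following is an added example (not from the article or from Microsoft) that tallies the "Authentication Package" and "Package Name (NTLM only)" fields of Windows Security event 4624 records; the event text is constructed and abbreviated.

```python
# Added example, not from the article or Microsoft: tally which authentication
# package each logon actually used, from Windows Security event 4624 records, so
# NTLM-dependent accounts and hosts can be found before the fallback goes away.
import re
from collections import Counter

# Constructed, abbreviated 4624 message bodies; real events carry more fields.
SAMPLE_EVENTS = """
Account Name: svc_backup
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Workstation Name: FILESRV01
---
Account Name: alice
Authentication Package: Kerberos
---
Account Name: localadmin
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Workstation Name: WS-042
"""

FIELD_RE = re.compile(r"^(?P<key>[^:\n]+):[ \t]*(?P<val>.*)$", re.M)

def parse_events(text):
    """One {field: value} dict per event; events are separated by '---'."""
    chunks = [dict((m["key"].strip(), m["val"].strip()) for m in FIELD_RE.finditer(c))
              for c in text.split("---")]
    return [c for c in chunks if c]

def summarize_auth_packages(events):
    """Count logons per package; NTLM is split by version so NTLMv1 stands out."""
    counts = Counter()
    for ev in events:
        pkg = ev.get("Authentication Package", "?")
        if pkg == "NTLM":
            pkg = ev.get("Package Name (NTLM only)", "NTLM")
        counts[pkg] += 1
    return counts

def ntlm_dependents(events):
    """(account, workstation) pairs still authenticating with any NTLM version."""
    return sorted({(ev["Account Name"], ev.get("Workstation Name", "-"))
                   for ev in events if ev.get("Authentication Package") == "NTLM"})

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(dict(summarize_auth_packages(evs)))  # {'NTLM V2': 1, 'Kerberos': 1, 'NTLM V1': 1}
    print(ntlm_dependents(evs))  # [('localadmin', 'WS-042'), ('svc_backup', 'FILESRV01')]
```

On a real host the same fields can be pulled from the Security log with Get-WinEvent and fed to the same functions; the NTLMv1 entries are the ones to migrate first.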


TapTechNews note: NTLM is a Microsoft-specific protocol that authenticates users and computers using a challenge/response model, which confirms the client's identity without sending the password or its hash over the network; it is the authentication method used by all Windows NT series products.
