In an effort to enhance security and reliability, Microsoft has announced the adoption of two new authentication methods for Windows 11. These methods will reduce the current dependence on NTLM (NT LAN Manager) technologies while stepping up the reliance on the more reliable and flexible Kerberos technologies. Specifically, the two new methods are called Initial and Pass-Through Authentication Using Kerberos (IAKerb) and local Key Distribution Center (KDC).
The Kerberos protocol lets users and services prove their identities to each other over an untrusted network such as the internet without sending their passwords or other secrets. It relies on a trusted third party, the Key Distribution Center (KDC), which issues tickets containing encrypted information about the parties' identities and permissions. A ticket is valid only for a limited time and can be decrypted only by the party it is intended for.
The protocol also uses timestamps and session keys to defeat replay attacks and eavesdropping. Kerberos is built on symmetric-key cryptography: both parties share the same secret key to encrypt and decrypt messages. It can also use public-key cryptography, where each party holds a key pair, one public and one private; public keys can be shared with anyone, while private keys are kept secret. Public-key cryptography can then be used to exchange session keys securely or to authenticate users without passwords.
Understanding the New Authentication Methods
The IAKerb authentication method enables clients in diverse network topologies to authenticate with Kerberos. It is a public extension to the Kerberos protocol that allows a client without line of sight to a Domain Controller to authenticate through a server that does have line of sight. It works as an extension of Negotiate authentication and lets the Windows authentication stack proxy Kerberos messages through the server on the client's behalf. Because it relies on the cryptographic guarantees of Kerberos to protect the messages in transit, the proxying path does not open the exchange to replay or relay attacks.
The local KDC method, in turn, adds Kerberos support for local accounts. It is built on the local machine's Security Account Manager (SAM), so local user accounts can be authenticated remotely with Kerberos. It uses IAKerb to relay Kerberos messages between remote machines without requiring enterprise services such as DNS, Netlogon, or DCLocator.
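To make the two preceding sections concrete, here is an added model (not code from Microsoft or from this article) of the Kerberos exchange described above: a KDC holding long-term keys, a client that pre-authenticates with a timestamp, a service that checks the ticket, the authenticator's timestamp and a replay cache, and a relay function that plays the IAKerb application server forwarding the opaque messages on the client's behalf. The principal names, the 300-second skew and the 8-hour ticket lifetime are assumptions, and the HMAC-SHA256-based cipher is a toy stand-in for the real Kerberos encryption types (RFC 3962 AES profiles); the structure of the checks is what the example is about.

```python
import hashlib
import hmac
import json
import secrets

SKEW = 300  # seconds of clock skew tolerated (assumed value, a common Kerberos default)

# Toy authenticated encryption standing in for the real Kerberos encryption types:
# HMAC-SHA256 counter keystream for confidentiality, HMAC-SHA256 tag for integrity.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable object; returns nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError with the wrong key or after tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def as_req(cname, kc, sname, now):
    """Client: AS-REQ with pre-authentication (a timestamp encrypted under the client key)."""
    nonce = secrets.token_hex(8)
    return nonce, {"cname": cname, "sname": sname, "nonce": nonce, "padata": seal(kc, {"ts": now}).hex()}

def kdc_as_rep(keys, req, now):
    """KDC: check pre-auth, mint a session key, return ticket (service key) + enc-part (client key)."""
    kc, ks = keys[req["cname"]], keys[req["sname"]]
    if abs(unseal(kc, bytes.fromhex(req["padata"]))["ts"] - now) > SKEW:
        raise PermissionError("pre-auth timestamp outside skew")
    sk, exp = secrets.token_hex(32), now + 8 * 3600  # assumed 8-hour ticket lifetime
    return {"ticket": seal(ks, {"cname": req["cname"], "sk": sk, "exp": exp}).hex(),
            "enc_part": seal(kc, {"sk": sk, "nonce": req["nonce"], "sname": req["sname"], "exp": exp}).hex()}

def client_read_rep(kc, rep, nonce, sname):
    """Client: recover the session key and make sure the reply answers this request."""
    enc = unseal(kc, bytes.fromhex(rep["enc_part"]))
    if enc["nonce"] != nonce or enc["sname"] != sname:
        raise PermissionError("AS-REP does not answer this request")
    return rep["ticket"], bytes.fromhex(enc["sk"])

def ap_req(cname, ticket_hex, sk, now):
    """Client: AP-REQ = ticket + authenticator (timestamp under the session key)."""
    return {"ticket": ticket_hex,
            "authenticator": seal(sk, {"cname": cname, "ts": now, "nonce": secrets.token_hex(8)}).hex()}

def service_accept(ks, seen, ap, now):
    """Service: decrypt the ticket, verify the authenticator, enforce skew and the replay cache."""
    ticket = unseal(ks, bytes.fromhex(ap["ticket"]))
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["sk"]), bytes.fromhex(ap["authenticator"]))
    if auth["cname"] != ticket["cname"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(auth["ts"] - now) > SKEW:
        raise PermissionError("authenticator outside skew")
    marker = (auth["cname"], auth["ts"], auth["nonce"])
    if marker in seen:
        raise PermissionError("replayed authenticator")
    seen.add(marker)
    return auth["cname"]

def attempt(fn):
    """Run one exchange and report 'accepted' or the reason it was rejected."""
    try:
        fn()
        return "accepted"
    except (PermissionError, ValueError) as e:
        return str(e)

def demo(now=1_700_000_000):
    """Full run with assumed principals 'alice' and 'host/fileserver'; returns the outcomes."""
    keys = {"alice": secrets.token_bytes(32), "host/fileserver": secrets.token_bytes(32)}
    log, seen = [], set()
    def relay(req):  # IAKerb role: the application server forwards the opaque AS-REQ/AS-REP
        log.append(("forwarded AS-REQ from", req["cname"]))
        return kdc_as_rep(keys, req, now)
    nonce, req = as_req("alice", keys["alice"], "host/fileserver", now)
    ticket, sk = client_read_rep(keys["alice"], relay(req), nonce, "host/fileserver")
    ap = ap_req("alice", ticket, sk, now)
    svc = lambda msg, t: service_accept(keys["host/fileserver"], seen, msg, t)
    r = {"auth": svc(ap, now), "relay_log": log}
    r["replay"] = attempt(lambda: svc(ap, now))  # the same AP-REQ presented a second time
    r["stale"] = attempt(lambda: svc(ap_req("alice", ticket, sk, now - SKEW - 1), now))
    r["relay_read"] = attempt(lambda: unseal(secrets.token_bytes(32), bytes.fromhex(ticket)))
    r["tamper"] = attempt(lambda: svc(dict(ap, ticket=ticket[:-2] + ("00" if ticket[-2:] != "00" else "11")), now))
    return r
```

Calling `demo()` gives one accepted logon for `alice`, a rejected replay of the same authenticator, a rejected stale authenticator, and two integrity failures: one when the relaying server tries to read the ticket without a key, one when a single byte of the ticket is altered in transit. That is the property the article leans on when it says IAKerb proxying does not weaken Kerberos: the intermediary only ever handles sealed messages.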
The Future of NTLM and Emerging Protocols
In the interim, Microsoft is improving the auditing and management capabilities of NTLM, but the ultimate goal is to phase it out completely: the intention is to reduce NTLM use and eventually disable it in Windows 11, raising the security baseline of authentication for all Windows users. Microsoft is also moving hard-coded uses of NTLM inside existing Windows components over to the Negotiate protocol, so that Kerberos can be used in place of NTLM.
Moving to Negotiate allows these services to use IAKerb and the local KDC for both local and domain accounts. Overall, Microsoft intends to take a data-informed approach, tracking the reduction in NTLM usage to determine the right time to disable it.
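The "data-informed" part of that plan is something an administrator can start on today: before NTLM is disabled on a host, it helps to know which accounts still authenticate with it there. The script below is an added example, not Microsoft tooling, and it runs over constructed lines modelled on the fields of Windows Security event 4624 (Authentication Package, Package Name (NTLM only), Workstation Name, Account Name), not on a real log export. The edge case it handles is the one that trips people up: an interactive logon shows `Negotiate` as the package, and NTLM use is only visible through the NTLM-only package-name field, which is exactly the local-account case the local KDC is meant to move to Kerberos.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, one successful or failed logon per line, using the field names of
# Security event 4624 with spaces removed. Not a real export; 4625 (failed logon) is skipped.
SAMPLE_EVENTS = """
EventID=4624 AccountName=alice WorkstationName=WS01 AuthenticationPackage=Kerberos PackageNameNTLMOnly=- LogonType=3
EventID=4624 AccountName=svc_backup WorkstationName=FS02 AuthenticationPackage=NTLM PackageNameNTLMOnly=NTLM V2 LogonType=3
EventID=4624 AccountName=bob WorkstationName=WS07 AuthenticationPackage=NTLM PackageNameNTLMOnly=NTLM V1 LogonType=3
EventID=4624 AccountName=bob WorkstationName=WS07 AuthenticationPackage=Kerberos PackageNameNTLMOnly=- LogonType=3
EventID=4625 AccountName=eve WorkstationName=WS09 AuthenticationPackage=NTLM PackageNameNTLMOnly=NTLM V2 LogonType=3
EventID=4624 AccountName=svc_backup WorkstationName=FS02 AuthenticationPackage=NTLM PackageNameNTLMOnly=NTLM V2 LogonType=3
EventID=4624 AccountName=localadmin WorkstationName=WS01 AuthenticationPackage=Negotiate PackageNameNTLMOnly=NTLM V2 LogonType=2
EventID=4624 AccountName=alice WorkstationName=WS01 AuthenticationPackage=Negotiate PackageNameNTLMOnly=- LogonType=2
EventID=4624 AccountName=carol WorkstationName=WS03 AuthenticationPackage=Kerberos PackageNameNTLMOnly=- LogonType=3
"""

def parse(line):
    """Split key=value pairs; values may contain spaces (e.g. 'NTLM V2')."""
    return dict(re.findall(r"(\w+)=(.+?)(?=\s+\w+=|$)", line.strip()))

def uses_ntlm(ev):
    """NTLM is either the package itself, or what Negotiate settled on; in the latter case
    the NTLM-only package-name field is filled in instead of '-'."""
    pkg = ev.get("AuthenticationPackage", "")
    return pkg == "NTLM" or (pkg == "Negotiate" and ev.get("PackageNameNTLMOnly", "-") != "-")

def summarize(text):
    """Per-workstation counts of Kerberos vs NTLM logons, plus the accounts still using NTLM."""
    per_host, ntlm_accounts = defaultdict(Counter), defaultdict(set)
    for line in text.splitlines():
        ev = parse(line)
        if ev.get("EventID") != "4624":  # successful logons only; blank lines fall out here too
            continue
        host = ev["WorkstationName"]
        if uses_ntlm(ev):
            per_host[host]["ntlm"] += 1
            ntlm_accounts[host].add(ev["AccountName"])
            if ev.get("PackageNameNTLMOnly") == "NTLM V1":  # worth its own count: weakest variant
                per_host[host]["ntlm_v1"] += 1
        else:
            per_host[host]["kerberos"] += 1
    return {h: dict(c) for h, c in per_host.items()}, {h: sorted(a) for h, a in ntlm_accounts.items()}

def ntlm_share(per_host):
    """Fraction of successful logons per host that still went over NTLM."""
    return {h: round(c.get("ntlm", 0) / sum(c.get(k, 0) for k in ("ntlm", "kerberos")), 2)
            for h, c in per_host.items()}

def ready_to_disable(per_host):
    """Hosts with no NTLM logons in the sample: the first candidates for switching NTLM off."""
    return sorted(h for h, c in per_host.items() if c.get("ntlm", 0) == 0)

if __name__ == "__main__":
    counts, accounts = summarize(SAMPLE_EVENTS)
    for host in sorted(counts):
        print(host, counts[host], "NTLM share:", ntlm_share(counts)[host], "accounts:", accounts.get(host, []))
    print("ready to disable NTLM:", ready_to_disable(counts))
```

On the sample, WS03 is the only host with no NTLM logons, FS02 is entirely NTLM because of a service account, and WS01 looks Kerberos-only until the Negotiate logon of `localadmin` is read correctly. Tracking those numbers over time, per host and per account, is the evidence the article says Microsoft itself wants before NTLM is switched off.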