Microsoft has announced plans to expand the use of Kerberos, its preferred authentication protocol, and gradually phase out NTLM (NT LAN Manager), an older protocol that is both weaker and harder to extend. Kerberos has been the default authentication protocol in Windows for more than two decades, but NTLM has remained in use in some situations, notably because it works without line of sight to a Domain Controller.
Complications with Hardwired Apps
The move to Kerberos only, however, poses a problem for applications and services hardwired to use NTLM. Organizations can already disable NTLM authentication, but doing so is likely to break those applications or services, so before disabling it administrators need to know which clients, servers and processes still depend on NTLM. To address the compatibility gap, Microsoft has introduced two new authentication features built on Kerberos.
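The practical first step behind that caveat is an audit-only pass: switch on the NTLM audit policies, leave NTLM enabled, and let the Microsoft-Windows-NTLM/Operational log tell you which processes and peers still authenticate with it. The script below is an added example written for this page; it is not Microsoft's code. It sets the registry values backing the "Network security: Restrict NTLM" audit policies on the local machine (in a domain you would set the same policies by Group Policy), reads the audit events (8001 outgoing, 8002 incoming, 8003/8004 on Domain Controllers) and summarizes them. The "Key: value" labels it looks for in the event messages are taken from the event text as commonly observed and are an assumption; adjust them if your events differ.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory NTLM usage before disabling NTLM. Assumes a Windows host
# with the Microsoft-Windows-NTLM/Operational log. Audit-only: nothing is blocked.

$Msv10    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Enable-NtlmAudit {
    # "Network security: Restrict NTLM: Audit Incoming NTLM Traffic" = Enable auditing for all accounts
    Set-ItemProperty -Path $Msv10 -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord
    # "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" = Audit all
    Set-ItemProperty -Path $Msv10 -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    # On a Domain Controller only: "Network security: Restrict NTLM: Audit NTLM
    # authentication in this domain" = Enable all (DomainRole 4/5 = backup/primary DC)
    if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
        Set-ItemProperty -Path $Netlogon -Name AuditNTLMInDomain -Value 7 -Type DWord
    }
}

function Get-NtlmAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001, 8002, 8003, 8004
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Every NTLM audit event lists its details as "Key: value" lines; parsing them
        # generically lets one routine handle all four event types.
        $fields = @{}
        foreach ($line in ($_.Message -split "`r?`n")) {
            if ($line -match '^(?<k>[^:]+?):\s*(?<v>.*)$') {
                $fields[$matches.k.Trim()] = $matches.v.Trim()
            }
        }
        # Assumed labels: the remote party is "Target server" on 8001 (client side)
        # and "Workstation name" on server/DC side events.
        $peer = @('Target server', 'Workstation name') |
            ForEach-Object { $fields[$_] } | Where-Object { $_ } | Select-Object -First 1
        $proc = @('Name of client process', 'Calling process name') |
            ForEach-Object { $fields[$_] } | Where-Object { $_ } | Select-Object -First 1
        $user = @('Supplied user', 'Client user name', 'User name') |
            ForEach-Object { $fields[$_] } | Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Peer    = $peer
            Process = $proc
            User    = $user
        }
    }
}

function Get-NtlmDependencyReport {
    # One row per (event type, peer, process): the list of things that would break
    # if NTLM were switched from "audit" to "deny".
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-NtlmAuditEvents -Since $Since |
        Group-Object EventId, Peer, Process |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                EventId  = $first.EventId
                Peer     = $first.Peer
                Process  = $first.Process
                Count    = $_.Count
                LastSeen = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } |
        Sort-Object Count -Descending
}

Enable-NtlmAudit
Get-NtlmDependencyReport | Format-Table -AutoSize
```

Run it on a representative client, a file or application server, and a Domain Controller, since each sees a different slice of the traffic. Only when the report has been empty for a period that covers monthly and quarterly jobs is it reasonable to change the corresponding policies from audit to deny.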
New Authentication Features to Ease the Transition
The first is Initial and Pass Through Authentication Using Kerberos (IAKerb), a public extension to the Kerberos protocol that lets a client authenticate through a server that has line of sight to a Domain Controller even when the client itself does not. It builds on the Negotiate authentication extension, which allows the Windows authentication stack to proxy Kerberos messages through the server on behalf of the client. The server only relays those messages; IAKerb relies on the cryptographic protections of Kerberos itself, so the messages passing through the server remain protected against replay and relay attacks. This kind of proxying is particularly useful where the network is segmented by a firewall or where remote access is required.
The second feature is a local Key Distribution Center (KDC) for Kerberos, which brings local account authentication under Kerberos. It is built on top of the local machine's Security Account Manager (SAM), so remote authentication of local user accounts can use Kerberos instead of NTLM, and it uses IAKerb to carry the Kerberos messages to the remote machine without that machine needing DNS, netlogon or DCLocator support or additional open ports.
These changes prepare for the eventual removal of NTLM. “Reducing the use of NTLM will ultimately culminate in its being disabled in Windows 11,” Microsoft stated, adding that it will take a data-driven approach, monitoring the decline in NTLM usage to decide when it is appropriate to disable the protocol entirely. At that point NTLM will be disabled by default, with the option of re-enabling it to deal with any remaining compatibility issues. Microsoft gave no timeline for the transition.