When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Microsoft wants to eventually disable NTLM authentication in Windows 11

Neowin · · Hot! with 0 comments

A Windows 11 logo

The various versions of Windows have used Kerberos as its main authentication protocol for over 20 years. However, in certain circumstances, the OS has to use another method, NTLM (NT LAN Manager). Today, Microsoft announced that it is expanding the use of Kerberos, with the plan to eventually ditch the use of NTLM altogether.

In a blog post, Microsoft stated that NTLM continues to be used by some businesses and organizations for Windows authentication because it "doesn’t require local network connection to a Domain Controller." It also is "the only protocol supported when using local accounts" and it "works when you don’t know who the target server is"

Microsoft states:

These benefits have led to some applications and services hardcoding the use of NTLM instead of trying to use other, more modern authentication protocols like Kerberos. Kerberos provides better security guarantees and is more extensible than NTLM, which is why it is now a preferred default protocol in Windows.

The problem is that while businesses can turn off NTLM for authentication, those hardwired apps and services could experience issues. That's why Microsoft has added two new authentication features to Kerberos.

One is Initial and Pass Through Authentication Using Kerberos (IAKerb), which will allow "a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight." The other is the local Key Distribution Center (KDC) for Kerberos which adds authentication support for local accounts.

These changes are being made so that in the long-term Kerberos will be the only Windows authentication protocol. Microsoft stated:

Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable.

Once the decision has been made, Microsoft will first disable NTLM by default, but businesses will be able to reenable it just in case they encounter compatibility issues. Microsoft has not announced a specific timetable for when all of this will happen.

Report a problem with article
Assassins Creed Mirage screenshot
Next Article

AMD 23.10.1 driver brings AC Mirage and Lords of the Fallen support, plus stutter fixes

Threads gets new features
Previous Article

Threads will not "amplify" news on the platform to maintain positivity

Join the conversation!

Login or Sign Up to read and post a comment.

0 Comments - Add comment