Windows 11 to eliminate NTLM authentication in favor of Kerberos

Microsoft is updating Kerberos with two new features to begin deprecation of the NTLM authentication protocol on Windows 11.

Group Policy Kerberos settings
Group Policy Kerberos settings
  • Microsoft begins to deprecate the NTLM authentication mechanism for Kerberos.
  • The company is doing this by updating Kerberos with two new features, including IAKerb and KDC.
  • The decision has been made to improve the security of Windows 11.

As part of a continued effort to increase the security of Windows 11, Microsoft says that it’s planning to disable the New Technology LAN Manager (NTLM) authentication protocol and further implement Kerberos into the operating system.

According to the company, the Kerberos authentication protocol has been around for many years and works well, but not in every scenario, which is the reason that NTLM is still in use since it doesn’t require a connection to the local Domain Controller (DC), it works for local accounts, and doesn’t require the identity of the target server.

The problem with this current setup is that NTLM isn’t as secure as Kerberos, and many developers and organizations are hard-coding the less secure authentication method into their apps and services.

As a result of the limitations and security risks, Microsoft is working on some improvements to make Kerberos more appealing and then disable NTLM on Windows 11.

The first improvement is IAKerb, a new public extension allowing a device without line-of-sight to a DC to authenticate through a server with line-of-sight. This solution uses the Windows authentication stack to proxy the requests from Kerberos without the need for the application to require a line-of-sight to a Domain Controller. Also, IAKerb offers encryption and security in transit to prevent replay or relay attacks, making it appropriate for remote authentication.

The second improvement is the implementation of the Key Distribution Center (KDC) on top of the Secure Account Manager (SAM) to support local account authentication through Kerberos. This feature uses IAKerb to allow Windows to pass Kerberos messages between remote local computers without adding support for other enterprise services like DNS, netlogon, or DCLocator or opening a new port.

Similar to the IAKerb, KDC uses Advanced Encryption Standard (AES) encryption to improve the authentication mechanism’s security.

In addition, the company also explained that it will work on existing components in the operating system that are using a hard-coded implementation of NTLM so that they use the Negotiate protocol to leverage IAKerb and KDC for Kerberos.

The company also said that these changes will deploy automatically without the need for configuration (in most scenarios), and the protocol will continue to be supported for the foreseeable future as a fallback mechanism. The company is also updating its NTLM management controls to allow organizations to monitor and control the protocol.

About the author

Mauro Huculak is a Windows expert and the Editor-in-Chief who started Pureinfotech in 2010 as an independent online publication. He is also been a Windows Central contributor for nearly a decade. Mauro has over 12 years of experience writing comprehensive guides and creating professional videos about Windows, software, and related technologies, including Android and Linux. Before becoming a technology writer, he was an IT administrator for seven years. In total, Mauro has over 20 years of combined experience in technology. Throughout his career, he achieved different professional certifications from Microsoft (MSCA), Cisco (CCNP), VMware (VCP), and CompTIA (A+ and Network+), and he has been recognized as a Microsoft MVP for many years. You can follow him on X (Twitter), YouTube, LinkedIn and About.me.