Phasing Out NTLM: Windows 11’s Commitment to Kerberos


Microsoft has announced a phased plan to move Windows 11 away from NTLM authentication in favor of Kerberos, adding new Kerberos extensions to cover the scenarios that currently force Windows to fall back to NTLM.

Security remains a priority for Microsoft, given that Windows runs on more than a billion devices. Over a year ago the company disclosed plans to phase out Server Message Block version 1 (SMB1) in Windows 11 Home. It has now announced plans to replace NT LAN Manager (NTLM) authentication with Kerberos.

“As Windows evolves to meet the needs of our ever-changing world, the way we protect users must also evolve to address modern security challenges. A foundational pillar of Windows security is user authentication. We are working on strengthening user authentication by expanding the reliability and flexibility of Kerberos and reducing dependencies on NT LAN Manager (NTLM),” Matthew Palko wrote.

In a detailed post, Microsoft noted that Kerberos has been the default authentication protocol in Windows for more than two decades. There are still scenarios it cannot handle, however, and in those cases Windows falls back to NTLM. To close those gaps, the company is building two new Kerberos capabilities into Windows 11: Initial and Pass Through Authentication Using Kerberos (IAKerb) and a local Key Distribution Center (KDC) for Kerberos.

NTLM persists because it works where Kerberos does not: a client needs no network path to a Domain Controller (DC), and local (non-domain) accounts can use it. Those gaps in Kerberos are why many organizations cannot simply disable the older protocol, even though NTLM's design (a challenge-response exchange with no mutual authentication, in which the password hash itself serves as the credential) makes it the weaker of the two and the one exposed to relay and pass-the-hash attacks.

To remove those limitations and make Kerberos the practical choice for developers and organizations, Microsoft is adding new features to Windows 11.

The first is IAKerb, a public extension to Kerberos that lets a client with no line of sight to the DC authenticate through a server that does have a connection to the domain infrastructure; the server passes the Kerberos messages through on the client's behalf. The second is a local KDC for Kerberos, built on the machine's local account database, so that local accounts can be authenticated with Kerberos rather than NTLM.

In later phases, Microsoft will also change the Windows components that are currently hardcoded to use NTLM so that they call Negotiate instead. Negotiate selects Kerberos when it is available and falls back to NTLM only when it is not, so once the Kerberos gaps above are closed the fallback stops being exercised.

The end goal is to disable NTLM by default in Windows 11, once telemetry shows that doing so is safe. In the meantime Microsoft advises organizations to audit their NTLM usage and follow further updates on the subject. The existing "Network security: Restrict NTLM" Group Policy settings provide that audit mode: they log NTLM authentications to the Microsoft-Windows-NTLM/Operational event log without blocking anything, which is the data needed to find the applications and hosts that would break when NTLM is turned off.
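The following PowerShell is an added example of that audit, not code from Microsoft's post. It turns on the NTLM audit policies by writing the registry values that the "Network security: Restrict NTLM" Group Policy settings store under the MSV1_0 key (in production, set them through GPO rather than directly), then summarises NTLM logons from Security event 4624, which records the authentication package and the NTLM version used. It assumes an elevated session on a domain member or DC with successful-logon auditing enabled; the function names and the seven-day window are choices made for this example.

```powershell
# Added example (not from Microsoft's post): audit NTLM usage on a Windows host
# before attempting to disable the protocol. Run from an elevated PowerShell session.
# Registry values below are where the "Network security: Restrict NTLM: ..." Group
# Policy settings are stored; prefer setting them via GPO in production.

function Enable-NtlmAudit {
    param([switch]$DomainController)

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # "Audit Incoming NTLM Traffic" = Enable auditing for all accounts (2)
    Set-ItemProperty -Path $lsa -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    # "Outgoing NTLM traffic to remote servers" = Audit all (1); 2 would deny, which is the goal later
    Set-ItemProperty -Path $lsa -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

    if ($DomainController) {
        # "Audit NTLM authentication in this domain" = Enable all (7); only meaningful on a DC
        Set-ItemProperty -Path $lsa -Name 'AuditNTLMInDomain' -Value 7 -Type DWord
    }

    # The audit events are written to this channel; make sure it is enabled.
    wevtutil set-log 'Microsoft-Windows-NTLM/Operational' /enabled:true
}

function Get-NtlmAuditEventCounts {
    # 8001 = outgoing NTLM from this host, 8002 = incoming NTLM to this host,
    # 8003/8004 = domain-level audit events recorded on domain controllers.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'
        Id      = 8001, 8002, 8003, 8004
    } -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

function Get-NtlmLogonSummary {
    param([int]$Days = 7, [int]$MaxEvents = 20000)

    # Security event 4624 records every successful logon together with the package
    # that authenticated it. Filtering on NTLM in XPath keeps the work in the event service.
    $xpath = "*[System[EventID=4624]] and *[EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $since = (Get-Date).AddDays(-$Days)

    $records = foreach ($e in $events) {
        if ($e.TimeCreated -lt $since) { continue }
        # Pull named EventData fields from the XML instead of trusting Properties[n] positions.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            Source      = $d['IpAddress']
            LogonType   = $d['LogonType']
            Package     = $d['LmPackageName']   # 'NTLM V1', 'NTLM V2' or 'LM'
            Process     = $d['ProcessName']
        }
    }

    # One row per distinct (user, workstation, NTLM version), most frequent first.
    $records |
        Group-Object -Property User, Workstation, Package |
        ForEach-Object {
            [pscustomobject]@{
                Count       = $_.Count
                User        = $_.Group[0].User
                Workstation = $_.Group[0].Workstation
                Package     = $_.Group[0].Package
                Sources     = ($_.Group.Source | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object -Property Count -Descending
}

# Usage:
#   Enable-NtlmAudit                      # member server or workstation
#   Enable-NtlmAudit -DomainController    # DC, where the domain-wide audit events are logged
#   Get-NtlmAuditEventCounts
#   Get-NtlmLogonSummary -Days 30 | Format-Table -AutoSize
```

Rows whose Package column reads "NTLM V1" or "LM" are the ones to fix first, since those versions are weaker still than NTLMv2. On a domain controller the Security log also carries event 4776 for every NTLM credential validation, which gives the same per-account view for hosts whose own logs you cannot collect. Leave the audit running for at least one full business cycle (month-end jobs and scheduled tasks are where forgotten NTLM dependencies hide) before moving the "Restrict NTLM" settings from audit to deny.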