Microsoft wants to eventually remove the NTLM authentication protocol from Windows 11


Microsoft wants to remove NTLM from Windows 11. The operating system would then switch entirely to Kerberos as its authentication protocol, with new fallback methods for cases in which Kerberos does not work properly. Kerberos is also to be extended so that it works for local accounts in the future.

Microsoft writes in a blog post that it wants to get rid of NT LAN Manager (NTLM) in the long term, although the company says there is currently no concrete timeline. It first plans to add more NTLM management options that let system administrators monitor how often NTLM is used: the logs become more detailed, and administrators get the option to control NTLM more selectively per user or to set up specific exception rules.

Microsoft wants to gain such insights itself as well, not only for administrators. The company says it is taking a “data-driven approach” to determine “when it is safe to disable NTLM use.” Eventually the protocol is to be disabled by default, although according to Microsoft there will remain an option to re-enable it. Microsoft recommends that administrators and developers identify where they still use NTLM; the company notes that NTLM may also be hardcoded in applications, and that developers should check for that too. Microsoft will do the same for Windows 11 itself: components that hardcode NTLM are replaced by a dynamic component that primarily uses Kerberos.
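As an added example, not part of the article or of Microsoft's own tooling: a PowerShell script that inventories NTLM logons from the Windows Security log, the kind of check an administrator needs before the protocol can be disabled. It assumes it runs elevated on a server or domain controller whose Security log records successful logons (event 4624); the `$Days` and `$ComputerName` parameters are the script's own.

```powershell
# Added example: list which accounts and hosts still authenticate with NTLM,
# based on successful logon events (4624) in the local Security log.
# Assumption: logon auditing is enabled (default on servers and DCs).
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddDays(-$Days)

# Event 4624 = successful logon. AuthenticationPackageName says which package
# handled it (NTLM or Kerberos); LmPackageName distinguishes NTLM V1 from V2.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $since }

$ntlm = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['AuthenticationPackageName'] -eq 'NTLM') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
                LogonType   = $d['LogonType']      # 3 = network, 10 = RDP, ...
                NtlmVersion = $d['LmPackageName']  # 'NTLM V1' or 'NTLM V2'
            }
        }
    }

# Summaries a defender acts on: who and where still sends NTLM, and whether
# any of it is NTLMv1, which should be eliminated first.
$ntlm | Group-Object Account, Workstation, NtlmVersion |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Account';     e = { $_.Group[0].Account } },
                  @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
                  @{ n = 'NtlmVersion'; e = { $_.Group[0].NtlmVersion } } |
    Format-Table -AutoSize

$v1 = @($ntlm | Where-Object NtlmVersion -eq 'NTLM V1').Count
Write-Host "NTLM logons in the last $Days days: $(@($ntlm).Count) (NTLMv1: $v1)"
```

For a fuller picture of NTLM traffic that never produces a 4624 on the host you query, Windows' existing "Network security: Restrict NTLM: Audit ..." policies write per-request audit events to the Microsoft-Windows-NTLM/Operational log, which can be queried the same way.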

NT LAN Manager is an authentication protocol in Windows, but it has not been the default for years; Kerberos has held that role since 2000. NTLM nevertheless has several advantages that Kerberos does not. The main one is that NTLM is the only supported protocol for local accounts, but NTLM also does not require a direct connection to a domain controller. In cases where no such connection is available, Windows still automatically falls back to NTLM.

Microsoft says Windows 11 will get alternatives for those scenarios. One of them is IAKerb, which stands for Initial and Pass Through Authentication Using Kerberos. With it, a client without a connection to a domain controller can still complete the Kerberos handshake by having Windows relay it. There will also be a local Key Distribution Center for Kerberos, so that Kerberos can be used for remote authentication to local accounts as well.
