Difference Between NTLM and Kerberos (With Table)

The NTLM authentication process involves only the client and the IIS7 server. Under the ticket-based Kerberos protocol, by contrast, a trusted third party also takes part in authentication. This fundamental difference between the two is reinforced by the other dissimilarities that emerge from a side-by-side comparison.

NTLM vs Kerberos

The difference between NTLM and Kerberos is that the former is a challenge-response authentication protocol, while the latter is a ticket-based authentication protocol. NTLM is the authentication protocol used by older Windows versions and by computers that are not members of an Active Directory domain, while Kerberos is a ticket-based authentication protocol used by newer Windows versions that are members of an Active Directory domain.

Comparison Table Between NTLM and Kerberos

| Parameter of Comparison | NTLM | Kerberos |
|---|---|---|
| Definition | NTLM is a Microsoft authentication protocol used in older Windows versions that are not members of an Active Directory domain. | Kerberos is a ticket-based authentication protocol used in the latest Windows versions, which are members of an Active Directory domain. |
| Authentication process | The NTLM exchange involves only the client and the IIS7 server. | The Kerberos exchange involves the client, the server and a trusted third party that issues tickets, usually an Active Directory domain controller. |
| Security | NTLM is less secure than Kerberos. | Kerberos offers stronger protection to users and is significantly safer than NTLM. |
| Mutual authentication | Not available in NTLM. | Included in Kerberos. |
| Delegation and impersonation | NTLM does not support delegation; it supports impersonation only. | Kerberos supports both delegation and impersonation. |
| Smartcard logon | Two-factor logon with a smartcard is not supported by NTLM. | Two-factor logon with a smartcard is supported by Kerberos. |
| Compatibility | NTLM is compatible with older Windows versions such as Windows 95, Windows 98 and NT 4.0. | Kerberos is compatible with newer Windows versions such as Windows 2000, XP and later. |

What is NTLM?

The NTLM protocol is a proprietary Windows authentication protocol that uses a challenge-response scheme to authenticate logins. NTLM was prevalent on older Windows computers that are not members of an Active Directory domain.

Once the client initiates authentication, a three-way handshake between the client and the server begins. The client first sends a message naming its account and its encryption capabilities. The server then responds with a 64-bit nonce; this response is termed the challenge. The client's reply is computed from this challenge together with the user's password, so the password itself is never transmitted.
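The handshake above modelled in code, as an added example that is not part of the original article: the response follows the NTLMv2 structure from MS-NLMP (HMAC-MD5 keyed with a key derived from the NT hash) but is simplified, and the NT hash, user and domain are constructed placeholders.

```python
import hmac, os

# Constructed sample value standing in for the stored NT hash of the user's
# password (in real NTLM this is MD4 over the UTF-16LE password); it is not a
# real hash and is fixed only so the example runs offline.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
USER, DOMAIN = "alice", "CORP"  # constructed principal

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed with the NT hash over the upper-cased
    user name concatenated with the domain, both UTF-16LE (MS-NLMP NTOWFv2)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def server_challenge() -> bytes:
    """Message 2 of the three-way handshake: a fresh 64-bit nonce."""
    return os.urandom(8)

def client_response(nt_hash, user, domain, challenge, client_nonce):
    """Message 3: a keyed MAC over the server challenge and a client nonce.
    Neither the password nor its hash is sent; only this proof crosses the wire.
    (Real NTLMv2 also folds a timestamp and target information into the MAC.)"""
    key = ntowf_v2(nt_hash, user, domain)
    return hmac.new(key, challenge + client_nonce, "md5").digest()

def server_verify(nt_hash, user, domain, challenge, client_nonce, response):
    """The server recomputes the proof from the hash it stores and compares in
    constant time. With no third party in the exchange, the verifier itself
    needs the password-equivalent hash (or must pass the exchange through to
    a domain controller that has it)."""
    expected = client_response(nt_hash, user, domain, challenge, client_nonce)
    return hmac.compare_digest(expected, response)

def demo():
    """Returns (fresh exchange accepted, wrong hash rejected, replayed response rejected)."""
    c1, cn = server_challenge(), os.urandom(8)
    r1 = client_response(NT_HASH, USER, DOMAIN, c1, cn)
    accepted = server_verify(NT_HASH, USER, DOMAIN, c1, cn, r1)
    wrong = server_verify(bytes(16), USER, DOMAIN, c1, cn, r1)
    # A later session gets a new 64-bit challenge, so a captured r1 no longer matches.
    replayed = server_verify(NT_HASH, USER, DOMAIN, server_challenge(), cn, r1)
    return accepted, wrong, replayed  # (True, False, False)
```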

The security offered by NTLM is inferior to that provided by newer authentication protocols. Because NTLM does not use a three-party procedure, it is deemed less secure. Moreover, smartcard logon, mutual authentication and delegation are not supported by this older protocol.

What is Kerberos?

Kerberos is a Windows authentication protocol supported by the latest Windows versions. It is a ticket-based protocol used by Windows PCs that are members of an Active Directory domain. Its main selling point is that it can reduce the number of passwords a user needs in order to access the network to a single one.

This secure, sophisticated authentication protocol was designed at MIT. It has been adopted as the standard authentication protocol for all Windows computers from Windows 2000 onward. Kerberos also includes several strong features, such as mutual authentication and smartcard logon.

Kerberos offers very strong security assurances. It relies on a trusted third party to authenticate logins, which enhances safety and reduces the exposure of confidential data. By operating through centralized authentication servers, Kerberos provides further stability and security.
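The ticket flow and the mutual-authentication step described above, as an added and deliberately simplified model that is not the article's or any library's code: the AS and TGS exchanges are collapsed into one KDC step, the toy seal/unseal (SHAKE keystream plus HMAC) stands in for Kerberos's encryption types, and the principal names and keys are constructed.

```python
import hmac, hashlib, os, json

def seal(key, plaintext):
    """Toy encrypt-then-MAC standing in for Kerberos's AES encryption types.
    Each key is shared only by the KDC and one principal, so a blob that
    unseals under a key proves the KDC (or that principal) produced it."""
    nonce = os.urandom(16)
    ks = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad ticket or authenticator")
    return bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct))))

# Constructed long-term keys, as held by the KDC on the domain controller.
KDC_KEYS = {"alice": os.urandom(32), "host/fileserver": os.urandom(32)}

def kdc_issue(user, service):
    """Third-party step: mint a session key; return a ticket the client cannot read
    (sealed under the service key) and the session key sealed under the user's key."""
    sk = os.urandom(32).hex()
    ticket = seal(KDC_KEYS[service], json.dumps({"client": user, "sk": sk}).encode())
    for_client = seal(KDC_KEYS[user], json.dumps({"service": service, "sk": sk}).encode())
    return ticket, for_client

def client_ap_req(user_key, for_client, now):
    """Client: recover the session key and build an authenticator (fresh timestamp)."""
    sk = bytes.fromhex(json.loads(unseal(user_key, for_client))["sk"])
    return sk, seal(sk, json.dumps({"ts": now}).encode())

def service_ap_rep(service_key, ticket, auth, now, skew=300):
    """Service: open the ticket with its own key, check the authenticator is fresh,
    then echo the timestamp under the session key to prove it holds it (mutual auth)."""
    t = json.loads(unseal(service_key, ticket))
    sk = bytes.fromhex(t["sk"])
    ts = json.loads(unseal(sk, auth))["ts"]
    if abs(now - ts) > skew:
        raise ValueError("stale authenticator: replay or clock skew")
    return t["client"], seal(sk, json.dumps({"ts": ts}).encode())

def run_exchange(client_now, service_now):
    """Full flow; returns (client name the service authenticated, mutual-auth result)."""
    ticket, for_client = kdc_issue("alice", "host/fileserver")
    sk, auth = client_ap_req(KDC_KEYS["alice"], for_client, client_now)
    who, ap_rep = service_ap_rep(KDC_KEYS["host/fileserver"], ticket, auth, service_now)
    return who, json.loads(unseal(sk, ap_rep))["ts"] == client_now
```

The client never learns the service's long-term key and the service never sees the user's password, which is what lets one logon cover every service in the domain.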

Main Differences Between NTLM and Kerberos

  1. The main difference between NTLM and Kerberos is that NTLM is a challenge-response Microsoft authentication protocol used in older Windows versions that are not members of an Active Directory domain, while Kerberos is a ticket-based authentication protocol used in newer Windows versions.
  2. Smartcard logon through two-factor authentication is supported by Kerberos. NTLM does not support smartcard logon.
  3. In terms of security, Kerberos has an edge over NTLM. NTLM is comparatively less secure than Kerberos.
  4. Mutual authentication is available with Kerberos. NTLM, by contrast, does not offer mutual authentication.
  5. While Kerberos supports both delegation and impersonation, NTLM supports impersonation only.
  6. The authentication process under NTLM involves only the client and the server. Under Kerberos, a trusted third party also takes part in authentication.
  7. Earlier Windows versions, including Windows 95, Windows 98 and NT 4.0, use the NTLM protocol. Kerberos is built into newer versions such as Windows 2000, XP and later.

Conclusion

Both NTLM and Kerberos are based on symmetric key cryptography, and both are strong, relevant authentication systems. The two may seem overwhelmingly similar to novice users; however, the difference between them is quite conspicuous.

NTLM is a challenge-response-based authentication protocol, while Kerberos is a ticket-based authentication protocol. The former is used mostly in the older Windows models. Although Windows has maintained backward compatibility with this protocol, its usage has significantly reduced over the years.

This change is largely attributed to the development of more secure and sophisticated protocols like Kerberos. Kerberos offers enhanced features as well as an improved protective shield for the user.

Thus, in a comparative choice between the two, the newer Kerberos protocol emerges as the clear winner. It embodies some of the most coveted modern features that one can desire in an advanced authentication protocol.
