The NTLM authentication process solely involves the client and the IIS7 server. However, a trusted third party is also privy to this authentication process under the ticket-based Kerberos protocol.
This seminal difference between the two is highlighted further by the other dissimilarities apparent in a comparative analysis.
- NTLM is a Microsoft authentication protocol that uses a challenge-response mechanism for authentication and is used in Windows environments.
- Kerberos is a network authentication protocol that uses a ticketing system widely used in Unix-based systems and cross-platform environments.
- While NTLM relies on a series of handshakes between the client and the server, Kerberos uses a trusted third-party authentication server to issue tickets for authentication.
NTLM vs Kerberos
NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user’s password. Kerberos is a computer network security protocol that authenticates service requests between two or more trusted hosts across an untrusted network, like the internet.
|Parameters of Comparison
|NTLM is a Microsoft authentication protocol used in older Windows models, not members of an Active Directory domain.
|Kerberos is a ticket-based authentication protocol used in the latest Windows models. These computers are already members of an Active Directory domain.
|Under NTLM, the authentication protocol solely involves the client and the IIS7 server.
|The Kerberos authentication protocol involves the client, server, and a trusted third-party ticket partner. The third party is an Active Directory domain controller.
|NTLM is less secure than the Kerberos protocol.
|The Kerberos authentication protocol offers enhanced protection to the users. It is significantly safer than the NTLM protocol.
|The mutual authentication feature is absent from NTLM.
|Mutual authentication feature is included in Kerberos.
|Delegation and Impersonation
|NTLM does not support delegation. The NTML protocol solely supports impersonation.
|Kerberos supports both delegation and impersonation.
|A two-factor login by the usage of smartcards is not allowed by NTLM protocols.
|A two-factor login procedure using a smartcard is allowed by the Kerberos protocol.
|NTLM is compatible with older Windows models, like Windows 95, 98, NT 4.0, etc.
|Kerberos is compatible with all the latest Windows models like Microsoft Windows 2000, XP, and others.
What is NTLM?
The NTLM protocol is a proprietary Windows authentication protocol that uses a challenge-response system to authenticate logins. The NTLM system was prevalent in the older Windows computers that were not members of an Active Directory domain.
After the initiation of the authentication process by the client, a three-way handshake between the client and the server commences. The process begins with the client sending a message specifying his or her account name and encryption capabilities.
Consequently, the server responds with a 64-bit nonce. This response is termed the challenge. The client’s response comprises this value and his or her password.
The security offered by the NTLM is inferior to those provided by the newer versions of other authentication protocols. This authentication protocol does not use a tri-party procedure.
As a result, it is deemed less secure. Moreover, this older protocol does not facilitate smartcard logons, mutual authentication, delegation, etc.
What is Kerberos?
Kerberos is a Window authentication protocol compatible with the latest models launched by the brand. It is a ticket-based protocol that is used by those Windows PCs that are already members of an Active Directory domain.
The USP of this protocol is that it can effectively reduce the total number of passwords a user needs to access the network to only one.
This secure, sophisticated, and advanced authentication protocol was designed at MIT. It has been accepted as the standard authentication protocol for all computers, from the Windows 2000 model to other more recent models.
Kerberos includes several formidable specs like mutual authentication and a smart card logon.
The security assurance of the Kerberos protocol is unmatched. It uses a third party to authenticate logins. This ensures enhanced safety and minimizes the vulnerability of confidential data. By operating through centralized data centres, Kerberos ensures further stability and security.
Main Differences Between NTLM and Kerberos
- The main difference between NTLM and Kerberos is that NTLM is a challenge-response-based Microsoft authentication protocol that is used in the older Windows models that are not members of an Active Directory domain. At the same time, Kerberos is a ticket-based authentication protocol used in the newer variants of the Windows model.
- Kerberos supports smart card logon through a two-factor authentication protocol. NTLM does not support a smart card logon.
- In terms of security, Kerberos has the edge over NTLM. NTLM is comparatively less secure than Kerberos.
- Mutual authentication feature is available with Kerberos. Contrarily, NTLM does not offer the user this mutual authentication feature.
- While Kerberos supports both delegation and impersonation, NTLM only supports impersonation.
- The authentication process under the NTLM protocol involves the client and the server. However, a reliable third party is privy to the authentication process under the Kerberos protocol.
- The earlier Windows models used the NTLM protocol. This includes versions like Windows 95, 98, NT 4.0, etc. The Kerberos protocol is preinstalled on newer models like Microsoft Windows 2000, XP, and other latest models.
Last Updated : 15 June, 2023
I’ve put so much effort writing this blog post to provide value to you. It’ll be very helpful for me, if you consider sharing it on social media or with your friends/family. SHARING IS ♥️
Sandeep Bhandari holds a Bachelor of Engineering in Computers from Thapar University (2006). He has 20 years of experience in the technology field. He has a keen interest in various technical fields, including database systems, computer networks, and programming. You can read more about him on his bio page.