When a user logs on, the password the user types is converted into a password hash and held in Random Access Memory (RAM) by the Local Security Authority Subsystem Service (LSASS) process. If the user is using a local account for authentication, the hash is compared against the locally stored NTLMv2 Hash, and if the two match, the user is authenticated.
If the user is authenticating against a Microsoft Active Directory domain (AD DOMAIN) by using a hostname to access a resource, the NTLMv2 Hash is used in a Kerberos logon against the Key Distribution Center (KDC), which is typically a Domain Controller. The password verifier is computed by the Netlogon service, not LSASS.
Kerberos cannot be used in the following situations:
- Authenticating against an AD DOMAIN running only Windows NT 4.0 or earlier
- Accessing a resource on a non-Domain Controller by using an IP Address rather than a hostname
- Accessing a resource on a computer that is not a member of an AD DOMAIN
- Accessing any resource on a computer that does not support Kerberos
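
The four conditions above can be checked mechanically when auditing the resource paths found in scripts, mapped drives or configuration files. The following Python sketch is an added example, not code from the original page: the `Host` record, the `INVENTORY` contents and all host names and addresses are constructed for illustration, and hosts missing from the inventory are assumed to be ordinary Kerberos-capable domain members.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Host:  # hypothetical inventory record; defaults describe a normal domain member
    domain_member: bool = True
    domain_controller: bool = False
    supports_kerberos: bool = True
    nt4_only_domain: bool = False  # its domain runs only Windows NT 4.0 or earlier

# Constructed sample inventory, keyed by the name or address used to reach the host.
INVENTORY = {
    "10.0.0.5": Host(domain_controller=True),
    "10.0.0.20": Host(),
    "nas01": Host(domain_member=False, supports_kerberos=False),
}

def target_of(path: str) -> str:
    # Server part of a UNC path or URL; IPv6 literals in URLs are bracketed.
    m = re.match(r"^(?:\\\\|[a-z][a-z0-9+.-]*://)(\[[^\]]+\]|[^\\/:]+)", path, re.I)
    if not m:
        raise ValueError(f"unrecognised resource path: {path!r}")
    return m.group(1).strip("[]")

def is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def kerberos_blockers(path: str, inventory: dict) -> list:
    # Reasons, taken from the list above, why Kerberos cannot be used for this path.
    name = target_of(path)
    host = inventory.get(name.lower(), Host())  # assumption: unknown hosts get defaults
    reasons = []
    if host.nt4_only_domain:
        reasons.append("domain runs only Windows NT 4.0 or earlier")
    if is_ip(name) and not host.domain_controller:
        reasons.append("IP address used against a non-Domain Controller")
    if not host.domain_member:
        reasons.append("target is not a member of an AD domain")
    if not host.supports_kerberos:
        reasons.append("target does not support Kerberos")
    return reasons

if __name__ == "__main__":
    for p in (r"\\fs01.corp.example\share", r"\\10.0.0.20\share", "http://nas01/files"):
        print(p, "->", kerberos_blockers(p, INVENTORY) or "Kerberos possible")
```

An empty result means none of the listed conditions applies to that path; a non-empty result names the condition that rules Kerberos out, typically fixed by addressing the resource by hostname or joining the target to the domain.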