The NT LAN Manager (NTLM) Authentication Protocol is used for authentication between clients and servers. The Kerberos Protocol Extensions (MS-KILE), by contrast, provide additional capability for authorization information including group memberships, interactive logon information, and message integrity, as well as constrained delegation and encryption supported by Kerberos principals.
Kerberos authentication (MS-KILE) replaces NT LAN Manager as the preferred authentication protocol. However, NTLM can be used when the Kerberos Protocol Extensions (KILE) do not work, such as in the following scenarios:
- One of the machines is not Kerberos-capable.
- The server is not joined to a domain.
- The KILE configuration is not set up correctly.
- The implementation chooses to directly use NLMP.
MS-CHAP is similar and is used for authentication with Microsoft remote access protocols. During protocol negotiation, the internal name is NTLM 0.12; the version number 0.12 has never been explained. NTLM is the successor of LANMAN (Microsoft LAN Manager), an older Microsoft authentication protocol, and attempts to be backwards compatible with LANMAN.
Before official documentation of the protocol was available, it was analyzed by the Samba team through network analysis. The cryptographic calculations are identical to those of MS-CHAP and are documented in RFC 2433 for v1 and RFC 2759 for v2. Both MS-CHAP v1 and v2 have been analyzed; Bruce Schneier, Peiter "Mudge" Zatko and David Wagner, among other researchers, found weaknesses in both protocols. Still, both protocols remain in widespread use.
Kerberos became the preferred authentication protocol for Windows Server 2000 and Windows Server 2003 Microsoft Active Directory domains. Kerberos is typically used when a client belongs to an AD DOMAIN, or if a trust relationship with an AD DOMAIN is established in some other way (such as Linux to Windows AD authentication). NTLM is still used in the following situations:
- The client is authenticating to a server using an IP Address.
- The client is authenticating to a server that belongs to a different AD Forest, or doesn't belong to an AD DOMAIN.
- No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
- Where a firewall would otherwise restrict the ports required by Kerberos (of which there are quite a few).
NT LAN Manager is still supported for inbound authentication, but for outbound authentication a newer version of NT LAN Manager, called NTLMv2, is sent by default instead. Prior versions of Windows (back as far as Windows NT 4.0 Service Pack 4) could be configured to behave this way, but it was not the default.
Technically speaking, the computer will accept LM for inbound authentication, but by default neither Windows Vista nor Windows Server 2008 stores the LM hash. Therefore, there is no way for them to authenticate an inbound LM response; the typical error message is "System error 86 has occurred. The specified network password is not correct."
You can control the authentication behavior, starting with Windows NT 4.0 Service Pack 4, using the LMCompatibilityLevel registry setting, shown in Group Policy as Network Security: LAN Manager Authentication Level. The default value for LMCompatibilityLevel in Windows Vista and Windows Server 2008 is 3, or Send NTLMv2 Response Only. NT LAN Manager Vulnerabilities shows some of the vulnerabilities of using NT LAN Manager (NTLM).
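An added audit script, not code from this page or from Microsoft, that reads the LMCompatibilityLevel setting described above and reports what the host will send and accept. It assumes the standard Lsa registry key path and value names (LmCompatibilityLevel, NoLMHash), treats an absent level as the Windows Vista/Server 2008 default of 3 stated above, and uses Microsoft's documented names for levels 0 to 5; the MinimumLevel baseline is a hypothetical parameter.

```powershell
# Added example: audit LM/NTLM posture from the LMCompatibilityLevel registry value.
# Level names follow the "Network Security: LAN Manager Authentication Level" policy.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$LevelTable = @{
    0 = @{ Name = 'Send LM & NTLM responses';                                   SendsLm = $true;  SendsNtlmv1 = $true;  RefuseLm = $false; RefuseNtlmv1 = $false }
    1 = @{ Name = 'Send LM & NTLM - use NTLMv2 session security if negotiated';  SendsLm = $true;  SendsNtlmv1 = $true;  RefuseLm = $false; RefuseNtlmv1 = $false }
    2 = @{ Name = 'Send NTLM response only';                                    SendsLm = $false; SendsNtlmv1 = $true;  RefuseLm = $false; RefuseNtlmv1 = $false }
    3 = @{ Name = 'Send NTLMv2 response only';                                  SendsLm = $false; SendsNtlmv1 = $false; RefuseLm = $false; RefuseNtlmv1 = $false }
    4 = @{ Name = 'Send NTLMv2 response only. Refuse LM';                       SendsLm = $false; SendsNtlmv1 = $false; RefuseLm = $true;  RefuseNtlmv1 = $false }
    5 = @{ Name = 'Send NTLMv2 response only. Refuse LM & NTLM';                SendsLm = $false; SendsNtlmv1 = $false; RefuseLm = $true;  RefuseNtlmv1 = $true }
}

function Get-NtlmAuthPosture {
    param([int]$MinimumLevel = 5)   # hypothetical baseline the caller wants enforced

    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    # Value absent => the OS default applies; assumed 3 (Vista / Server 2008) as stated above.
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
    # NoLMHash = 1 means LM hashes are not stored at the next password change.
    # An absent value is reported conservatively as "LM hashes may be stored".
    $noLmHash = ([int]$lsa.NoLMHash) -eq 1

    if (-not $LevelTable.ContainsKey($level)) { throw "Unexpected LmCompatibilityLevel value: $level" }
    $row = $LevelTable[$level]

    $findings = @()
    if ($row.SendsLm)           { $findings += 'Outbound LM responses enabled (LM hash is weak and easily recovered).' }
    if ($row.SendsNtlmv1)       { $findings += 'Outbound NTLMv1 responses enabled (weaknesses documented for MS-CHAP v1).' }
    if (-not $row.RefuseNtlmv1) { $findings += 'Inbound NTLMv1 still accepted; a client can negotiate down to it.' }
    if (-not $noLmHash)         { $findings += 'NoLMHash is not set to 1; LM hashes may be stored.' }

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        LmCompatibilityLevel  = $level
        LevelName             = $row.Name
        LmHashStorageDisabled = $noLmHash
        MeetsBaseline         = ($level -ge $MinimumLevel)
        Findings              = $findings
    }
}

Get-NtlmAuthPosture -MinimumLevel 5 | Format-List
```

Run it in an elevated session on each host, or wrap the call in Invoke-Command to collect the same object across a fleet; an empty Findings list with MeetsBaseline set to True is the expected result for a host at level 5.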
More Information
There might be more information for this subject on one of the following:
- Channel Binding
- LAN Manager
- LAN Manager authentication level
- NT LAN Manager
- NT LAN Manager Vulnerabilities
- NTLM SSP