!!! Overview[1] [{$pagename}] (and [password-hash]) is not all about [Microsoft Active Directory]. When a user logs on, the [password] the user types is converted into [password-hash] and held in [Random Access Memory] ([RAM]) by the [Local Security Authority Subsystem Service] ([LSASS]) process. If the user using a local account for [authentication], the [Hash Functions] is compared against the locally stored [NTLMv2] [Hash], and if the two match, the user [Authenticated]. If the user is authenticating against an [Microsoft Active Directory] [AD DOMAIN] by using a hostname to access a [resource], the [NTLMv2] [Hash] is used in a [Kerberos] logon against the [Key Distribution Center] ([KDC]), which is typically a [Domain Controller]. The password verifier is computed by [Netlogon service], not [LSASS]. [Kerberos] cannot be used in the following situations: * [authentication] against a [AD DOMAIN] running only [Windows NT] 4.0 or earlier * Accessing a [resource] on an non-[Domain Controller] by using an [IP Address] rather than a [hostname] * Accessing a [resource] on a computer that is not a member of an [AD DOMAIN] * Accessing any [resource] on a computer running that does not support [Kerberos] In these situations, the [authentication] process uses different protocols that are determined by the [LAN Manager authentication level] [Group Policy Object] setting. !! More Information There might be more information for this subject on one of the following: [{ReferringPagesPlugin before='*' after='\n' }] ---- * [#1] - [Passwords Technical Overview|https://technet.microsoft.com/en-us/library/hh994558%28v=ws.10%29.aspx|target='_blank'] - based on information obtained 2017-06-21-