!!! Overview[1]

[{$pagename}] ([NTLM]) (not to be confused with [LAN Manager]) is a [Microsoft] [authentication protocol|Authentication Method] used with the [SMB] protocol. [{$pagename}] was followed by [NTLMv2], at which time the original was renamed [NTLMv1].

%%warning
The security of [NTLMv1], [NTLMv2] and [MD4], and therefore of all versions of [{$pagename}], has been __severely__ compromised; they are considered [Cryptographically Weak] and lack [Collision Resistance].
%%

The NT LAN Manager [Authentication Protocol] is defined in [MS-NLMP|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/a4f28e01-3df1-4fd1-80b2-df1fbc183f21]. The NT LAN Manager (NTLM) [Authentication Protocol] is used for [authentication] between clients and servers.

[Kerberos] [authentication], as extended by the Kerberos Protocol Extensions ([MS-KILE|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9]), provides additional capability for authorization information including group memberships, interactive logon information and message [integrity], as well as constrained [delegation] and encryption supported by Kerberos principals, and replaces [{$pagename}] as the [preferred authentication protocol|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/a211d894-21bc-4b8b-86ba-b83d0c167b00#Appendix_A_1]. However, NTLM can be used when the Kerberos Protocol Extensions (KILE) do not work, such as in the following scenarios:
* One of the machines is not [Kerberos]-capable.
* The server is not joined to a [domain|AD DOMAIN].
* The KILE configuration is not set up correctly.
* The implementation chooses to directly use NLMP.

[MS-CHAP] is similar and is used for [authentication] with Microsoft remote access protocols.

During [protocol] negotiation, the internal name is [NTLM] 0.12. The version number 0.12 has not been explained.
It is the successor of LANMAN (Microsoft LAN Manager), an older Microsoft authentication protocol, and attempted to be backwards compatible with LANMAN. Before official documentation of the [protocol] was available, it was analyzed by the [Samba] team through network analysis.

The [cryptographic] calculations are identical to those of [MS-CHAP] and are documented in [RFC 2433] for v1 and [RFC 2759] for v2. Both [MS-CHAP] v1 and v2 have been analyzed; [Bruce Schneier], Peiter "Mudge" Zatko and David Wagner, among other researchers, found weaknesses in both [protocols].[1] Still, both [protocols] remain in widespread use.

!! [NTLM] and modern Windows versions

Microsoft adopted [Kerberos] as the preferred [authentication] [protocol] for [Windows Server 2000] and [Windows Server 2003] [Microsoft Active Directory] domains. [Kerberos] is typically used when a client belongs to an [AD DOMAIN], or when a trust relationship with an [AD DOMAIN] is established in some other way (such as [Linux] to Windows AD authentication).

! [NTLM] is still used in the following situations:
* The client is authenticating to a server using an [IP Address].
* The client is authenticating to a server that belongs to a different [AD Forest], or does not belong to an [AD DOMAIN].
* No Active Directory domain exists (commonly referred to as "workgroup" or "peer-to-peer").
* A [firewall] would otherwise restrict the ports required by [Kerberos] (of which there are quite a few).

Starting with [Windows Vista], and also with [Windows Server 2008], both LAN Manager and [{$pagename}] are deprecated by default. [{$pagename}] is still supported for inbound authentication, but for outbound [authentication] a newer version of [{$pagename}], called [NTLMv2], is sent by default instead. Prior versions of Windows (back as far as Windows NT 4.0 Service Pack 4) could be configured to behave this way, but it was not the default.
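The send/accept behaviour described in this section is governed by the LmCompatibilityLevel registry value behind the Group Policy setting "Network security: LAN Manager authentication level". The following PowerShell audit snippet is an added example, not code from the original page: it reads that value and reports whether the host still sends or accepts LM and NTLMv1 responses. The level-to-meaning mapping is Microsoft's documented one; the registry path and value name are the ones Windows uses; treating an absent value as level 3 is an assumption that matches the Vista / Server 2008 default.

```powershell
# Added example: audit the LAN Manager authentication level of this host.
# Reads HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel, the registry
# value behind "Network security: LAN Manager authentication level" in Group Policy.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Meaning of each level, as documented by Microsoft for the policy setting.
$LevelMeaning = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityReport {
    $item = Get-ItemProperty -Path $LsaKey -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value not set: assume the OS default (3 on Windows Vista / Server 2008).
        $level  = 3
        $source = 'OS default (value not set)'
    } else {
        $level  = [int]$item.LmCompatibilityLevel
        $source = 'registry'
    }

    [pscustomobject]@{
        Level         = $level
        Meaning       = $LevelMeaning[$level]
        Source        = $source
        SendsLm       = ($level -le 1)   # levels 0-1 still send the LM response
        SendsNtlmv1   = ($level -le 2)   # levels 0-2 send LM and/or NTLMv1 responses
        AcceptsLm     = ($level -le 3)   # levels 0-3 still accept an inbound LM response
        AcceptsNtlmv1 = ($level -le 4)   # levels 0-4 still accept an inbound NTLMv1 response
    }
}

$report = Get-LmCompatibilityReport
$report | Format-List

if ($report.SendsNtlmv1) {
    Write-Warning "Host still sends LM/NTLMv1 responses (level $($report.Level)); set LmCompatibilityLevel to 3 or higher."
}
```

Run it in an elevated PowerShell session on the host being audited; the AcceptsLm and AcceptsNtlmv1 flags describe what the level permits, independent of whether an LM hash is actually stored.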
Technically speaking, the computer will accept LM for inbound authentication, but by default neither Windows Vista nor Windows Server 2008 stores the LM hash. Therefore there is no way for them to authenticate an inbound LM response; the typical error message is "System error 86 has occurred. The specified network password is not correct."

You can control the authentication behavior, starting with Windows NT 4.0 Service Pack 4, using the LMCompatibilityLevel registry setting, shown in Group Policy as "Network Security: LAN Manager Authentication Level". The default value for LMCompatibilityLevel in Windows Vista and Windows Server 2008 is 3, or "Send NTLMv2 Response Only".

!! [NT LAN Manager Vulnerabilities]

[NT LAN Manager Vulnerabilities] shows some of the vulnerabilities of using [NT LAN Manager] ([NTLM]).

!! More Information

There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [NT LAN Manager|Wikipedia:NT_LAN_Manager|target='_blank'] - based on information obtained 2013-05-17
* [#2] - [MS-NLMP|https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/a4f28e01-3df1-4fd1-80b2-df1fbc183f21|target='_blank'] - based on information obtained 2021-08-16