In Active Directory (AD), two authentication protocols can be used, which are Kerberos and NTLM. At present, Kerberos is the default authentication protocol in Windows. NTLM is an authentication protocol and was the default protocol used in older versions of windows.
Note: The NTLM protocol is still used today and supported in Windows Server.
- NT LAN Manager (NTLM): This is a challenge-response authentication protocol that was used before Kerberos became available. However, an organization may still have servers that use NTLM.
- Kerberos: Kerberos is an authentication protocol. It’s the default authentication protocol on Windows versions since Windows 2000 replacing the NTLM authentication protocol. This protocol works on the basis of tickets and requires the presence of a trusted party. See this link for more information https://web.mit.edu/kerberos/
Before digging dip into the authentication process of both NTLM and Kerberos, the table below gives a comparison for both protocols.
Kerberos was developed at the Massachusetts Institute of Technology and currently the most most widely used technology for Authentication and Authorization in computer networks. The below diagram is how the Kerberos authentication flow work.
The three heads of Kerberos are represented in the protocol by a client seeking authentication, a server the client wants to access, and the key distribution center (KDC).
The KDC is the trusted third party that authenticates users and is the domain controller that AD is running on. Here are the step involved in Kerberos authentication:
1: A user login to the client machine. The client does a plaintext request (TGT). The message contains: (ID of the user; ID of the requested service (TGT); The Client Net address (IP); validation lifetime)
2: The Authentication Server will check if the user exists in the KDC database. If the user is found, it will randomly generate a key (session key) for use between the user and the Ticket Granting Server (TGS).
The Authentication Server will then send two messages back to the client:
- One is encrypted with the TGS secret key.
- One is encrypted with the Client secret key.
Note: The TGS Session Key is the shared key between the client and the TGS. The Client secret key is the hash of the user credentials (username+password).
3: The client decrypts the key and can logon, caching it locally. It also stores the encrypted TGT in his cache.
When accessing a network resource, the client sends a request to the TGS with the resource name he wants to access, the user ID/timestamp and the cached TGT.
4 - The TGS decrypts the user information and provides a service ticket and a service session key for accessing the service and sends it back to the Client once encrypted.
5: The client sends the request to the server (encrypted with the service ticket and the session-key).
6: The server decrypts the request and if it is genuine, it provides service access.
Here’s a step-by-step description of how NTLM authentication work
Due to recent vulnerability discovered in ZOOM, please take a look in how to mitigate the issue. Here are the steps used in preventing windows from automatically sending your credentials to a remote server (when accessing a share). https://techdirectarchive.com/2020/04/01/how-to-prevent-ntlm-credentials-from-being-sent-to-remote-servers/
1: A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password. The client sends the user name to the server (in plaintext).
2: The server generates a 16-byte random number, called a challenge, and sends it back to the client.
3: The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
4: The server sends the following three items to the domain controller:
- User Name
- Challenge sent to the client
- Response received from the client
5: The domain controller uses the user name to retrieve the hash of the user's password. It compares the encrypted challenge with the response by the client (in step 4). If they are identical, authentication is successful, and the domain controller notifies the server.
6: The server then sends the appropriated response back to the client.
For other reference links which I considered when reviewing Kerberos and NTLM authentication process, see the below links