In the second half of 2024, the official Microsoft Security Blog published a post responding to calls from the security community: Microsoft plans to phase out the NT LAN Manager (NTLM) authentication protocol in Windows 11, released in the second half of 2024, to improve security.
As reported earlier, Microsoft has taken similar steps before. On October 12 last year, Microsoft proposed a transition plan in an official press release aimed at phasing out NTLM authentication and pushing more enterprises and users to switch to Kerberos. To help enterprises whose applications and services hardcode NTLM and may break once it is turned off, Microsoft provides two authentication functions: IAKerb and a local KDC (Key Distribution Center).
To achieve a smooth transition from NTLM to Kerberos, Microsoft has carried out two important tasks. First, it has expanded the scope of Kerberos: in Windows 11, it has added IAKerb and a local KDC to Kerberos, enabling Kerberos to perform authentication in diverse network environments and for local accounts.
Second, Windows components that hardcode NTLM have been adjusted. These components are being switched to the Negotiate protocol so that Kerberos can be used in place of NTLM. Once migrated to Negotiate, they will be able to support both local and domain account authentication via IAKerb and the local KDC.
NTLM is a Microsoft-specific protocol that uses a challenge/response model to authenticate users and computers. Kerberos, by contrast, is a network authentication protocol that provides authentication for client/server applications through a shared-key system; it does not rely on the host operating system's own authentication and is more secure and reliable. This move by Microsoft will undoubtedly further enhance the security of Windows systems.
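Before NTLM can be disabled, an administrator needs to know which accounts and hosts still depend on it, which is exactly the breakage the article says IAKerb and the local KDC are meant to avoid. The following added example (not code from the article or from Microsoft) tallies Windows Security logon events by authentication package and lists the NTLM dependencies that would need migrating. The event records are constructed sample data whose field names mirror those of Security event 4624 (AuthenticationPackageName, LmPackageName, and so on); in practice they would come from an event log or SIEM export.

```python
"""Audit NTLM vs. Kerberos usage from Windows Security logon events.

Added example: the SAMPLE_EVENTS list is constructed sample data, not real
log output. Field names follow the EventData of Security event 4624
(successful logon); LmPackageName is "-" for non-NTLM logons and
"NTLM V1" / "NTLM V2" when NTLM was used.
"""
from collections import Counter, defaultdict

# Constructed sample events (hypothetical accounts and workstation names).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LmPackageName": "-", "TargetUserName": "alice", "WorkstationName": "WS01"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "svc-backup", "WorkstationName": "FS02"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V1", "TargetUserName": "legacyapp", "WorkstationName": "APP07"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "LmPackageName": "-", "TargetUserName": "bob", "WorkstationName": "WS02"},
    # A failed logon (4625) is excluded from the counts below.
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "-", "TargetUserName": "bob", "WorkstationName": "WS02"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LmPackageName": "NTLM V2", "TargetUserName": "svc-backup", "WorkstationName": "FS02"},
]


def logon_package_counts(events):
    """Count successful logons (event 4624) by authentication package."""
    return Counter(e["AuthenticationPackageName"]
                   for e in events if e["EventID"] == 4624)


def ntlm_share(events):
    """Fraction of successful logons that used NTLM, from 0.0 to 1.0."""
    counts = logon_package_counts(events)
    total = sum(counts.values())
    return counts["NTLM"] / total if total else 0.0


def ntlm_dependencies(events):
    """Map (account, workstation) -> {LmPackageName: count} for NTLM logons.

    Every key is a client/account pair that will stop authenticating once
    NTLM is turned off and therefore needs to move to Kerberos first.
    """
    deps = defaultdict(Counter)
    for e in events:
        if e["EventID"] == 4624 and e["AuthenticationPackageName"] == "NTLM":
            deps[(e["TargetUserName"], e["WorkstationName"])][e["LmPackageName"]] += 1
    return dict(deps)


def ntlm_v1_offenders(events):
    """Sorted (account, workstation) pairs still using NTLMv1.

    NTLMv1 is the weakest variant, so these are the first to migrate.
    """
    return sorted({(e["TargetUserName"], e["WorkstationName"])
                   for e in events
                   if e["EventID"] == 4624 and e.get("LmPackageName") == "NTLM V1"})


if __name__ == "__main__":
    print("Logons by package:", dict(logon_package_counts(SAMPLE_EVENTS)))
    print(f"NTLM share of successful logons: {ntlm_share(SAMPLE_EVENTS):.0%}")
    for (account, host), versions in ntlm_dependencies(SAMPLE_EVENTS).items():
        print(f"  {account}@{host}: {dict(versions)}")
    print("NTLMv1 still in use by:", ntlm_v1_offenders(SAMPLE_EVENTS))
```

Run the script as-is to see the breakdown on the sample data; to audit a real environment, replace SAMPLE_EVENTS with records exported from the Security log and watch for the NTLM share to fall to zero before enforcing the cut-over.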
Published on the PHP Chinese website under the title "Microsoft plans to phase out NTLM in Windows 11 in the second half of 2024 and fully shift to Kerberos authentication".