
NTLM

What's NTLM and why is it relevant?

What is NTLM?

NTLM (NT LAN Manager) is an authentication protocol developed by Microsoft for Windows.

It is a challenge-response protocol: the client proves it knows the user's password hash without ever sending the password (or the hash) over the wire.

How Does It Work?

  1. A user wants to access a resource (for example an SMB share) and provides a username and password for it
  2. The client computes the NT hash of the password (MD4 over the UTF-16LE encoding) and keeps it in memory
  3. The client sends a NEGOTIATE message to the resource (the server)
  4. The server responds with a CHALLENGE message containing a random nonce
  5. The client sends an AUTHENTICATE message containing the challenge "answer", computed from the nonce and the NT hash
  6. The server does not hold the user's hash, so it forwards the username, challenge and answer to a DC (pass-through authentication over the Netlogon secure channel)
  7. The DC (the AD identity provider) looks up the account's stored NT hash, recomputes the expected answer and compares; a match proves the client used the correct hash, hence the correct password
  8. On success the user is granted access

1. Challenge

  • The challenge is a random 8-byte (64-bit) nonce generated by the server; it must be fresh for every authentication, otherwise a captured answer could simply be replayed
  • How the answer is derived depends on the version: in NTLMv1 it is the challenge encrypted with DES under three keys derived from the 16-byte NT hash; in NTLMv2 it is an HMAC-MD5, keyed with a hash derived from the NT hash plus the username and domain, over the server challenge and a client-supplied blob (timestamp, client nonce, target info)

2. Response

Once the username, challenge and answer reach the DC, the DC verifies the answer by recomputing it from the NT hash stored in its database and comparing the two. The password itself is never transmitted; only knowledge of the hash is proven, which is exactly why pass-the-hash works against NTLM.

Is It Secure?

  • NTLMv2 is acceptable for now, but it still has structural weaknesses: there is no mutual authentication, a captured challenge/response pair can be brute-forced offline, and NTLM relay and pass-the-hash remain possible. The general recommendation is to use Kerberos wherever possible
  • NTLMv1 is not secure: the response is DES with 56-bit keys over the challenge, and a captured NTLMv1 challenge/response can be cracked back to the NT hash itself

Does It Have A Session Lifetime Like Kerberos?

No. There is no ticket to reuse: every new connection to a resource re-authenticates from scratch, and on a domain each of those authentications is forwarded to a DC again.

What Ports Are Used With This Protocol?

NTLM has no port of its own: it is carried inside whichever application protocol is doing the authentication (SMB on 445, HTTP, LDAP, RPC). The pass-through step from the server to the DC goes over the Netlogon RPC interface on a dynamically assigned high port, and the DC services those calls through a limited pool of concurrent requests (MaxConcurrentApi), so heavy NTLM load is a well-known DC bottleneck.

That is one more reason this protocol is not recommended.
