Windows NT LAN Manager (NTLM) is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring that the client perform a mathematical operation using its authentication token, and then return the result of this operation to the service. The service may validate the result or send it to the Domain Controller (DC) for validation. If the service or DC confirm that the client’s response is correct, the service allows access to the client.
NTLM is a type of single sign-on (SSO) because it allows the user to provide the underlying authentication factor only once, at login.
The NTLM protocol suite is implemented in a Security Support Provider (SSP), a Win32 API used by Microsoft Windows systems to perform a variety of security-related operations such as authentication. The NTLM protocol suite includes LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols.
NTLM is widely deployed, even on new systems, to maintain compatibility with older systems, but is no longer recommended for use by Microsoft because NTLM does not support current cryptographic methods, such as AES or SHA-256. Microsoft adopted Kerberos as the preferred authentication protocol for Windows 2000 and subsequent Active Directory domains.
Ready to learn more about our innovative passwordless solution?
Register for the Monthly Demo
