EXPLAINER | IDENTITY SECURITY
Updated 8 min read

Kerberos vs NTLM: The Practical Difference Every Windows Admin Should Know

1993
Year Kerberos v5 was standardized: still the current version and default Windows domain authentication protocol
10 hours
Default Kerberos TGT lifetime: the window before an attacker must renew a stolen ticket
0
Credentials transmitted over the network in a Kerberos authentication: the protocol is designed to prove identity without sending secrets
3
NTLM attack techniques actively exploited in 2025: pass-the-hash, NTLM relay, and NTLMv2 hash capture for offline cracking

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

When a Windows machine authenticates to a domain resource, it uses either Kerberos or NTLM. Most administrators know that 'Kerberos is better and NTLM is bad': but without understanding why and when each one is used, you cannot accurately assess your attack surface or understand why certain attacks succeed in your environment.

This matters directly for the detections you build: pass-the-hash attacks use NTLM, Kerberoasting uses Kerberos, NTLM relay exploits NTLM. Knowing the difference tells you what is possible where.

How Kerberos Works

Kerberos authentication involves three parties: the client, the Key Distribution Center (the domain controller), and the service the client wants to access.

Step 1: Client authenticates to the KDC (AS-REQ / AS-REP). The client sends an AS-REQ (Authentication Service Request) to the domain controller's KDC. The request proves the client's identity by encrypting a timestamp with the user's password hash. The KDC decrypts the timestamp, verifies the user's identity, and returns an AS-REP containing a Ticket-Granting Ticket (TGT): a time-limited token that proves the client authenticated successfully.

The user's password hash never leaves the client machine. The KDC proves the client knows the hash by verifying the encrypted timestamp.

Step 2: Client requests a service ticket (TGS-REQ / TGS-REP). When the client wants to access a specific service (a file share, a web application, a SQL server), it presents its TGT to the KDC and requests a service ticket for that specific resource. The KDC issues a service ticket encrypted with the target service's account hash: only the service can decrypt it.

Step 3: Client presents the service ticket to the target. The client presents the service ticket to the target service. The service decrypts it, verifies the authentication, and grants access. The domain controller is not involved in this final step: after the tickets are issued, the KDC is out of the picture.

Security properties: Credentials never traverse the network. Service tickets are time-limited (default 10 hours). Tickets are service-specific: a ticket for the file server cannot be used for the SQL server.

Kerberos attack surface: Kerberoasting exploits the fact that service tickets are encrypted with the service account's hash. An attacker who requests a service ticket for an account with a SPN can attempt to crack the service account's password offline. AS-REP roasting exploits accounts configured with 'Do not require Kerberos preauthentication': these return an encrypted AS-REP without requiring the client to prove identity first, allowing the encrypted blob to be cracked offline.

How NTLM Works

NTLM is a challenge-response protocol: the server proves the client knows the correct password hash without the client sending the hash directly.

Step 1: Client sends a NEGOTIATE message. The client initiates authentication by sending an NTLM NEGOTIATE message to the target server.

Step 2: Server sends a CHALLENGE. The server generates a random 8-byte challenge and sends it to the client.

Step 3: Client sends a AUTHENTICATE response. The client computes a response by running the NTLM hash through an encryption function with the server's challenge. The result is sent as the AUTHENTICATE message. The client never sends the NTLM hash directly.

Step 4: Server verifies the response. The server passes the client's response to the domain controller (or verifies locally for local accounts). If the DC confirms the response is valid for that user's hash and that challenge, authentication succeeds.

Security properties: The password hash is not transmitted, but the challenge-response exchange can be attacked in two ways:

  • Pass-the-hash: If an attacker obtains the NTLM hash (from LSASS, SAM, or ntds.dit), they can generate valid AUTHENTICATE responses without knowing the plaintext password. Authentication succeeds because the server only verifies the hash, not the password.
  • NTLM relay: An attacker intercepts the NTLM challenge from a legitimate server and relays it to the client. The client computes a valid response to the relayed challenge. The attacker relays that response to the original server, completing authentication as the victim user: without ever obtaining the hash.

When Windows uses NTLM instead of Kerberos:

  • Authentication to a system by IP address instead of hostname (no SPN lookup possible for bare IPs)
  • Authentication to a non-domain-joined system
  • Authentication to a domain-joined system where the SPN is not correctly registered
  • Legacy applications configured to use NTLM explicitly
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Determining Which Protocol Is In Use

Knowing which protocol fires in a given scenario is important for attack surface assessment.

Check via Windows Security event log:

On the destination machine, Event ID 4624 (successful logon) includes the AuthenticationPackageName field:

  • Kerberos: Kerberos was used
  • NTLM: NTLM was used
  • Negotiate: the system negotiated between the two and typically settled on Kerberos

Force Kerberos vs NTLM to test:

:: This uses Kerberos (hostname lookup enables SPN resolution)
net use \\SERVER01\share

:: This forces NTLM (IP address, no SPN lookup)
net use \\192.168.1.10\share

Check which services are using NTLM in your environment:

# Query Windows NTLM operational log (shows inbound NTLM authentications)
Get-WinEvent -LogName "Microsoft-Windows-NTLM/Operational" | 
    Where-Object { $_.Id -eq 8004 } | 
    Select-Object -First 20 -Property TimeCreated, Message

Event ID 8004 in the NTLM operational log shows inbound NTLM authentications to the machine: useful for identifying applications and services that are still using NTLM and should be migrated to Kerberos.

Why NTLM Persists and How to Reduce It

Despite Kerberos being more secure, NTLM persists in every Windows environment because:

  1. IP-address-based connections: Many applications connect to backend services by IP. NTLM is the only option when there is no hostname for SPN lookup. Fix: use hostnames instead of IPs in application configuration.

  2. Missing or broken SPNs: If a service's SPN is not registered in AD, Kerberos cannot generate a service ticket for it: Windows falls back to NTLM. Fix: audit SPNs with setspn -L ACCOUNTNAME and register missing SPNs.

  3. Local account authentication: NTLM is always used for local (non-domain) account authentication. Fix: use domain accounts for services instead of local accounts.

  4. Legacy application configuration: Some applications have NTLM hardcoded. Fix: check vendor documentation for Kerberos support and upgrade where possible.

Reducing NTLM without breaking things:

Do not block NTLM globally without testing: this will break things immediately. The safe approach:

  1. Enable the NTLM operational log and review which applications are using NTLM (Event ID 8001 for outbound, 8004 for inbound)
  2. Fix the root cause for each application (IP-to-hostname, missing SPN, local account replacement)
  3. Use Group Policy to set 'Network security: Restrict NTLM' to 'Audit all' first, which logs but does not block
  4. After 30 days of audit with no unresolved applications, consider moving to 'Deny all' for specific server types where NTLM should never occur (domain controllers, for example)

The bottom line

Kerberos is ticket-based: credentials never cross the network, making it resistant to credential relay attacks. NTLM is challenge-response: the hash can be relayed or replayed in pass-the-hash attacks. NTLM fires when Kerberos cannot: IP-address connections, missing SPNs, local account authentication, and legacy application configuration. Reducing NTLM requires identifying its root causes per application before any protocol restriction: audit with Event ID 8004 in the NTLM operational log, fix root causes, and restrict gradually.

Frequently asked questions

What is the difference between Kerberos and NTLM authentication?

Kerberos uses time-limited tickets issued by the domain controller: credentials never traverse the network, and tickets are service-specific. NTLM uses a challenge-response mechanism where the client proves knowledge of a password hash: the hash is not sent directly, but it can be relayed or replayed in pass-the-hash attacks. Kerberos is the default for domain-joined systems; NTLM is the fallback for IP connections, missing SPNs, and local accounts.

When does Windows use NTLM instead of Kerberos?

Windows uses NTLM when Kerberos cannot complete authentication: connecting by IP address instead of hostname (no SPN lookup), connecting to a non-domain-joined system, authenticating with a local account, when the service's SPN is not registered in Active Directory, or when an application is explicitly configured to use NTLM.

Why is NTLM authentication considered insecure?

NTLM is vulnerable to three attack classes. Pass-the-hash: attackers capture NTLM hashes from memory with tools like Mimikatz and authenticate without knowing the plaintext password. NTLM relay: attackers intercept an authentication challenge and relay it to a target server, authenticating as the victim (e.g., PetitPotam, PrintNightmare relay). Offline brute force: captured Net-NTLMv2 hashes can be cracked offline since they contain enough information to test password guesses. Kerberos avoids all three: tickets are service-specific, not replayable, and credentials never traverse the network.

How do I block NTLM authentication in Active Directory?

Use Group Policy to restrict NTLM: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: Restrict NTLM. Start with Audit mode (set to 'Audit all') and review Event ID 8004 in the NTLM operational log to identify services still using NTLM before enabling Block mode. Common NTLM dependencies include legacy applications, printers, and network-attached storage devices. For modern environments, disabling NTLM across the domain requires Kerberos SPNs to be correctly registered for all services.

What is a Kerberos SPN and why does it matter for security?

A Service Principal Name (SPN) is a unique identifier for a service instance that clients use to request a Kerberos service ticket. SPNs must be registered for services that require Kerberos authentication. Missing SPNs cause Windows to fall back to NTLM, increasing attack surface. Misconfigured or duplicate SPNs cause authentication failures or Kerberoasting vulnerability (service accounts with SPNs can have their ticket-encrypted passwords cracked offline). Audit SPNs with: Get-ADUser -Filter {ServicePrincipalName -ne '$null'} -Properties ServicePrincipalName.

What is NTLM relay and how does it exploit the NTLM authentication protocol's design weaknesses?

NTLM relay exploits the fact that NTLM authentication is a three-message challenge-response protocol that authenticates a server to a client but does not cryptographically bind the authentication to the specific session or service. An attacker positioned between a client and server can intercept the NTLM negotiation (Negotiate, Challenge, Authenticate messages) and relay them to a different target server in real time. The attacker never sees the plaintext password -- they act as a transparent intermediary, forwarding messages to both parties. The attacked server believes the authentication came from the legitimate client and grants access under that user's privileges. Common attack flows: Responder captures NTLM authentication triggered by broadcast protocols (LLMNR, NBT-NS) and relays them to SMB or LDAP on servers where the victim has admin rights. Ntlmrelayx automates this, often creating new domain admin accounts or extracting NTLM hashes from SAM via the relayed authentication. Primary defenses: disable LLMNR and NBT-NS to prevent hash capture triggers, enable SMB signing on all servers (makes relay to SMB fail), enable LDAP signing and channel binding (makes relay to LDAP fail), and enable Extended Protection for Authentication (EPA) on IIS/Exchange (prevents HTTP relay). NTLM relay is substantially mitigated by a combination of these controls; Kerberos-only environments eliminate it entirely.

Sources & references

  1. Microsoft: Kerberos Authentication Overview
  2. Microsoft: NTLM Overview
  3. MITRE ATT&CK T1550.002: Pass the Hash

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.