What is Kerberos?

Kerberos is a network authentication protocol that uses symmetric key cryptography to provide authentication services to client-server applications. It is a ticket-based protocol and requires a trusted third party, known as the key distribution center (KDC), to operate. Initially developed by the Massachusetts Institute of Technology (MIT) for Project Athena, Kerberos is now the default authentication protocol in Windows 2000 and all later versions.

What is NTLM?

New Technology LAN Manager (NTLM) is a suite of Microsoft authentication protocols designed to provide authentication, integrity, and confidentiality for user logons to local machines and other workgroup computers. It is an encrypted challenge-response protocol used to authenticate users without sending their password over the network. NTLM was the preferred authentication protocol in Windows versions earlier than Windows 2000; it was then replaced by Kerberos. Microsoft still supports NTLM to provide backward compatibility.

Difference between Kerberos and NTLM

The following are some of the differences between the two authentication protocols.

How does Kerberos work?

Kerberos is a ticket-based authentication protocol. The principal entities involved in the Kerberos protocol are:

  • Client - The client acts on behalf of the user and initiates the request.
  • Server - The server hosts the services that the user wants to access.
  • Authentication Server (AS) - This server performs client authentication and issues the client a Ticket Granting Ticket (TGT) if authentication is successful.
  • Ticket Granting Server (TGS) - This is an application server that issues service tickets.
  • Database (db) - The authentication server verifies access rights of users in the database.
  • Key Distribution Center (KDC) - The KDC provides authentication and ticket granting services. The AS, TGS and db are a part of KDC.

Step-by-step explanation of Kerberos protocol:

  • When a user attempts to join the network through the client’s interactive logon screen, the client constructs a package called an authenticator, which holds information about the client (username, date, and time). Except for the username, all the information in the authenticator is encrypted with the user’s password.
  • The client then sends the encrypted authenticator to the KDC.
  • The KDC immediately knows the identity of the client that has sent the authenticator by looking at the username. The KDC will then look into its AD database for the user’s password, which is a shared secret. It then decrypts the authenticator with the password. If the KDC is able to decrypt the authenticator using the user's password from the db, it means that the identity of the client is verified.
  • Once the identity of the client is verified, the KDC creates a ticket granting ticket (TGT), which is encrypted using a key that only the KDC knows.
  • The KDC then sends the TGT to the client. The client stores the TGT in its Kerberos tray. It can use this ticket whenever it needs to access a resource on a server on the network (within a typical time limit of eight hours).
  • When the client needs to access another server, it sends the TGT to the KDC along with a request to access the resource.
  • The KDC decrypts the TGT with its key. This step verifies if the client has previously authenticated itself to the KDC.
  • The TGS generates a session ticket for the client to access the shared resource or service. This ticket is encrypted with the server’s key. The KDC then sends this ticket to the client.
  • The client saves this ticket in its Kerberos tray and sends a copy of it to the server it wants to access.
  • The server uses its own password to decrypt the ticket. If the server successfully decrypts the ticket, it knows that the ticket is legitimate.
  • The server will then determine whether the client has the necessary permission to access the resource by looking through the access control list (ACL).
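The flow in the steps above, written out as an added Python example (this is not code from the page or from ADAudit Plus). Everything in it is constructed for illustration: the principal names, passwords, ACL and the eight-hour lifetime, and a toy authenticated cipher built from HMAC-SHA256 stands in for the real Kerberos encryption types. It shows the three checks a practitioner should recognise in the steps: a wrong password makes the authenticator undecryptable at the KDC, a ticket only opens with the key it was sealed with, and a valid ticket still goes through the server's ACL.

```python
import hashlib
import hmac
import json
import os
import time

# Toy authenticated cipher (constructed for this example; real Kerberos uses
# AES or RC4 encryption types). Keystream = HMAC-SHA256(key, nonce||counter);
# a second HMAC over nonce||ciphertext detects a wrong key or tampering.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(password):
    # Long-term key derived from the password: the shared secret stored in the KDC db
    return hashlib.sha256(password.encode()).digest()

class KDC:
    """Authentication Server, Ticket Granting Server and database in one object."""
    def __init__(self, users, services, lifetime=8 * 3600):
        self.db = {u: key_from_password(p) for u, p in users.items()}
        self.services = {s: key_from_password(p) for s, p in services.items()}
        self.kdc_key = os.urandom(32)          # known only to the KDC
        self.lifetime = lifetime               # the page's typical eight-hour limit

    def authenticate(self, username, authenticator):
        # AS exchange: the username is plaintext, the rest must decrypt with the
        # user's stored key; a wrong password means the decryption (MAC) fails.
        key = self.db.get(username)
        if key is None:
            raise PermissionError("unknown principal")
        try:
            auth = decrypt(key, authenticator)
        except ValueError:
            raise PermissionError("authenticator did not decrypt: bad password")
        if abs(time.time() - auth["timestamp"]) > 300:
            raise PermissionError("authenticator timestamp outside skew window")
        return encrypt(self.kdc_key, {"user": username, "expires": time.time() + self.lifetime})

    def service_ticket(self, tgt, service):
        # TGS exchange: decrypting the TGT with the KDC key proves prior authentication
        try:
            t = decrypt(self.kdc_key, tgt)
        except ValueError:
            raise PermissionError("invalid TGT")
        if time.time() > t["expires"] or service not in self.services:
            raise PermissionError("expired TGT or unknown service")
        ticket = {"user": t["user"], "service": service, "expires": time.time() + self.lifetime}
        return encrypt(self.services[service], ticket)   # sealed with the server's key

class Server:
    def __init__(self, name, password, acl):
        self.name, self.key, self.acl = name, key_from_password(password), set(acl)

    def access(self, ticket):
        try:
            t = decrypt(self.key, ticket)
        except ValueError:
            return "rejected: not encrypted with this server's key"
        if t["service"] != self.name or time.time() > t["expires"]:
            return "rejected: ticket not valid for this service"
        if t["user"] not in self.acl:        # authentication is not authorization
            return "denied: %s not in ACL" % t["user"]
        return "granted: %s" % t["user"]

def client_login(kdc, username, password):
    # Steps 1-2: build the authenticator; everything but the username is encrypted
    authenticator = encrypt(key_from_password(password), {"timestamp": time.time()})
    return kdc.authenticate(username, authenticator)

if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery"}, {"fileserver": "srv-secret"})
    fs = Server("fileserver", "srv-secret", acl=["alice"])
    tgt = client_login(kdc, "alice", "correct horse battery")
    print(fs.access(kdc.service_ticket(tgt, "fileserver")))
```

The KDC never sees the password itself in the exchange: it only checks that the authenticator opens with the key it already holds, which is why the timestamp check matters (an old authenticator replayed later is rejected even though it decrypts correctly).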

How does NTLM work?

NTLM is a challenge-response authentication protocol. The principal entities involved in the NTLM protocol are:

  • Client - The client acts on behalf of the user and initiates the request.
  • Server - The server hosts the services that the user wants to access.
  • Domain controller - The domain controller performs the authentication process on behalf of the server.

Step-by-step explanation of NTLM protocol:

  • User provides the username, password, and domain name at the interactive logon screen of a client.
  • The client computes a hash of the user’s password and discards the actual password.
  • The client sends the username in plain text to the server it wants to access.
  • The server sends a challenge to the client. This challenge is a 16-byte random number. In NTLMv2, a variable-length challenge is employed.
  • The client then sends a response to the server. This response is the challenge encrypted with the hash of the user’s password.
  • The server sends the challenge, response, and username to the domain controller (DC).
  • The DC retrieves the hash of the user’s password from its database, and then encrypts the challenge using it.
  • The DC compares the encrypted challenge it has computed (in the above step) to the response of the client. If these two match, the user is authenticated.
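The same eight steps as an added Python model (not code from the page or from ADAudit Plus). It is deliberately simplified: the "challenge encrypted with the hash of the user's password" is modelled as HMAC-SHA256 keyed by a password hash, whereas real NTLM uses MD4-based NT hashes with DES or HMAC-MD5; the usernames, passwords and challenge size are constructed. What it shows is the shape of the exchange: the network carries only the username, the challenge and the response, the client never sends the hash, and the DC recomputes the response from the stored hash and compares in constant time.

```python
import hashlib
import hmac
import os

def password_hash(password):
    # Step 2: the client hashes the password and discards the plaintext.
    # Constructed stand-in for the NT hash (real NTLM: MD4 over UTF-16LE).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash, challenge):
    # Steps 5 and 7: identical computation on the client and on the DC
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class DomainController:
    def __init__(self, users):
        self.db = {u: password_hash(p) for u, p in users.items()}   # stores hashes only

    def verify(self, username, challenge, response):
        # Steps 7-8: recompute from the stored hash and compare with the client's response
        stored = self.db.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(compute_response(stored, challenge), response)

class Server:
    """The resource server; it holds no password material and defers to the DC."""
    def __init__(self, dc):
        self.dc = dc

    def new_challenge(self):
        return os.urandom(16)          # step 4: 16-byte random challenge

    def authenticate(self, username, challenge, response):
        return self.dc.verify(username, challenge, response)   # step 6: forwarded to the DC

class Client:
    def __init__(self, username, password):
        self.username = username       # step 3: sent in plain text
        self.pw_hash = password_hash(password)

    def respond(self, challenge):
        return compute_response(self.pw_hash, challenge)       # step 5

def ntlm_logon(server, client):
    """One complete exchange; returns True when the DC accepts the response."""
    challenge = server.new_challenge()
    response = client.respond(challenge)
    return server.authenticate(client.username, challenge, response)

if __name__ == "__main__":
    dc = DomainController({"alice": "correct horse battery"})
    srv = Server(dc)
    print(ntlm_logon(srv, Client("alice", "correct horse battery")))   # True
    print(ntlm_logon(srv, Client("alice", "wrong password")))          # False
```

Two defensive observations fall out of the model: a response is only valid for the challenge it was computed over, so a recorded response does not satisfy a fresh challenge; and the stored hash is itself the secret the DC compares against, so it has to be protected as carefully as the password it replaces.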

Security

From a security standpoint, Kerberos is considered more secure than NTLM. NTLM requires a point-to-point connection between the web browser and server in order to function properly, while Kerberos's use of tickets to prove users' identity without transmitting the password over the network makes it more secure. Kerberos also doesn't cache passwords on the local user's hard disk. Additionally, Kerberos supports smart card logon, a security feature that relies on two-factor authentication and provides stronger authentication than password logon.

Delegation support

Kerberos supports both impersonation and delegation, while NTLM does not support delegation. Impersonation is the ability of a server application to take on the identity of the client. When the server accepts a client connection, it impersonates the client so that access checks are performed using the client's credentials. Delegation is also known as authentication forwarding. Delegation enables a service to access remote resources on behalf of a client. For example, user A can give an intermediary machine B the right to authenticate to an application server C as if machine B were user A. This means that application server C will base its authorization decisions on user A's identity rather than on machine B's account.

Authentication

One of the key features of the Kerberos protocol is that it allows mutual authentication, i.e., the authenticity of both client and server is verified. The NTLM challenge-response mechanism only provides client authentication, which means clients might provide their credentials to a bogus server.

Simplify Kerberos and NTLM auditing and reporting with ADAudit Plus.

ADAudit Plus is a comprehensive Active Directory auditing solution that helps you monitor and audit local logons and logoffs by domain users. It can also track other critical events that can lead to network disruptions.

ADAudit Plus simplifies Kerberos and NTLM authentication activity tracking with a predefined Logon Activity report, along with graphical views of the same data for easier comprehension. It also lets you generate custom reports and export them in your preferred format (PDF, XLS, HTML, and CSV).

Steps to track Kerberos and NTLM authentication with ADAudit Plus

Once ADAudit Plus has been installed, it can automatically configure audit policies required for Active Directory auditing. To enable automatic configuration: Log in to the ADAudit Plus web console → Domain Settings → Audit Policy: Configure.

Authentication events can be monitored by following the steps below:
  • Log in to ADAudit Plus.
  • Select the required domain from the dropdown list.
  • Go to the Reports tab.
  • Navigate to Local Logon-Logoff.
  • Select the Logon Activity report and look for the Authentication Package column.

You can use this report to ascertain if secure authentication protocols like Kerberos or NTLMv2 are being used. In case there are users in the organization who use outdated authentication protocols such as NTLMv1 or LAN Manager, that information will be displayed. You can then take the necessary steps to correct this.
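The same triage the report supports, done over raw logon events as an added Python example (not code from the page or from ADAudit Plus). The records are constructed samples modelled on the EventData fields of Windows security event 4624 (successful logon): AuthenticationPackageName is what the report shows as the Authentication Package column, and LmPackageName ("Package Name (NTLM only)") tells NTLM V1, NTLM V2 and LM apart. The account and workstation names are made up. It generalizes the page's criteria slightly by reporting anything that is neither Kerberos nor a recognised NTLM level as "unknown" so that it is reviewed rather than silently passed.

```python
from collections import Counter

# Constructed sample of 4624 EventData fields; not real log data.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "alice", "WorkstationName": "WS01",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "WorkstationName": "APP03",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "legacy_scanner", "WorkstationName": "PRN07",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "old_nas", "WorkstationName": "NAS01",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "LM"},
    {"EventID": 4624, "LogonType": 2, "TargetUserName": "bob", "WorkstationName": "WS02",
     "AuthenticationPackageName": "Negotiate", "LmPackageName": "-"},
]

# The outdated protocols the page says the report will surface
WEAK_PACKAGES = {"NTLM V1", "LM"}

def classify(event):
    """Return 'kerberos', 'ntlmv2', 'weak' or 'unknown' for one 4624 record."""
    if event.get("EventID") != 4624:
        return "unknown"
    pkg = event.get("AuthenticationPackageName", "")
    sub = event.get("LmPackageName", "-")
    if pkg == "Kerberos":
        return "kerberos"
    if pkg == "NTLM":
        if sub == "NTLM V2":
            return "ntlmv2"
        if sub in WEAK_PACKAGES:
            return "weak"
    # Negotiate without package detail, or anything unexpected: review separately
    return "unknown"

def find_weak_logons(events):
    """(account, workstation, package) for logons still using NTLMv1 or LAN Manager."""
    return sorted({(e["TargetUserName"], e["WorkstationName"], e["LmPackageName"])
                   for e in events if classify(e) == "weak"})

def summarize(events):
    """Logon counts per effective protocol, the per-package view the report gives."""
    return dict(Counter(classify(e) for e in events))

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for user, host, pkg in find_weak_logons(SAMPLE_EVENTS):
        print("fix: %s on %s still authenticates with %s" % (user, host, pkg))
```

The workstation name is kept alongside the account because the remediation is usually on the device (an old appliance or a service configured for LM compatibility) rather than the user; sorting the tuples makes repeated runs diffable.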

ADAudit Plus comes bundled with more than 200 predefined reports that make AD auditing easier. The solution also sends real-time alerts for critical events, helps you secure your network from threats, and boosts your IT security posture.
