NTLM / Kerberos Authentication Mechanism

Overview

    Windows Challenge/Response(NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

    The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.

    Windows authentication uses either Kerberos authentication or NTLM authentication, depending upon the client and server configurations.

NTLM Authentication:

  • The NEGOTIATE_MESSAGE defines an NTLM Negotiate message that is sent from the client to the server. This message allows the client to specify its supported NTLM options to the server.
  • The CHALLENGE_MESSAGE defines an NTLM challenge message that is sent from the server to the client and it is used by the server to challenge the client to prove its identity.
  • The AUTHENTICATE_MESSAGE defines an NTLM authenticate message that is sent from the client to the server after the CHALLENGE_MESSAGE is processed by the client.

KERBEROS PROTOCOL:

  • Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
  • Message B: Ticket-Granting-Ticket encrypted using the secret key of the TGS.
  • Message C: Composed of the TGT from message B and the ID of the requested service.
  • Message D: Authenticator encrypted using the Client/TGS Session Key.
  • Message E: client-to-server ticket encrypted using the service's secret key.
  • Message F: Client/Server Session Key encrypted with the Client/TGS Session Key.
  • Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted using Client/Server Session Key.
  • Message H: the timestamp found in the client's Authenticator encrypted using the Client/Server Session Key.