
Performance Testing : NTLM


Microsoft NTLM

Windows NT Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows NT operating system and on stand-alone systems. NTLM stands for Windows NT LAN Manager, a name chosen to distinguish this more advanced challenge/response-based protocol from its weaker predecessor LAN Manager (LM).

Beginning with Windows 2000, the Microsoft Kerberos security package provides stronger security for networked systems than NTLM. Although Kerberos is the protocol of choice for Windows 2000 networks, NTLM is still supported and must be used for network authentication whenever the network includes systems running versions of Windows NT earlier than Windows 2000. NTLM must also be used for logon authentication on stand-alone systems, that is, for local accounts.

NTLM credentials are established during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password (the NT hash, an MD4 digest of the password encoded as UTF-16LE). NTLM uses a challenge/response protocol to authenticate a user without sending the user's password over the wire: the system requesting authentication must instead perform a calculation that proves it holds the hash. The consequence for defenders is that the response is derived from the hash alone, so anyone who obtains the hash can authenticate as the user without ever learning the password; the hash must be protected as if it were the password.

Interactive NTLM authentication over a network typically involves two systems: a client, where the user is requesting authentication, and a domain controller, which holds the user's password hash. Noninteractive authentication, which may be required to let an already logged-on user access a resource such as a server application, typically involves three systems: a client, a server, and a domain controller that performs the authentication calculations on behalf of the server, since the server itself does not hold the user's hash.

The following steps outline NTLM noninteractive authentication.
Note: the first item provides the user's NTLM credentials and occurs as part of the interactive authentication (logon) process.

Your application should not access the NTLM security package directly; instead, it should use the Negotiate security package.
Negotiate lets your application take advantage of more advanced security protocols when the systems involved in the authentication support them. Currently, the Negotiate security package selects between Kerberos and NTLM. It selects Kerberos unless Kerberos cannot be used by one of the systems involved, for example because the client is not joined to a domain or no service principal name (SPN) is available for the target; in that case it falls back to NTLM.

See also this NTLM article by Eric Glass.


Page History :: 2006-01-26 18:37:50 :: Owner: Roland Stens