Saturday, June 19, 2010

Advantages of Kerberos over NTLM

As you may know, prior to Windows 2000, NTLM was the primary authentication protocol in Windows Server; from Windows 2000 onwards, Microsoft made Kerberos the native authentication protocol.

The Kerberos protocol is not only an industry standard; it also offers numerous advantages over NTLM, some of which include -
  • Mutual Authentication - Not only does the client authenticate to the server, but the client can also require the server to authenticate itself to the client. This enhances security by ensuring that clients only authenticate themselves to genuine servers.

  • Faster Authentication - The use of TGTs substantially speeds up authentication in distributed systems, which makes network access across the enterprise more efficient and secure.

  • Support for Delegation - Kerberos enables security delegation, which allows a server to impersonate a client when accessing remote resources; this provides trustworthy security in multi-tier application scenarios.

  • Support for PKI Integration - Through the PKINIT extension, Kerberos supports smart-card logons, which substantially enhances security because it removes the need for passwords, allowing smart cards to be used instead.

All in all, Kerberos makes Windows Server powerful enough to provide enterprise-grade distributed security, and today its use is ubiquitous across the world.
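To make the first two advantages concrete, here is an added example (not code from the original post) that models the three Kerberos exchanges in Python: AS-REQ/AS-REP issues a TGT, TGS-REQ/TGS-REP turns that TGT into a service ticket without touching the password again, and AP-REQ/AP-REP is where mutual authentication happens, because only a server holding the real service key can open the ticket and echo the client's timestamp under the session key. The cipher is a deliberately toy construction (SHA-256 keystream plus an HMAC tag) so the block runs offline with only the standard library; it is not Kerberos' real encryption profile, and pre-authentication, the PAC and renewal are omitted. The principals (`alice`, `cifs/fs01`, `http/web01`) and passwords are constructed sample data.

```python
import hashlib
import hmac
import json
import os
import time

# --- toy authenticated encryption (SHA-256 keystream + HMAC tag); NOT Kerberos' real crypto ---
def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt(key, obj):
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")  # an impostor server fails here
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()  # toy stand-in for Kerberos string-to-key

class KDC:
    """Combined AS + TGS: the only party that holds every principal's long-term key."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}

    def as_exchange(self, client):
        """AS-REP: TGT sealed under the krbtgt key; the session key sealed under the client's key."""
        sk = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"cname": client, "sk": sk, "exp": time.time() + 600})
        return tgt, encrypt(self.keys[client], {"sk": sk, "sname": "krbtgt"})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REP: no password involved; the TGT plus a fresh authenticator proves the client."""
        tgt_body = decrypt(self.keys["krbtgt"], tgt)
        auth = decrypt(bytes.fromhex(tgt_body["sk"]), authenticator)
        if auth["cname"] != tgt_body["cname"] or time.time() > tgt_body["exp"]:
            raise PermissionError("TGT/authenticator mismatch or expired")
        ssk = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"cname": auth["cname"], "sk": ssk, "exp": time.time() + 600})
        return ticket, encrypt(bytes.fromhex(tgt_body["sk"]), {"sk": ssk, "sname": service})

class Server:
    """Application server: must hold the service key to open tickets and answer an AP-REQ."""
    def __init__(self, key):
        self.key = key

    def ap_exchange(self, ticket, authenticator):
        body = decrypt(self.key, ticket)
        ssk = bytes.fromhex(body["sk"])
        auth = decrypt(ssk, authenticator)
        if auth["cname"] != body["cname"] or abs(time.time() - auth["ts"]) > 300:
            raise PermissionError("authenticator mismatch or clock skew")
        return encrypt(ssk, {"ts": auth["ts"]})  # AP-REP: proves the server opened the ticket

class Client:
    def __init__(self, name, password):
        self.name, self.key, self.tgt, self.tgt_sk = name, string_to_key(password), None, None

    def logon(self, kdc):
        self.tgt, enc = kdc.as_exchange(self.name)
        self.tgt_sk = bytes.fromhex(decrypt(self.key, enc)["sk"])
        self.key = None  # long-term key no longer needed: the TGT stands in for it

    def authenticate_to(self, kdc, server, service):
        """True only if the server proves it holds the service key (mutual authentication)."""
        ticket, enc = kdc.tgs_exchange(self.tgt, encrypt(self.tgt_sk, {"cname": self.name}), service)
        ssk = bytes.fromhex(decrypt(self.tgt_sk, enc)["sk"])
        ts = time.time()
        try:
            rep = server.ap_exchange(ticket, encrypt(ssk, {"cname": self.name, "ts": ts}))
            return decrypt(ssk, rep)["ts"] == ts
        except (ValueError, PermissionError):
            return False

def demo():
    kdc = KDC()
    kdc.keys["alice"] = string_to_key("correct horse")  # constructed sample principals
    kdc.keys["cifs/fs01"] = os.urandom(32)
    kdc.keys["http/web01"] = os.urandom(32)
    alice = Client("alice", "correct horse")
    alice.logon(kdc)  # one AS exchange with the password ...
    genuine = alice.authenticate_to(kdc, Server(kdc.keys["cifs/fs01"]), "cifs/fs01")
    second = alice.authenticate_to(kdc, Server(kdc.keys["http/web01"]), "http/web01")  # ... TGT reused
    rogue = alice.authenticate_to(kdc, Server(os.urandom(32)), "cifs/fs01")  # impostor without the key
    return genuine, second, rogue

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

Two things to notice when running it: after `logon()` the client discards its long-term key and still reaches a second service, which is the TGT speed-up the post describes; and the impostor server, lacking the `cifs/fs01` key, cannot open the ticket and so cannot produce the AP-REP, which is what "mutual authentication" buys the client. NTLM has no equivalent of that last step.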


  1. Hello Aaron,

    Greetings from Dubai. I am a Windows IT admin and have been working with Active Directory for quite some time now. One of the things that interests me is Active Directory Security and I have been recently looking at Active Directory Risks. I've found that using a Permissions Analyzer for Active Directory can be very helpful in finding out who has what permissions in Active Directory. I thought I would share this with you in case it helps you too.

    Best wishes,

  2. Hi Aaron,

    As Domain Admins / Enterprise Admins we often delegate administrative tasks in Active Directory and from time to time need to know who is delegated what access in Active Directory.

    In my experience, I have found that finding out who is delegated what access in Active Directory is not as easy as it seems, but in fact can be quite difficult.

    I've seen many admins try to use a Permissions Analyzer for Active Directory but finding out who has what permissions in Active Directory is not the same thing.

    I recently came across an Active Directory Audit Tool that makes it super easy to find out who is delegated what access in Active Directory. Thought you may like to know.