NTLM was originally a proprietary protocol from Microsoft and was therefore implemented almost exclusively in products from this manufacturer. Thanks to reverse engineering , however, Samba , Squid , Mozilla Firefox , cURL , Opera and the Apache HTTP server also support this protocol. In early 2007, Microsoft published its specification under pressure from the United States and the European Union .
The predecessor of the NTLM protocol is LM (LAN Manager), which was already used in the OS / 2 operating system . NTLM fixed the problem that long passwords could be more vulnerable than short passwords. Due to additional security problems, NTLMv2 was developed and the earlier version was henceforth called NTLMv1. Security problems are also known in NTLMv2: Responses can be intercepted in order to carry out replay attacks on the server and reflection attacks on the client.
Authentication via NTLM begins with the client sending the user name to the server . The server then sends a random number to the client as a challenge . The client sends back the random number encrypted with the hash value of the user password as a response . The server also encrypts the random number with the hash value of the user password that it has in its database or from the domain controller, compares the two results and confirms the authentication if they match. The user password is therefore not sent via the insecure medium.
An alternative to NTLM is the Kerberos protocol , which has also been used as standard under Windows since the introduction of Active Directory with Windows 2000 . If authentication using Kerberos is not possible, NTLM is used automatically. Windows selects the port for NTLM dynamically in the basic setting.
Secure Password Authentication , or SPA for short, is what Microsoft calls authentication via NTLM for Microsoft Exchange Server .
The LmCompatibilityLevel can be used to configure which authentication mechanisms the client should use. A distinction is made here between LM, NTLM and NTLMv2 authentications.
- 0 = clients use LM and NTLM authentication
- 1 = clients use LM and NTLM authentication as well as NTLMv2 authentication
- 2 = clients only use NTLM and NTLMv2 authentication.
- 3 = clients only use NTLMv2 authentication. Domain controllers accept LM, NTLM, and NTLMv2 authentication.
- 4 = clients only use NTLMv2 authentication. Domain controllers reject LM authentication and only accept NTLM and NTLMv2 authentication.
- 5 = Clients only use NTLMv2 authentication. Domain controllers reject LM and NTLM authentication and only accept NTLMv2 authentication.
- NT LAN Manager (NTLM) Authentication Protocol Specification . Microsoft. Retrieved August 17, 2010.
- How to disable LM authentication on Windows NT . Microsoft. Retrieved August 27, 2015.
- Authentication on Windows: A Smoldering Security Problem . Publisher Heinz Heise . August 16, 2010. Retrieved August 17, 2010.
- Microsoft NTLM . Microsoft. Retrieved August 17, 2010.
- Kerberos and Windows 2000 . TechGenix. Retrieved August 17, 2010.
- Kerberos in the LOCAL SYSTEM context and NTLM fallback . Microsoft. April 12, 2010. Retrieved August 17, 2010.
- How Interactive Logon Works . Microsoft. Retrieved August 17, 2010.