Home > Others

NTLM verification process

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Document directory
  • References:
  • Body
References:

Microsoft NTLM

Kerberos connection process

Body

NTLM has two types: Interactive and noninteractive. Interactive is the user login type. Only the client and DC are involved, while noninteractive is the Client Connecting to a server. The noninteractive verification process of NTLM is provided in Microsoft NTLM, which involves the following seven steps:

  1. (Interactive Authentication only) a user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographicHashOf the password and discards the actual password.
  2. The client sends the user name to the server (inPlaintext).
  3. The server generates a 16-byte random number, calledChallengeOrNonce, And sends it to the client.
  4. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is calledResponse.

  5. The server sends the following three items to the domain controller:

    • User Name
    • Challenge sent to the client
    • Response received ed from the client
  6. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
  7. The domain controller compares the encrypted challenge it computed (in Step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.

However, some of them are not detailed enough. I will add them in this article. NTLM is a Windows verification process, as shown in:

Next we will detail the NTLM verification process, which is still a seven-step process:

  1. The user name, password, and domain name entered during logon. Then, the client calculates the password hash value and saves it locally.
  2. The client sends User Name text to DC
  3. DC generates a random number of 16-byte called challenge and transmits it to the client.
  4. After the client receives the challenge, it copies a copy and then encrypts one of the challenge with password hash. This is called response, and then transmits challenge, response, and user name to the server.
  5. The server forwards three pieces of content sent by the client to the DC.
  6. After receiving the user name, response, and challenge, DC finds the corresponding password hash in the account database based on the user name, and then encrypts challenge with this password hash.
  7. The last step is to compare the response with the encrypted challenge. If the two are the same, the NTLM is verified successfully.

At the end of Microsoft NTLM, we also mentioned that we should not directly use NTLM, but use negotiate. If negotiate is used, Windows checks whether Kerberos is available. If it is available, Kerberos is used first; otherwise, NTLM is used. Kerberos is more secure than NTLM.

The NTLM and negotiate options are available in Sharepoint. NTLM is selected by default. If you know how to configure Kerberos, The Negotiate mode is recommended.

 

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
explain invoice verification process ntlm ntlm php verification ntlm hash ntlm auth ntlm authentication

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More