NTLM verification process

Source: Internet
Author: User
References:

Microsoft NTLM

Kerberos connection process

Body

NTLM has two types: interactive and non-interactive. Interactive authentication is the user logon case, in which only the client and the domain controller (DC) are involved; non-interactive authentication is a client connecting to a server. Microsoft NTLM describes the non-interactive verification process in the following seven steps:

  1. (Interactive authentication only) A user accesses a client computer and provides a domain name, user name, and password. The client computes a cryptographic hash of the password and discards the actual password.
  2. The client sends the user name to the server (in plaintext).
  3. The server generates a 16-byte random number, called a challenge or nonce, and sends it to the client.
  4. The client encrypts this challenge with the hash of the user's password and returns the result to the server. This is called the response.
  5. The server sends the following three items to the domain controller:

    • User name
    • Challenge sent to the client
    • Response received from the client
  6. The domain controller uses the user name to retrieve the hash of the user's password from the Security Account Manager database. It uses this password hash to encrypt the challenge.
  7. The domain controller compares the encrypted challenge it computed (in step 6) to the response computed by the client (in step 4). If they are identical, authentication is successful.

However, some of these steps are not described in enough detail, so this article expands on them. NTLM is a Windows verification process, as shown in the figure:

Next we describe the NTLM verification process in detail; it is still a seven-step process:

  1. The user enters the user name, password, and domain name at logon. The client then calculates the password hash and saves it locally.
  2. The client sends the user name in plaintext to the DC.
  3. The DC generates a 16-byte random number, called the challenge, and transmits it to the client.
  4. After the client receives the challenge, it keeps one copy and encrypts the other copy with the password hash; the result is called the response. The client then transmits the challenge, the response, and the user name to the server.
  5. The server forwards the three items sent by the client to the DC.
  6. After receiving the user name, response, and challenge, the DC looks up the corresponding password hash in the account database by user name and encrypts the challenge with that password hash.
  7. The last step is to compare the response with the encrypted challenge. If the two are the same, NTLM verification succeeds.
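The "encrypt the challenge with the password hash" step (step 4 on the client, step 6 on the DC) and the comparison in step 7, as an added Go example that is not part of the original article: it implements the NTLMv1 response computation and the DC-side check. It assumes the 8-byte server challenge of the NTLMv1 wire format rather than the 16 bytes quoted above, and takes the NT hash as a given 16-byte value (the MS-NLMP specification's published test values for the password "Password" and the challenge 0x0123456789abcdef), because the MD4 step is not in Go's standard library.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Step 4 (client) and step 6 (DC): "encrypt the challenge with the password hash".
// In NTLMv1 the 16-byte NT hash (MD4 of the UTF-16LE password) is zero-padded to 21
// bytes and split into three 7-byte DES keys; each encrypts the 8-byte challenge.
func ntlmv1Response(ntHash, challenge []byte) []byte {
	if len(ntHash) != 16 || len(challenge) != 8 {
		return nil // NTLMv1 needs exactly a 16-byte NT hash and an 8-byte challenge
	}
	key21 := make([]byte, 21) // zero padding supplies the last 5 bytes of the third key
	copy(key21, ntHash)
	resp := make([]byte, 0, 24) // three 8-byte DES outputs form the 24-byte response
	for i := 0; i < 21; i += 7 {
		block, _ := des.NewCipher(expandDESKey(key21[i : i+7])) // 8-byte key cannot fail
		out := make([]byte, 8)
		block.Encrypt(out, challenge)
		resp = append(resp, out...)
	}
	return resp
}

// expandDESKey spreads 56 key bits over 8 bytes (7 per byte); the low parity bits stay clear.
func expandDESKey(k7 []byte) []byte {
	k := make([]byte, 8)
	k[0] = k7[0] & 0xFE
	for i := 1; i < 7; i++ {
		k[i] = k7[i-1]<<(8-uint(i)) | (k7[i]>>uint(i))&0xFE
	}
	k[7] = k7[6] << 1
	return k
}

// Steps 6 and 7 (DC): recompute from the stored hash and compare with the client's response.
func dcVerify(storedNTHash, challenge, response []byte) bool {
	expected := ntlmv1Response(storedNTHash, challenge)
	return expected != nil && bytes.Equal(expected, response)
}

func main() {
	ntHash, _ := hex.DecodeString("a4f49c406510bdcab6824ee7c30fd852") // NTOWFv1("Password"), MS-NLMP test value
	challenge, _ := hex.DecodeString("0123456789abcdef")               // MS-NLMP ServerChallenge test value
	resp := ntlmv1Response(ntHash, challenge)
	fmt.Printf("response=%x accepted=%v\n", resp, dcVerify(ntHash, challenge, resp))
}
```

The DC check also shows why a fresh challenge matters: a response captured for one challenge does not verify against any other challenge.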

At the end of Microsoft NTLM it is also noted that NTLM should not be used directly; Negotiate should be used instead. With Negotiate, Windows checks whether Kerberos is available and uses Kerberos if it is; otherwise it falls back to NTLM. Kerberos is more secure than NTLM.

Both the NTLM and Negotiate options are available in SharePoint, with NTLM selected by default. If you know how to configure Kerberos, Negotiate mode is recommended.

 
