Principles of Windows Security Authentication [NTLM]

Source: Internet
Author: User

There are two methods for Windows security authentication: Kerberos and NTLM. Kerberos is the preferred method; it is used in domain environments and is the more complex of the two. Here we introduce the simpler Windows authentication protocol, NTLM (NT LAN Manager). NTLM is used by Windows NT and by Windows 2000 Server in workgroup environments (in domain mode, Kerberos is used). In an AD domain environment, authenticating a Windows NT system still requires NTLM. Compared with Kerberos, the NTLM-based authentication process is much simpler. NTLM uses a challenge/response message exchange; the steps below cover the entire NTLM authentication process in Windows 2000.

Step 1

A user logs on to the client host by entering a Windows account name and password. Before the logon proceeds, the client caches a hash of the entered password and discards the original password (a basic security rule is that the original password is never cached under any circumstances). When a user who has successfully logged on to the Windows client tries to access a server resource, the client sends a request to the server. The request contains the user name in plaintext.

Step 2

After receiving the request, the server generates a 16-bit random number, called the challenge or nonce. The server saves the challenge before sending it to the client. The challenge is sent in plaintext.

Step 3

After receiving the challenge from the server, the client encrypts the challenge with the password hash saved in step 1 and sends the encrypted challenge to the server.

Step 4

After the server receives the encrypted challenge from the client, it sends a verification request for that client to the domain controller (DC). The request mainly contains the client's user name, the challenge encrypted with the client's password hash, and the original challenge.


Steps 5 and 6

The DC looks up the account's password hash by user name and encrypts the original challenge with it. If the result matches the encrypted challenge forwarded by the server, the user holds the correct password and verification succeeds; otherwise it fails. The DC sends the verification result to the server, which in turn relays it to the client.
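The six steps above, simulated end to end as an added example (this is not code from the page or from Microsoft). The client, server and DC are plain Python functions; the domain name "CORP", the account "alice", the sample password, and the 8-byte client blob are constructed values. Two details go beyond what the page states: the challenge is 8 bytes, the ServerChallenge size defined in MS-NLMP, and the response is computed with the NTLMv2 HMAC-MD5 construction (NTOWFv2 and NTProofStr) rather than the DES-based NTLMv1 encryption the page alludes to, so that everything runs with the standard library. MD4 is implemented inline because hashlib often lacks it on current OpenSSL builds.

```python
"""Simulated NTLM challenge/response with an NTLMv2-style computation (MS-NLMP).

Added illustration, not code from the page. The client holds only the NT hash,
the server issues the challenge and forwards the response, and the DC holds the
account hash and recomputes the response to verify it.
"""
import hashlib
import hmac
import os
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is absent on many builds."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                           # round 1: F = (b & c) | (~b & d)
            a = rotl((a + ((b & c) | (~b & d)) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: G = majority(b, c, d)
            k = (i % 4) * 4 + i // 4
            a = rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & mask,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                           # round 3: H = b ^ c ^ d
            a = rotl((a + (b ^ c ^ d) + x[order[i]] + 0x6ED9EBA1) & mask,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what the client caches in step 1."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over upper-cased user name + domain, keyed by the NT hash."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def compute_response(ntowf: bytes, server_challenge: bytes, client_blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(key, server challenge || client blob); response = proof || blob."""
    proof = hmac.new(ntowf, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob


# Constructed sample directory: the DC stores only the NT hash, never the password.
DC_DIRECTORY = {"alice": nt_hash("password")}
DOMAIN = "CORP"  # constructed domain name


def server_new_challenge() -> bytes:
    """Step 2: the server draws an 8-byte nonce (MS-NLMP size) and sends it in the clear."""
    return os.urandom(8)


def client_respond(cached_hash: bytes, user: str, server_challenge: bytes) -> bytes:
    """Step 3: the client proves possession of the hash without transmitting it."""
    client_blob = os.urandom(8)  # simplified stand-in for the NTLMv2 temp blob
    return compute_response(ntowf_v2(cached_hash, user, DOMAIN), server_challenge, client_blob)


def dc_verify(user: str, server_challenge: bytes, response: bytes) -> bool:
    """Steps 5 and 6: the DC recomputes the proof from its stored hash and compares."""
    stored = DC_DIRECTORY.get(user)
    if stored is None:
        return False
    client_blob = response[16:]
    expected = compute_response(ntowf_v2(stored, user, DOMAIN), server_challenge, client_blob)
    return hmac.compare_digest(expected, response)


def authenticate(user: str, password: str) -> bool:
    """Whole exchange: user name in plaintext, challenge back, response checked by the DC."""
    cached_hash = nt_hash(password)                   # step 1: password discarded, hash kept
    challenge = server_new_challenge()                # step 2
    response = client_respond(cached_hash, user, challenge)  # step 3
    return dc_verify(user, challenge, response)       # step 4 forwards; steps 5-6 verify


if __name__ == "__main__":
    print("NT hash of sample password:", nt_hash("password").hex())
    print("correct password accepted:", authenticate("alice", "password"))
    print("wrong password rejected:", not authenticate("alice", "Password"))
```

Note what the DC compares: it never receives the password or the NT hash, only the server's challenge and the client's response, and it recomputes the response from the hash it already holds. Because the server's challenge is part of the keyed computation, a response captured for one challenge does not verify against another, which is what makes the nonce the security-relevant part of step 2.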


The content source of this page is from the Internet and does not represent Alibaba Cloud's opinion; products and services mentioned on that page have no relationship with Alibaba Cloud. If you find the content of the page confusing, please write us an email and we will handle the problem within 5 days of receiving it.