What authentication methods are available for Active Directory (AD)?
June 20, 2005
A. Windows 2000 and AD introduced Kerberos (version 5) as the principal authentication protocol for Win2K and later machines that are domain members. However, the earlier protocols are retained for backward compatibility, and Windows still falls back to them whenever Kerberos can't be used, so "available" and "actually in use" aren't the same thing. Here's a summary of the available authentication protocols, from weakest to strongest.
LAN Manager (LM). Microsoft and IBM created this protocol for OS/2. It's the least secure of all the authentication protocols and is used primarily by Windows Me and Windows 9x. The LM hash is built by converting the password to uppercase, padding it with nulls to 14 characters, and splitting it into two 7-character halves; each half is used as a DES key to encrypt a fixed constant, and the two 8-byte results are concatenated into the 16-byte (32-hex-character) hash. That construction is why the password is limited to 14 characters, why case doesn't count toward its strength, and why a 14-character password is only as hard to crack as two independent 7-character passwords. Consequently, if you have a password of seven characters or fewer, the second half of the hash is the encryption of the constant under an all-null key, which is always the same value (AAD3B435B51404EE), revealing to an attacker that only the first seven characters need to be cracked.
NT LAN Manager (NTLM). This challenge-response protocol is more secure than LAN Manager. The server sends an 8-byte random challenge, and the client answers with that challenge encrypted under DES (56-bit keys) derived from the user's NT hash, so the password itself never crosses the wire. The NT hash is the MD4 digest of the password in Unicode (UTF-16LE); it's case-sensitive and isn't limited to 14 characters, but it's unsalted, so identical passwords always produce identical hashes. Windows NT 4.0 Service Pack 3 (SP3) and earlier clients use this protocol.
NTLMv2. This version of NTLM replaces DES with HMAC-MD5 (a 128-bit keyed hash) and mixes a client-generated challenge, a timestamp, and target information into the response, which defeats the precomputed-response and replay attacks that work against LM and NTLMv1. It's used by machines running NT 4.0 SP4 and later and is the most secure challenge-response authentication available in Windows. It still derives from the unsalted NT hash, though, so an attacker who captures an NTLMv2 exchange can brute-force the password offline; password strength still matters. Which of these three protocols a client offers and a server accepts is governed by the LMCompatibilityLevel registry value (the "Network security: LAN Manager authentication level" Group Policy setting).
Kerberos. Kerberos is essentially a ticket-based authentication protocol: the client obtains a ticket from a domain controller and presents it to the service, so the service never handles the user's credentials. See the FAQ "What is Kerberos?" at http://www.windowsitpro.com/article/articleid/15294/15294.html for a more detailed explanation. You can also find out more by reading "Win.NET Server Kerberos," October 2002, InstantDoc ID 26450. Kerberos is the most secure authentication method, and you should use it whenever possible. Be aware that a client can use it only when it can reach a DC and resolve the target to a service principal name (SPN); when it connects by IP address or to a non-domain host, Windows silently falls back to NTLM, so raising the LAN Manager authentication level is what actually prevents weak protocols from being used.