Windows NT LAN Manager (NTLM)


The NTLM protocol was the default for network authentication in the Windows NT 4.0 operating system. It is retained in Windows 2000 for compatibility with downlevel clients and servers. NTLM is also used to authenticate logons to standalone computers with Windows 2000.

Windows 2000-based servers and Windows Server 2003-based servers can authenticate users who connect from computers that are running all earlier versions of Windows. However, versions of Windows earlier than Windows 2000 do not use Kerberos for authentication.

For backward compatibility, Windows 2000 and Windows Server 2003 support:

  • LAN Manager (LM) authentication,
  • Windows NT (NTLM) authentication,
  • and NTLM version 2 (NTLMv2) authentication.

The NTLM, NTLMv2, and Kerberos all use the NT hash, also known as the Unicode hash. The LM authentication protocol uses the LM hash.

When NTLM would be used

While Kerberos has replaced NTLM as the default authentication protocol in an Active Directory based single sign-on scheme, NTLM is still widely used in situations where a domain controller is not available or is unreachable.

For example, NTLM would be used if:

  • a client is not Kerberos capable,
  • the server is not joined to a domain,
  • or the user is remotely authenticating over the web.

Documentation / Reference

Powered by ComboStrap