Kerberos and Windows 2000

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

Windows NT uses a proprietary authentication scheme, NT LAN Manager (NTLM) Challenge-Response. With the introduction of Windows 2000, Microsoft changed the default authentication to their version of Kerberos, a public domain authentication scheme developed at MIT (Massachusetts Institute of Technology) as part of Project Athena.

Windows 2000 uses Version 5 of Kerberos as defined by RFC 1510. Standards-conforming Kerberos implementations use the API library described in RFC 1964, the Kerberos Version 5 Generic Security Service Application Programming Interface (GSS-API) Mechanism. Microsoft chose not to use the GSS-API directly; instead, Windows 2000 uses a similar set of functions of their own design.

Windows 2000 supports both Kerberos and NTLM for authentication. Legacy, legacy, legacy support - the key to Microsoft's security problems. Because the authentication mechanism is designed to be as transparent as possible, it isn't obvious whether Kerberos or NTLM is used. In general, Windows 2000 uses Kerberos in the following circumstances:

  • Authenticating users logging on to Windows 2000 domain controllers
  • Authenticating users logging on to Windows 2000 servers and workstations that are members of a Windows 2000 domain
  • Authenticating users logging on to standalone Windows 2000 servers and workstations
  • Authenticating users accessing a Windows 2000 server or workstation from a Win9x client or NT client configured with the Active Directory add-on

NTLM authentication is used in the following instances:

  • Authenticating users logging on to Windows 2000 servers and workstations that are members of an NT domain (or accessing an NT domain from a Windows 2000 domain via a trust relationship)
  • Authenticating users accessing a Windows 2000 server or workstation from an NT server or workstation
  • Authenticating users accessing a Windows 2000 server from a standard Windows 9x, Win 3.1x client, or OS/2 client
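Since the two lists above only say when each protocol is expected, the practical check is to read what the Security log actually recorded: successful-logon events (528 and 540 on Windows 2000, 4624 on later versions) carry an "Authentication Package" field that says Kerberos or NTLM, next to "Logon Type", "Account Name" and "Workstation Name". The script below is an added example, not code from the article; it parses event bodies in that field layout and reports how much NTLM is still in use and from which machines. The five event bodies are constructed for the example; the field names are the Security log's, the values and machine names are made up.

```python
"""Tally successful Windows logon events by authentication package.

Added example, not code from the original article. The field names match
those in Windows Security-log logon events; the event bodies below are
constructed sample data, not real log output.
"""
import re
from collections import Counter, defaultdict

# Constructed sample event bodies (not real log data), in the
# "Field:<tab>Value" layout of the event description text.
SAMPLE_EVENTS = [
    "Logon Type:\t\t3\nAccount Name:\t\talice\n"
    "Workstation Name:\tW2K-WS01\nAuthentication Package:\tKerberos",
    "Logon Type:\t\t2\nAccount Name:\t\tbob\n"
    "Workstation Name:\tW2K-WS02\nAuthentication Package:\tKerberos",
    "Logon Type:\t\t3\nAccount Name:\t\tcarol\n"
    "Workstation Name:\tNT4-SRV01\nAuthentication Package:\tNTLM",
    "Logon Type:\t\t3\nAccount Name:\t\tdave\n"
    "Workstation Name:\tWIN98-PC\nAuthentication Package:\tNTLM",
    "Logon Type:\t\t3\nAccount Name:\t\talice\n"
    "Workstation Name:\tNT4-SRV01\nAuthentication Package:\tNTLM",
]

# Logon Type codes as documented for the Security log.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch",
               "5": "Service", "10": "RemoteInteractive"}

# One "Name:   value" pair per line; tabs or spaces may separate them.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", re.MULTILINE)


def parse_event(body):
    """Turn one event body into a dict of field name -> value."""
    return {m.group(1).strip(): m.group(2) for m in FIELD_RE.finditer(body)}


def tally(events):
    """Count logons per authentication package and collect NTLM sources.

    Returns (package_counts, ntlm_sources); ntlm_sources maps a workstation
    name to the set of accounts that authenticated from it over NTLM.
    """
    package_counts = Counter()
    ntlm_sources = defaultdict(set)
    for body in events:
        fields = parse_event(body)
        package = fields.get("Authentication Package", "unknown")
        package_counts[package] += 1
        if package.upper().startswith("NTLM"):
            station = fields.get("Workstation Name", "?")
            ntlm_sources[station].add(fields.get("Account Name", "?"))
    return package_counts, dict(ntlm_sources)


def ntlm_share(events):
    """Fraction of logons that used NTLM rather than Kerberos (0.0 if none)."""
    counts, _ = tally(events)
    total = sum(counts.values())
    return counts["NTLM"] / total if total else 0.0


def report(events):
    """Print a short summary: package counts, NTLM share, NTLM sources."""
    counts, sources = tally(events)
    for package, n in counts.most_common():
        print(f"{package:10s} {n}")
    print(f"NTLM share: {ntlm_share(events):.0%}")
    for station, accounts in sorted(sources.items()):
        print(f"  NTLM from {station}: {', '.join(sorted(accounts))}")
    for body in events:
        fields = parse_event(body)
        kind = LOGON_TYPES.get(fields.get("Logon Type", ""), "Other")
        print(f"  {fields.get('Account Name')}: {kind} via "
              f"{fields.get('Authentication Package')}")


if __name__ == "__main__":
    report(SAMPLE_EVENTS)
```

On a live domain the same tally, run over exported Security-log text, shows which workstations in the NTLM list above are still generating NTLM logons, which is the population that has to be upgraded or retired before NTLM can be restricted.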

Authentication protocols defend the front door to your network
