Difference between Kerberos and NTLM

1. Kerberos:

Kerberos is a ticket-based authentication system used to authenticate user information when logging into a system. Kerberos is based on symmetric-key cryptography, depends on a reliable third party, and uses private-key encryption during the phases of authentication. Different versions of Kerberos have been developed to enhance the security of authentication. Kerberos is generally implemented in Microsoft products such as Windows 2000, Windows XP and later Windows versions.

Advantages of Kerberos:

  • Stronger Security: Kerberos uses symmetric-key cryptography, which is considered stronger than NTLM’s hashing-based authentication.
  • Single Sign-On (SSO): Kerberos enables SSO, which means that users only need to enter their credentials once to access multiple resources.
  • Cross-Platform Support: Kerberos is an open standard and can be used on various platforms, including Unix and Linux.

Disadvantages of Kerberos:

  • Complexity: Kerberos requires more configuration and setup compared to NTLM, which can make it more difficult to deploy and maintain.
  • Requires Time Synchronization: Kerberos relies on accurate time synchronization between servers, which can be a challenge in large, distributed environments.
  • Compatibility Issues: Some older applications and systems may not be compatible with Kerberos, which can limit its use in some environments.
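
The time dependency listed above comes from the freshness check a Kerberos service applies to each authenticator timestamp. The following is an added example, not code from the original article: a simplified model in which the class name, the five-minute tolerance and the sample principals and times are assumptions; the error names are those defined in RFC 4120.

```python
from datetime import datetime, timedelta, timezone

# Assumed tolerance for this example; five minutes is a common default.
MAX_SKEW = timedelta(minutes=5)

class AuthenticatorValidator:
    """Simplified model of a service checking Kerberos authenticator freshness."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self.replay_cache = {}  # (client, client_time) -> time the entry may be dropped

    def validate(self, client, client_time, server_now):
        # Drop cache entries whose timestamp would now fail the skew check anyway.
        self.replay_cache = {k: exp for k, exp in self.replay_cache.items()
                             if exp >= server_now}
        # A timestamp outside the window is rejected, even from an honest client
        # whose clock has drifted: this is why Kerberos needs time sync.
        if abs(server_now - client_time) > self.max_skew:
            return "KRB_AP_ERR_SKEW"
        # Inside the window, the same (client, timestamp) pair is accepted once only.
        key = (client, client_time)
        if key in self.replay_cache:
            return "KRB_AP_ERR_REPEAT"
        self.replay_cache[key] = client_time + self.max_skew
        return "OK"

def demo():
    """Run four constructed requests against one validator and return the verdicts."""
    now = datetime(2023, 5, 16, 12, 0, 0, tzinfo=timezone.utc)  # constructed time
    v = AuthenticatorValidator()
    fresh = now - timedelta(seconds=20)
    return [
        v.validate("alice@EXAMPLE.COM", fresh, now),                         # first use
        v.validate("alice@EXAMPLE.COM", fresh, now + timedelta(seconds=5)),  # replayed
        v.validate("bob@EXAMPLE.COM", now - timedelta(minutes=9), now),      # slow clock
        v.validate("alice@EXAMPLE.COM", fresh, now + timedelta(minutes=6)),  # stale replay
    ]

if __name__ == "__main__":
    print(demo())
```

The third verdict is the operational cost of the design: a legitimate client whose clock is nine minutes slow is refused until its time source is fixed.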

2. NTLM:

NTLM (New Technology LAN Manager) is a proprietary Microsoft authentication protocol. NTLM is also based on symmetric-key cryptography and needs resource servers to provide authentication, integrity, and confidentiality to users. NTLM does not support delegation of authentication or two-factor authentication. NTLM is usually implemented in earlier Windows versions such as Windows 95, Windows 98, Windows ME and NT 4.0.

Advantages of NTLM:

  • Simplicity: NTLM is easier to configure and set up compared to Kerberos.
  • Widely Supported: NTLM is supported by many applications and systems, including older versions of Windows.
  • Non-Dependent on Time Synchronization: NTLM doesn’t require time synchronization between servers, which can make it easier to implement in some environments.

Disadvantages of NTLM:

  • Weaker Security: NTLM uses hashing-based authentication, which is considered weaker than Kerberos’ symmetric-key cryptography.
  • Limited SSO Support: NTLM does not support SSO, which means that users may need to enter their credentials multiple times to access different resources.
  • Vulnerable to Certain Attacks: NTLM is vulnerable to certain attacks, such as pass-the-hash and pass-the-ticket attacks, which can compromise security.

Similarities:

  • Both protocols provide authentication for users trying to access network resources.
  • Both protocols rely on the use of hashes to store and compare credentials.
  • Both protocols support mutual authentication, where the client and server authenticate each other.
  • Both protocols support session keys, which are used to secure data transmission after authentication.
  • Both protocols have been included in Windows operating systems and are widely used in Windows environments.

Difference between Kerberos and NTLM:

| S.No. | Kerberos | NTLM |
|---|---|---|
| 1. | Kerberos is open source software and offers free services. | NTLM is the proprietary Microsoft authentication protocol. |
| 2. | Kerberos supports delegation of authentication in multi-tier applications. | NTLM does not support delegation of authentication. |
| 3. | Kerberos supports two-factor authentication such as smart card logon. | NTLM does not provide smart card logon. |
| 4. | Kerberos has the feature of mutual authentication. | NTLM does not have the feature of mutual authentication. |
| 5. | Kerberos provides high security. | NTLM is less secure than Kerberos. |
| 6. | Kerberos is supported in Microsoft Windows 2000, Windows XP and later Windows versions. | NTLM is also supported in earlier Windows versions such as Windows 95, Windows 98, Windows ME and NT 4.0. |
| 7. | Kerberos is compatible with a wide range of platforms and applications. | NTLM is primarily designed for use with Microsoft Windows systems and applications. |
| 8. | Kerberos can be faster than NTLM due to its use of lightweight tickets and efficient caching. | NTLM can be slower than Kerberos due to its use of more complex authentication mechanisms. |

Kerberos is an authentication protocol that uses tickets to authenticate users to network resources. It provides high security by using both symmetric and asymmetric encryption. Kerberos supports single sign-on, which allows users to access multiple resources without the need to re-enter their credentials. It is a cross-platform protocol that can be used on various operating systems.

NTLM is a challenge-response authentication protocol that is used mainly on Windows systems. It provides medium security by using only symmetric encryption. NTLM does not support single sign-on, which means that users need to enter their credentials each time they access a resource. NTLM is vulnerable to various attacks, including replay attacks and brute-force attacks.

Kerberos is faster than NTLM, as it uses fewer network resources and requires fewer authentication requests. However, NTLM is easier to implement and does not require a centralized key distribution center.

When it comes to vulnerability to attacks, Kerberos is considered more secure than NTLM. Kerberos uses hashed passwords, which makes it more difficult for attackers to obtain user credentials. In contrast, NTLM passwords can be stored in plain text, making them more vulnerable to attacks.

Conclusion:

Both Kerberos and NTLM are important authentication protocols used in Windows environments. However, Kerberos is more secure, scalable, and compatible with modern systems, while NTLM is more straightforward to configure and manage and works well with older systems. The choice between the two protocols ultimately depends on the specific needs of the organization and the resources they have available.
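
Choosing between the two protocols in practice starts with knowing where NTLM is still in use. The following is an added example, not code from the original article: it tallies the authentication package recorded in Windows Security logon events (event ID 4624, fields `AuthenticationPackageName` and `LmPackageName`); the helper names, users and addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

def make_event(user, ip, package, lm="-"):
    """Build a constructed, trimmed-down 4624 event (sample data, not a real log)."""
    fields = {"TargetUserName": user, "IpAddress": ip,
              "AuthenticationPackageName": package, "LmPackageName": lm}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>4624</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample input
    make_event("alice", "10.0.0.11", "Kerberos"),
    make_event("bob", "10.0.0.12", "NTLM", "NTLM V2"),
    make_event("svc-scan", "10.0.0.40", "NTLM", "NTLM V1"),
    make_event("alice", "10.0.0.11", "Kerberos"),
    make_event("svc-scan", "10.0.0.40", "NTLM", "NTLM V1"),
]

def parse_logon(xml_text):
    """Return the EventData fields of a 4624 event as a dict, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def audit(events):
    """Count logons per authentication package and list who still uses NTLM."""
    by_package = Counter()
    ntlm_sources = Counter()  # (user, source IP, NTLM version) -> logon count
    for xml_text in events:
        logon = parse_logon(xml_text)
        if logon is None:
            continue
        package = logon.get("AuthenticationPackageName", "")
        by_package[package] += 1
        if package == "NTLM":
            ntlm_sources[(logon.get("TargetUserName", ""), logon.get("IpAddress", ""),
                          logon.get("LmPackageName", ""))] += 1
    return by_package, ntlm_sources

if __name__ == "__main__":
    packages, sources = audit(SAMPLE_EVENTS)
    print(dict(packages))
    for (user, ip, version), count in sources.most_common():
        print(f"{user} from {ip}: {count} logon(s) via {version}")
```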


Last Updated : 16 May, 2023