Microsoft to Ditch NTLM Authentication in Windows 11

Microsoft announced its intention to gradually abandon NTLM authentication in Windows 11 in favor of a more secure method called Kerberos.

Kerberos is a system that ensures secure authentication between a client computer and a server. Let’s consider a scenario where a client computer wants to access a specific service, such as email, on another computer. In order to verify the user’s access rights, Kerberos utilizes a Key Distribution Center (KDC), which stores secret keys for all users and services. The KDC is responsible for issuing “tickets” to grant access.

When a user attempts to log on, their computer sends a ticket request to the KDC. The KDC verifies the user’s account information and, if everything is correct, issues a ticket. This ticket is then used to confirm the user’s identity when interacting with the desired service.

One of the key advantages of Kerberos is its ability to provide mutual authentication. This means that not only does the user confirm their identity to the service, but the user’s computer can also verify the identity of the service. This helps prevent attacks in which an attacker attempts to impersonate a service.
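The exchange described above, modelled as an added example that is not part of the original article and not Microsoft's or any Kerberos implementation's code: a KDC that holds the long-term keys of a user and a service, a client that obtains a ticket and a session key, and a service that validates the ticket and replies so the client can verify it in turn. The model is simplified to a single ticket round (real Kerberos first issues a ticket-granting ticket, uses AES-based encryption types and ASN.1 messages); the principal names, passwords and the toy HMAC-based cipher are all constructed for illustration.

```python
"""Simplified Kerberos-style ticket exchange (added illustration, not Microsoft's
or MIT Kerberos code). Models a KDC, a client and a service with one ticket round
and mutual authentication. The cipher is a toy encrypt-then-MAC built from
HMAC-SHA256 so the model runs offline; real Kerberos uses AES encryption types."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock difference the service tolerates in an authenticator


def derive_key(password: str) -> bytes:
    # Real Kerberos derives keys with string-to-key functions (PBKDF2 for AES types).
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, obj: dict) -> dict:
    """Toy authenticated encryption: XOR keystream, then an HMAC tag over nonce||ct."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt(key: bytes, blob: dict) -> dict:
    """Returns the plaintext dict; raises ValueError if the key is wrong or data was altered."""
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds the long-term key of every user and service and issues tickets."""

    def __init__(self, principals: dict):
        self.keys = {name: derive_key(pw) for name, pw in principals.items()}

    def issue_ticket(self, client: str, service: str, lifetime: int = 3600):
        if client not in self.keys or service not in self.keys:
            raise KeyError("unknown principal")
        session_key = os.urandom(32).hex()
        # Ticket sealed with the service's key: the client carries it but cannot read or forge it.
        ticket = encrypt(self.keys[service], {"client": client, "session_key": session_key,
                                              "expires": time.time() + lifetime})
        # Session key sealed with the client's key: usable only by someone who knows the password.
        reply = encrypt(self.keys[client], {"session_key": session_key, "service": service})
        return reply, ticket


def client_get_credentials(kdc: KDC, user: str, password: str, service: str) -> dict:
    reply, ticket = kdc.issue_ticket(user, service)
    session_key = bytes.fromhex(decrypt(derive_key(password), reply)["session_key"])
    ts = time.time()
    # The authenticator proves the client holds the session key and that the request is fresh.
    authenticator = encrypt(session_key, {"client": user, "timestamp": ts})
    return {"session_key": session_key, "ticket": ticket,
            "authenticator": authenticator, "timestamp": ts}


def service_accept(service_key: bytes, ticket: dict, authenticator: dict):
    """Validates the client's ticket + authenticator; returns (client name, service reply)."""
    t = decrypt(service_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["session_key"])
    auth = decrypt(session_key, authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(auth["timestamp"] - time.time()) > SKEW:
        raise ValueError("authenticator outside clock skew window")
    # Mutual authentication: only a holder of the real service key can recover the session
    # key from the ticket, so echoing the timestamp under it proves the service's identity.
    return t["client"], encrypt(session_key, {"timestamp": auth["timestamp"]})


def run_exchange(kdc: KDC, user: str, password: str, service: str, service_password: str) -> bool:
    """Full round trip; True only if both the user and the service authenticate."""
    try:
        creds = client_get_credentials(kdc, user, password, service)
        who, reply = service_accept(derive_key(service_password), creds["ticket"], creds["authenticator"])
        return who == user and decrypt(creds["session_key"], reply)["timestamp"] == creds["timestamp"]
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    # Constructed sample realm: one user and one mail service (names and secrets are made up).
    kdc = KDC({"alice": "correct horse", "mail/host.example": "svc-secret"})
    print("genuine service:", run_exchange(kdc, "alice", "correct horse", "mail/host.example", "svc-secret"))
    print("impostor service:", run_exchange(kdc, "alice", "correct horse", "mail/host.example", "not-the-key"))
    print("wrong password:", run_exchange(kdc, "alice", "guess", "mail/host.example", "svc-secret"))
```

The third run shows why impersonating a service fails: an impostor without the service's long-term key cannot open the ticket, so it never learns the session key and cannot produce the reply the client checks.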
