Security Encyclopedia

NT Lan Manager (NTLM)

Windows New Technology LAN Manager (NTLM) is an outmoded challenge-response authentication protocol from Microsoft. Still in use though succeeded by Kerberos, NTLM is a form of Single Sign-On (SSO) enabling users to authenticate to applications without submitting the underlying password.

NTLM gives users SSO access on an Active Directory (AD) domain through the exchange of three messages comprising the cryptographic handshake: the client's negotiate message, the server's challenge message, and the client's authenticate message.

NT LAN Manager was the default protocol for Windows until Microsoft deprecated it, citing vulnerabilities related to the password hash's password equivalency. Passwords stored on the server, or domain controller, are not salted and therefore an adversary with a password hash does not require the underlying password to authenticate. NTLM's cryptography also predates newer algorithms such as AES or SHA-256 and is susceptible to brute force attacks by today's hardware.


"One of our data centers suffered an Active Directory outage that stemmed from an issue with NTLM authentication. To solve the problem, the IT folks eventually ended up building a new domain controller."

Passwordless Windows Login Demo: