NTLM: When do you still encounter it

NTLM, or NT LAN Manager, is Microsoft’s authentication protocol from the Windows NT days. With the advent of Active Directory, NTLM is being phased out, and third-party application developers are following suit. This led to an encounter a while back where the unexpected presence of NTLM in an organization’s authentication mechanism caused some challenges in a project I was working on. That in turn led me to research the question: even with Active Directory implemented and Kerberos as the authentication protocol, when does Windows fall back to NTLM? Because it does!

  1. Windows NT clients and below. These legacy clients use NTLM; Kerberos is supported only on Windows 2000 and above. No ifs and buts about it.
  2. When DNS resolution fails during authentication. If DNS fails or cannot locate a Domain Controller during the authentication process, the client falls back to NTLM and effectively looks for a “Windows NT Domain Controller.” As a result, the authentication method will be NTLM.
  3. Windows 2000 Mixed Mode. This domain functional level assumes the presence of Windows NT in the network, so the probability that authentication falls back to NTLM is higher, especially if the network is in mixed mode because Windows NT Backup Domain Controllers are actually present in the domain. Read this to learn more about domain functional levels in Active Directory.
  4. Inter-Forest External Trust Relationships. An External Trust Relationship is a one-way or two-way non-transitive trust between two forests, very similar to the Windows 2000 trust relationships. This type of trust assumes that one or both sides still support NTLM, so authentication between two forests with this type of trust uses NTLM. This is also why a transitive trust is not possible with an External Trust Relationship: the concept of transitivity, or even of a forest, is unheard of in Windows NT. If you intend to use a trust relationship between forests without NTLM, use a Forest Trust.
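
A small audit script, added here as an example rather than code from the original post, that inventories which logons in a Windows Security log still use NTLM (Event ID 4624, using its Authentication Package and Package Name (NTLM only) fields), so the fallback cases above can be located before a product change exposes them. The event records are constructed samples, and the parser assumes the flattened “Field: value” layout of the 4624 message text:

```python
import re
from collections import Counter

# Constructed sample records (not real log data) in the "Field: value" layout
# of the Windows Security event 4624 message body; only the fields used appear.
SAMPLE_EVENTS = [
    "Logon Type: 3\nAccount Name: alice\nAccount Domain: CORP\n"
    "Workstation Name: WS01\nLogon Process: Kerberos\n"
    "Authentication Package: Kerberos\nPackage Name (NTLM only): -",
    # legacy client: NTLM V1, the weakest flavour still commonly seen
    "Logon Type: 3\nAccount Name: bob\nAccount Domain: CORP\n"
    "Workstation Name: LEGACY-NT4\nLogon Process: NtLmSsp\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V1",
    # account from a domain reached over an external (non-transitive) trust
    "Logon Type: 3\nAccount Name: carol\nAccount Domain: PARTNER\n"
    "Workstation Name: FS02\nLogon Process: NtLmSsp\n"
    "Authentication Package: NTLM\nPackage Name (NTLM only): NTLM V2",
    # Negotiate that fell back to NTLM (e.g. the DC could not be located)
    "Logon Type: 3\nAccount Name: dave\nAccount Domain: CORP\n"
    "Workstation Name: WS07\nLogon Process: Negotiate\n"
    "Authentication Package: Negotiate\nPackage Name (NTLM only): NTLM V2",
]

FIELD_RE = re.compile(r"^\s*([^:\n]+?):[ \t]*(.*)$", re.M)

def parse_event(text):
    """Turn one flattened 4624 message body into a field -> value dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}

def ntlm_inventory(events):
    """Count logons per auth package and list every NTLM logon: package NTLM
    outright, or Negotiate that ended in NTLM (version field is not '-')."""
    by_package = Counter()
    ntlm_logons = []
    for ev in map(parse_event, events):
        pkg = ev.get("Authentication Package", "?")
        ver = ev.get("Package Name (NTLM only)", "-")
        by_package[pkg] += 1
        if pkg == "NTLM" or ver not in ("-", ""):
            ntlm_logons.append({
                "account": ev.get("Account Domain", "") + "\\" + ev.get("Account Name", ""),
                "workstation": ev.get("Workstation Name", ""),
                "version": ver,
            })
    return by_package, ntlm_logons

def weak_ntlm(ntlm_logons):
    """LM and NTLM V1 logons: the ones to chase first when retiring NTLM."""
    return [n for n in ntlm_logons if n["version"] in ("LM", "NTLM V1")]
```

Grouping the NTLM entries by workstation and account domain usually maps straight onto the four causes above: odd workstation names point at legacy clients, foreign account domains at external trusts, and Negotiate-with-NTLM at DC location failures.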

If you are in the position where your customer demands to know why NTLM is still supported in the older version of your product but the newer version misbehaves because of NTLM, just tell them what I call my “cassette tape” analogy: in the same way that cassette players are no longer a staple of today’s home entertainment systems, customers should accept that newer products may no longer support older technologies, or may misbehave when they encounter older technologies like NTLM.


Written by jpaloma

December 20, 2012 at 9:22 PM

Posted in Active Directory

