
NTLM Overview

Corey Plett | Last Updated: 11/16/2016

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic for the IT professional describes NTLM and any changes in its functionality, and provides links to technical resources on Windows Authentication and NTLM for Windows Server 2012 and previous versions.

Feature description

NTLM authentication is a family of authentication protocols that are encompassed in the Windows Msv1_0.dll. The NTLM authentication protocols include LAN Manager version 1 and 2, and NTLM version 1 and 2. The NTLM authentication protocols authenticate users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. When the NTLM protocol is used, a resource server must take one of the following actions to verify the identity of a computer or user whenever a new access token is needed:

  • Contact a domain authentication service on the domain controller for the computer's or user's account domain, if the account is a domain account.

  • Look up the computer's or user's account in the local account database, if the account is a local account.

Current applications

NTLM authentication is still supported and must be used for Windows authentication with systems configured as a member of a workgroup. NTLM authentication is also used for local logon authentication on non-domain controllers. Kerberos version 5 authentication is the preferred authentication method for Active Directory environments, but a non-Microsoft or Microsoft application might still use NTLM.

Reducing the usage of the NTLM protocol in an IT environment requires both knowledge of which deployed applications require NTLM and the strategies and steps necessary to configure computing environments to use other protocols. New tools and settings have been added to help you discover how NTLM is used so that you can selectively restrict NTLM traffic. For information about how to analyze and restrict NTLM usage in your environments, see Introducing the Restriction of NTLM Authentication to access the Auditing and restricting NTLM usage guide.
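As an illustration of the discovery step described above, the following added example (not part of the original topic and not Microsoft code) summarizes NTLM logons from Security log event 4624 records exported as XML under a single root element. It assumes the standard 4624 fields AuthenticationPackageName, LmPackageName, WorkstationName and TargetUserName, none of which are named in this topic; the sample events, account names and host names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XML namespace used by exported Windows events
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(user, host, pkg, lm):
    """Build one constructed 4624 event, trimmed to the fields read below."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4624</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="WorkstationName">{host}</Data>'
        f'<Data Name="AuthenticationPackageName">{pkg}</Data>'
        f'<Data Name="LmPackageName">{lm}</Data>'
        "</EventData></Event>"
    )

# Constructed sample export: one Kerberos logon, one NTLMv2, two NTLMv1.
SAMPLE = "<Events>" + "".join([
    _event("alice", "WS01", "Kerberos", "-"),
    _event("svc-scan", "PRINT01", "NTLM", "NTLM V1"),
    _event("bob", "WS02", "NTLM", "NTLM V2"),
    _event("svc-scan", "PRINT01", "NTLM", "NTLM V1"),
]) + "</Events>"

def ntlm_usage(xml_text):
    """Count NTLM logons per (protocol version, workstation, account)."""
    usage = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue  # only successful-logon events carry these fields
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("AuthenticationPackageName") != "NTLM":
            continue  # logons through other packages are not NTLM usage
        key = (data.get("LmPackageName", ""),
               data.get("WorkstationName", ""),
               data.get("TargetUserName", ""))
        usage[key] += 1
    return usage

def ntlmv1_sources(usage):
    """Return the (workstation, account) pairs still using NTLM version 1."""
    return sorted({(host, user) for (ver, host, user) in usage if ver == "NTLM V1"})

if __name__ == "__main__":
    for (ver, host, user), count in sorted(ntlm_usage(SAMPLE).items()):
        print(f"{ver:8} {host:10} {user:10} {count}")
```

The per-workstation, per-account counts show which clients and service accounts would be affected before NTLM traffic is restricted.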

New and changed functionality

There are no changes in functionality for NTLM for Windows Server 2012.

Removed or deprecated functionality

There is no removed or deprecated functionality for NTLM for Windows Server 2012.

Server Manager information

NTLM cannot be configured from Server Manager. You can use Security Policy settings or Group Policies to manage NTLM authentication usage between computer systems. In a domain, Kerberos is the default authentication protocol.

See also

The following table lists relevant resources for NTLM and other Windows authentication technologies.

Content type | References
Product evaluation | Introducing the Restriction of NTLM Authentication; Changes in NTLM Authentication
Planning | IT Infrastructure Threat Modeling Guide; Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP; Threats and Countermeasures Guide: Security Settings in Windows Server 2008 and Windows Vista; Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7
Deployment | Extended Protection for Authentication; Auditing and restricting NTLM usage guide; Ask the Directory Services Team: NTLM Blocking and You: Application Analysis and Auditing Methodologies in Windows 7; Windows Authentication Blog; Configuring MaxConcurrentAPI for NTLM pass-through authentication
Development | Microsoft NTLM (Windows); [MS-NLMP]: NT LAN Manager (NTLM) Authentication Protocol Specification; [MS-NNTP]: NT LAN Manager (NTLM) Authentication: Network News Transfer Protocol (NNTP) Extension; [MS-NTHT]: NTLM Over HTTP Protocol Specification
Troubleshooting | Not yet available
Community resources | Is this horse dead yet: NTLM Bottlenecks and the RPC runtime