New authentication methods are coming to Windows 11

2 new authentication methods are coming to Windows 11.

by Flavius Floare

Flavius Floare

Flavius is a writer and a media content producer with a particular interest in technology, gaming, media, film and storytelling. He enjoys spending time in nature and at… read more

windows 11 authentication methods

Microsoft is coming with new authentication methods for Windows 11, according to the Redmond-based tech giant’s latest blog post. The new authentication methods will be far less dependent on NT LAN Manager (NTLM) technologies and will use the reliability and flexibility of Kerberos technologies.

The 2 new authentication methods are:

  • Initial and Pass-Through Authentication Using Kerberos (IAKerb)
  • local Key Distribution Center (KDC)

Plus, the Redmond-based tech giant is improving the NTLM auditing and management functionality, but not with the goal of continuing to use it. The target is to improve it enough to give organizations the ability to control it better, thus removing it.

We are also introducing improved NTLM auditing and management functionality to give your organization more insight into your NTLM usage and better control for removing it. Our end goal is eliminating the need to use NTLM at all to help improve the security bar of authentication for all Windows users.


Windows 11 new authentication methods: All the details

According to Microsoft, IAKerb will be used to allow clients to authenticate with Kerberos in more diverse network topologies. On the other hand, KDC adds Kerberos support to local accounts.

The Redmond-based tech giant explains in detail how the 2 new authentication methods work on Windows 11, as you can read below.

IAKerb is a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight. This works through the Negotiate authentication extension and allows the Windows authentication stack to proxy Kerberos messages through the server on behalf of the client. IAKerb relies on the cryptographic security guarantees of Kerberos to protect the messages in transit through the server to prevent replay or relay attacks. This type of proxy is useful in firewall segmented environments or remote access scenarios.


The local KDC for Kerberos is built on top of the local machine’s Security Account Manager so remote authentication of local user accounts can be done using Kerberos. This leverages IAKerb to allow Windows to pass Kerberos messages between remote local machines without having to add support for other enterprise services like DNS, netlogon, or DCLocator. IAKerb also does not require us to open new ports on the remote machine to accept Kerberos messages.


The Redmond-based tech giant is bent on limiting the usage of NTLM protocols and the company has a solution for it. windows 11 authentication methods

In addition to expanding Kerberos scenario coverage, we are also fixing hard-coded instances of NTLM built into existing Windows components. We are shifting these components to use the Negotiate protocol so that Kerberos can be used instead of NTLM. By moving to Negotiate, these services will be able to take advantage of IAKerb and LocalKDC for both local and domain accounts.


Another important point to consider is the fact that Microsoft solely improves the management of NTLM protocols, with the goal of ultimately removing it from Windows 11.

Reducing the use of NTLM will ultimately culminate in it being disabled in Windows 11. We are taking a data-driven approach and monitoring reductions in NTLM usage to determine when it will be safe to disable.


The Redmond-based tech giant prepared a short guide for companies and customers on how to reduce the usage of NTLM authentication protocols.

More Reading

Post navigation

Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *