1 Introduction

The NT LAN Manager (NTLM) Authentication Protocol is used for authentication between clients and servers.

These extensions provide additional capability for authorization information including group memberships, interactive logon information, and message integrity, as well as constrained delegation and encryption supported by Kerberos principals.

Kerberos authentication [MS-KILE] replaces NTLM as the preferred authentication protocol.<1> However, NTLM can be used when the Kerberos Protocol Extensions (KILE) do not work, such as in the following scenarios.

  • One of the machines is not Kerberos-capable.

  • The server is not joined to a domain.

  • The KILE configuration is not set up correctly.

  • The implementation chooses to directly use NLMP.

Sections 1.5, 1.8, 1.9, 2, and 3 of this specification are normative. All other sections and examples in this specification are informative.