Authentication Protocols

Windows 2000 supports several protocols for verifying the identities of users who claim to have accounts on the system. These include protocols for authenticating dial-up connections and protocols for authenticating external users who are trying to connect to the network over the Internet. However, there are only two choices for network authentication within and between Windows 2000 domains:

Kerberos v5 Protocol: The Kerberos v5 authentication protocol is the default for authentication of users who are logging on to domain accounts from computers that are running Windows 2000.

NTLM Protocol: The Windows NTLM protocol was the default for authentication in Microsoft® Windows NT® version 4.0. It is retained in Windows 2000 for compatibility with clients and servers that are running Windows NT version 4.0 and earlier. It is also used to authenticate logons to stand-alone computers that are running Windows 2000.

Kerberos is the preferred protocol in Windows 2000 whenever there is a choice. Computers with Microsoft® Windows 3.11, Microsoft® Windows® 95, Microsoft® Windows® 98, or Windows NT 4.0 must use the NTLM protocol for network authentication in Windows 2000 domains. Computers with Windows 2000 use NTLM when they are authenticating to servers that are running Windows NT 4.0 and when they are requesting access to resources in Windows NT 4.0 domains.