Kerberos provides several advantages over NTLM:
– More secure: no password is stored locally or sent over the network.
– Better performance: faster than NTLM authentication.
– Delegation support: servers can impersonate clients and use the client’s security context to access a resource.
– Simpler trust management: avoids the need for pairwise trust relationships in a multi-domain environment.
– Supports MFA (multi-factor authentication).
NTLMv1 hashes can be cracked in seconds with today’s computing power, since they are always the same length and are not salted.
NTLMv2 is a little better, since it uses a variable-length, salted hash, but not that much better. Even though the hash is salted before it is sent, it is kept unsalted in the machine’s memory.
And of course, NTLM is a challenge/response mechanism, which exposes the password to offline cracking once the response to the challenge has been observed.
What are the Kerberos dependencies?
Both the client and the server need to be running W2k or a later version and be in the same, or a trusted, domain.
An SPN needs to exist in AD for the domain account used to run the service that the client is authenticating to.
What is NTLM?
NTLM is an authentication protocol. It was the default protocol in old Windows versions, but it is still used today: if for any reason Kerberos fails, NTLM is used instead.
NTLM has a challenge/response mechanism.
What is Kerberos?
Kerberos is an authentication protocol. It’s the default authentication protocol on Windows versions from W2k onward, replacing the NTLM authentication protocol.