7,023 questions
Thanks for posting your question in the Microsoft Q&A forum.
I hope this article can help you:
Kerberos authentication vs NTLM
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 51%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Adol
0
Reputation points
Sometimes, the web site user write "Pass the Hash does not work for Kerberos authentication on Active Directory".
However, in Kerberos authentication, pre-authentication data is sent from the domain controller in ERR-PREAUTH-REQUIRED, and the pre-authentication data is encrypted with a password hash on the client in AS_REQ, and the domain controller also check the data with a password hash.
Considering this, I think that encrypting data from the server using password hash and verifying it on the server is no different from NTLM authentication.
Although there are sites that mention that Pass the Hash cannot be used with Kerberos authentication, I could not find a site that specifically explains why.
If anyone knows the reason for this, please let me know.
Windows for business Windows Client for IT Pros Directory services Active Directory
Windows for business Windows Server Devices and deployment Configure application groups
1 answer
Sort by: Most helpful
-
Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator2023-11-19T07:37:29.73+00:00 -
Adol 0 Reputation points
2023-11-19T09:45:10.61+00:00 Hi Vahid,
Thank you for your response.
The article is written as follows.
(Note: The NT hash is stored and retrievable from the Kerberos TGT, as well, except on the latest Windows OS versions.)
I cannot understand the means. On latest Windows OS does not store the NT hash?
Sign in to comment -