How NTLM Authentication Works?

Adrian Jenkins
Apr 26, 2024


The NTLM Authentication protocol is a challenge/response mechanism that proves to a server or a Domain Controller (DC) that the user knows the password associated with an account.NTLM authentication can be used for both domain and local accounts.

This authentication mechanism is session-based, meaning that the user is authenticated as long as the TCP session between the client and the server is maintained. In other words, for NTLM authentication to succeed, authentication messages must happen over the same TCP connection. If the TCP connection drops in the middle of the authentication process, then you would have to start the process all over again.

If we take a look at the definition of NTLM, we can see that it is comprised of three messages:


Read at: