Kerberos, NTLM, and authentication packages

How Windows chooses and uses protocol packages to validate identities.

Official Microsoft docs

Closest official references related to this topic on Microsoft Learn.

Microsoft Learn

Kerberos authentication overview

learn.microsoft.com

Microsoft Learn

NTLM user authentication

learn.microsoft.com

Many real-world sign-in and remote access behaviors depend on whether Windows is using Kerberos, NTLM, or another security support provider.

Authentication packages are pluggable protocol engines. Windows negotiates or selects the one that matches the identity and environment.

1The LSA and SSPI framework expose a common path for applications and services.
2Kerberos is preferred for domain scenarios with ticket-based authentication.
3NTLM remains important for compatibility, fallback, and some local or legacy cases.

SSPI: Security Support Provider Interface, the API layer for Windows integrated authentication.
Kerberos ticket: Credential material proving identity and access within a Kerberos realm.

Once domain logon succeeds, Kerberos tickets can be reused so the user does not need to retype credentials for every server access.

Kerberos and NTLM are not interchangeable labels. They imply different flows, caching behavior, and trust assumptions.

Ranked from your current topic, related links, branch depth, and any active guided path.

intermediate

SIDs, privileges, impersonation, and the identity payload every process carries.

Next step in your guided path

intermediate

The protected security process and data stores behind local accounts and policy decisions.

How Windows moves data through the TCP/IP stack, filtering layers, and endpoint APIs.