The NT LAN Manager (NTLM) Authentication Protocol is used in Windows for authentication between clients and servers.
Starting with the Windows 2000 Server operating system and continuing with subsequent versions of the operating system according to the applicability list in section 7, Kerberos authentication [MS-KILE] replaces NTLM as the preferred authentication protocol. The Kerberos extensions specified in [MS-KILE] provide additional capability for authorization information, including group memberships, interactive logon information, and integrity levels, as well as constrained delegation and encryption supported by Kerberos principals.
However, NTLM can be used when the Kerberos Protocol Extensions (KILE) do not work, such as in the following scenarios:
One of the machines is not Kerberos-capable.
The server is not joined to a domain.
The KILE configuration is not set up correctly.
The implementation chooses to directly use NLMP.
Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in RFC 2119. Sections 1.5 and 1.9 are also normative but cannot contain those terms. All other sections and examples in this specification are informative.