Microsoft Introduces New Kerberos Features to Help Replace NTLM in Windows 11


[Image: Microsoft / NTLM. Image credit: Microsoft]

Microsoft is continuing its effort to reduce reliance on NTLM authentication in Windows. The company has announced new Kerberos-based capabilities that will arrive in upcoming Windows 11 client and server Insider builds, helping organizations move away from the legacy authentication protocol.

The new features are designed to cover scenarios that traditionally required NTLM. Microsoft says the additions will provide developers and IT administrators with more secure and consistent authentication methods while maintaining compatibility across a variety of environments.

The announcement follows Microsoft’s ongoing efforts to modernize Windows authentication and strengthen security through Kerberos-based technologies. Microsoft detailed the changes in a recent Windows Insider Preview blog post.

Microsoft introduces two Kerberos extensions to replace NTLM

To reduce NTLM dependency, Microsoft is introducing Initial and Pass-Through Authentication using Kerberos (IAKerb), a Kerberos/GSS-API extension that has been specified in an IETF draft, along with a Local Key Distribution Center (LocalKDC).

Both technologies are designed to enable Kerberos authentication in situations where NTLM has historically been required.

Microsoft says these additions will help organizations adopt a more modern authentication model while improving security and reducing reliance on older protocols.

IAKerb enables authentication without direct domain controller access

One of the most significant additions is IAKerb, which allows Kerberos authentication to function even when a client device cannot directly communicate with a domain controller (the KDC).

Instead of requiring the client to reach the KDC itself, the target service acts as a proxy: the client wraps its ticket requests (the AS and TGS exchanges) inside the authentication exchange it is already having with the service, and the service forwards them to the domain controller and relays the replies back. Only the service needs network reachability to a domain controller; the client never talks to it directly.

This capability can be particularly useful in enterprise environments where domain controllers are not directly visible to client devices due to network architecture or security restrictions.

By enabling Kerberos in these scenarios, Microsoft hopes to eliminate another common reason organizations continue using NTLM.

LocalKDC brings Kerberos to local accounts

Microsoft is also introducing LocalKDC, which runs a Key Distribution Center on the machine itself so that Kerberos can authenticate the machine's local accounts.

The feature is intended for standalone PCs, workgroup deployments, and other scenarios that traditionally relied on NTLM because no domain KDC was available, for example a remote logon with a local account to a workgroup file server.

LocalKDC allows organizations to use Kerberos authentication in a wider range of deployments, creating a more consistent authentication experience across Windows devices.

Together, IAKerb and LocalKDC are expected to significantly reduce NTLM usage in both enterprise and local environments.

Insider preview arrives soon

The new capabilities will first appear in an upcoming Canary Channel build of the Windows Insider Program.

Microsoft says IAKerb will be enabled by default in the preview release, allowing organizations to begin testing immediately.

LocalKDC will remain disabled by default during the preview period. Users who want to test the feature will be able to enable it manually through Windows Registry keys.

The company also plans to add support for management tools and Group Policy settings as the features move closer to general availability.

Part of Microsoft’s long-term NTLM retirement plan

Microsoft has spent several years working toward reducing NTLM usage across Windows. The company previously launched Kerberos hardening initiatives and warned administrators about authentication changes that could impact enterprise login processes.

The introduction of IAKerb and LocalKDC addresses several remaining use cases where NTLM has continued to be necessary.

Microsoft is encouraging customers who still rely on NTLM to begin testing and validating these new capabilities as soon as they become available. Early testing will help organizations prepare for future authentication changes and identify potential compatibility issues before broader deployment.
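The first step in that validation is knowing where NTLM is still used. The following PowerShell script is an added example, not code from Microsoft's announcement or the Insider build: it reports the host's current "Restrict NTLM" policy values (the registry values behind the Group Policy settings under Security Options) and lists successful logons (Security event 4624) that used the NTLM authentication package, grouped by account, client workstation and NTLM version. It assumes an elevated session, that the host writes logon events to the Security log (the default), and a look-back window of seven days, which is an arbitrary choice.

```powershell
# Added example: inventory NTLM use on a Windows host before testing IAKerb / LocalKDC.
# Run in an elevated PowerShell session; reading the Security log needs administrator rights.
# Assumptions: logon auditing writes event 4624 to the Security log (default);
# $Days is an arbitrary look-back window.
param(
    [int]$Days = 7
)

# 1. Current NTLM restriction / audit policy. These values back the
#    "Network security: Restrict NTLM: ..." settings in Security Options.
#    A missing value means "not configured", which behaves like 0.
$msv    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$policy = Get-ItemProperty -Path $msv -ErrorAction SilentlyContinue
[pscustomobject]@{
    AuditReceivingNTLMTraffic    = $policy.AuditReceivingNTLMTraffic    # 0 off, 1 domain accounts, 2 all accounts
    RestrictReceivingNTLMTraffic = $policy.RestrictReceivingNTLMTraffic # 0 allow all, 1 deny domain accounts, 2 deny all
    RestrictSendingNTLMTraffic   = $policy.RestrictSendingNTLMTraffic   # 0 allow all, 1 audit all, 2 deny all
} | Format-List

# 2. Successful logons (event 4624) whose authentication package was NTLM.
$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$ntlm = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['AuthenticationPackageName'] -eq 'NTLM') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            LogonType   = $d['LogonType']      # 3 = network (shares, RPC), 2 = interactive, 10 = RDP
            LmPackage   = $d['LmPackageName']  # 'NTLM V1' or 'NTLM V2'
            Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

# 3. Summarize which accounts and clients still fall back to NTLM, and whether
#    any of them are still negotiating NTLMv1.
$ntlm |
    Group-Object Account, Workstation, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Account / Workstation / LmPackage'; e = { $_.Name } } |
    Format-Table -AutoSize

if ($ntlm | Where-Object LmPackage -eq 'NTLM V1') {
    Write-Warning 'NTLMv1 logons observed; these should be the first to migrate to Kerberos.'
}
```

The interesting rows are network logons (LogonType 3) against local accounts on workgroup machines, which is the LocalKDC case, and logons from clients that cannot reach a domain controller, which is the IAKerb case. Setting the audit-only values above (AuditReceivingNTLMTraffic = 2, RestrictSendingNTLMTraffic = 1) additionally records each NTLM use in the Microsoft-Windows-NTLM/Operational log without blocking anything, which is the safer way to build the inventory on production hosts.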

Although Microsoft has not announced a date for NTLM’s complete removal, the latest announcement represents another major step toward a Kerberos-first authentication model across Windows.
