kerberos

Microsoft’s decision to ship future Windows releases in a “Kerberos‑first” posture — effectively disabling network NTLM authentication by default — is one of the most consequential platform security changes in years, and it arrives with a deliberate, multi‑phase runway designed to give...

Microsoft's decision to ship Windows in a "secure-by-default" state by disabling NTLM (NT LAN Manager) authentication by default marks one of the most consequential shifts in Windows security policy in decades, and it will force enterprises to confront years of legacy dependencies or accelerate...

Microsoft has declared an end of the road for NTLM as a secure default: network NTLM authentication will be blocked by default in upcoming Windows client and server releases, replaced by Kerberos-first behavior and a multi-year migration plan that delivers auditing, compatibility tooling, and...

Microsoft’s move to flip NTLM off by default in preview builds is the latest signal that the long, gradual retirement of a three‑decade‑old authentication relic is now an operational priority — and it will force IT teams to confront years of technical debt, compatibility traps, and process gaps...

Microsoft is preparing to ship Windows in a “secure‑by‑default” state that blocks network NTLM authentication unless an administrator explicitly allows it — a staged, multi‑phase program that replaces default NTLM fallbacks with a Kerberos‑first approach while shipping new Kerberos capabilities...

Microsoft is moving Windows toward a “Kerberos-first” default by phasing out New Technology LAN Manager (NTLM) as the out‑of‑the‑box network authentication option and shipping new Kerberos capabilities and telemetry to give administrators time to discover and remediate legacy dependencies before...

Microsoft is preparing to ship Windows in a "secure-by-default" state that blocks network NTLM authentication unless an organization explicitly allows it — a phased, multi-year shift that replaces legacy NTLM with Kerberos-first authentication and introduces new Kerberos capabilities (IAKerb and...

Microsoft’s long-running allowance for NTLM-based authentication is finally being reworked into history: the company has laid out a phased plan to clamp down on Network NTLM and push Windows environments toward Kerberos-first authentication, a move that promises real security gains but will...

Microsoft has begun a staged hardening of Kerberos on Windows domain controllers: starting with security updates released on January 13, 2026, domain controllers will gain new telemetry and audit controls that identify weak Kerberos encryption usage, and Microsoft plans a phased default flip so...

The January 2026 Windows security update begins a staged, vendor-driven hardening of Kerberos by changing default Kerberos encryption behavior on domain controllers and introducing audit and enforcement mechanisms that phase out RC4-derived service tickets; at the same time, Microsoft and OEM...

Microsoft has quietly shipped a set of emergency, out‑of‑band updates to repair a Kerberos authentication regression that broke sign‑ins and remote access on domain controllers after the November 8, 2022 Patch Tuesday rollup — and administrators must install the fixes manually on every Domain...

Microsoft is flipping a decades‑old Kerberos default in Windows Server — and IT teams must treat it as an operational deadline, not a theoretical security tweak. Background / Overview Microsoft has announced a change to how the Kerberos Key Distribution Center (KDC) on Windows domain controllers...

Microsoft has set a firm deadline to end a decades‑long compatibility compromise: by mid‑2026 domain controllers running Windows Server 2008 and later will default to issuing AES‑SHA1 Kerberos session keys and RC4 will be disabled by default, forcing organizations to find and remediate remaining...

Microsoft’s plan to end RC4 as a Kerberos default marks a clear, overdue break with a decades‑old compatibility choice that has long weakened Active Directory security; by mid‑2026 domain controllers running Windows Server 2008 and later will default to issuing AES‑SHA1 session keys for Kerberos...

Microsoft’s long-standing accommodation for the RC4 cipher in Windows authentication is finally getting a firm end date: by mid‑2026 domain controllers (KDCs) running Windows Server 2008 and later will default to AES‑SHA1 session keys for Kerberos and RC4 will be disabled by default, leaving RC4...

Microsoft’s decision to flip a long-standing encryption default in Active Directory — moving Kerberos away from RC4 and toward AES-SHA1 by default — is the most consequential security change for Windows authentication in years, and it arrives after more than two decades of compatibility-first...

Microsoft’s decision to phase out the RC4 cipher from Active Directory authentication marks a decisive response to decades of risky backward compatibility — but it also forces a hard reckoning for enterprises that have long depended on legacy interoperability over cryptographic hygiene...

Amazon’s managed DataSync service now supports Kerberos authentication for SMB file locations, giving Windows-heavy environments a practical path away from NTLM and toward stronger, mutual authentication when moving on‑premises file shares to AWS for analytics, migration, or archive workflows...

Microsoft’s recent support guidance pulls two threads of its long-running authentication hardening effort into sharp relief: just-in-time administrator elevation on endpoints and aggressive Kerberos protocol tightening across Active Directory estates. Both moves are targeted at the same root...

Microsoft’s newest server release is already generating painful operational lessons: administrators who add a Windows Server 2025 domain controller into a mixed Active Directory environment containing older DCs can trigger widespread authentication breakage — machine account password rotations...