Microsoft Brings IAKerb and LocalKDC Preview Closer to NTLM’s End on Windows
For several years, Microsoft has wanted to move away from the NTLM protocol on Windows in favor of Kerberos. At its Build 2026 event, Microsoft announced the upcoming preview release of two components designed to help make that happen: IAKerb and LocalKDC.
Microsoft has had a hard time eliminating NTLM from Windows. The topic keeps coming back into the spotlight and has dragged on for years, proof that NTLM is deeply rooted in how Windows works.
To reach that goal, Microsoft plans to rely on two new components for Windows and Windows Server: IAKerb and LocalKDC. Have you heard those names before? Possibly, since Microsoft already talked about them in October 2023.
Two and a half years later, we are getting closer to phase 2 of Microsoft’s NTLM end-of-life roadmap announced in February 2026, where these two components are set to enter the picture. Phase 1 has been in place since 2025 with the addition of new auditing capabilities to identify NTLM connections.
IAKerb and LocalKDC: the combination to eliminate NTLM
Microsoft will introduce two components to Windows designed to extend the use of Kerberos in scenarios that historically ended up falling back to the NTLM protocol:
- IAKerb (Initial and pass-through Authentication for Kerberos)
This feature allows the target service to act as a proxy for Kerberos message exchanges. It is especially useful when the client can reach the application server but does not have direct network connectivity to the domain controller (DC).
It is an ideal solution for segmented network topologies, remote or cloud-connected access, and architectures where communication paths to DCs are restricted.
"This is important because reducing the use of NTLM for enterprise identities helps strengthen defenses against credential theft and relay attack vectors, including forms of lateral movement that previously relied on NTLM fallback," Microsoft explains.
- LocalKDC
This is a local implementation of a Key Distribution Center (KDC), the service used by Active Directory domain controllers, but built directly into Windows.
This is necessary because, until now, authentication with a local account across multiple machines depended on NTLM. LocalKDC fills that gap by allowing Windows to use Kerberos mechanisms for local identities (that is, identities that do not belong to a domain).
This operating mode targets workgroup environments or administration and resource access scenarios involving local identities.
What you need to understand: Windows needs these two components to reduce its dependence on NTLM while still being able to use Kerberos for authentication scenarios encountered in enterprise and local environments.
These new features will arrive by the end of the month in public evaluation builds available to Windows Insiders through the Canary channel.
Configuring IAKerb and LocalKDC
Although this probably does not reflect the final configuration, Microsoft has provided instructions for configuring IAKerb and LocalKDC in this public preview.
In practice, the status will be as follows:
- IAKerb will be enabled by default.
- LocalKDC will be disabled by default.
- Both features will be configurable through registry keys (the supported values for this preview are DisableIAKerb and DisableLocalKDC).
No GPO, no Intune settings for now. Microsoft will add these settings later, once the features are more mature.
For now, enterprises can use this preview to test these future authentication mechanisms on a test machine. It is a good opportunity to see whether NTLM fallback is still happening (and to understand why) in order to prepare for what comes next…
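To support that kind of test, here is an added PowerShell example (not Microsoft's code and not part of the original article). It reports the preview registry state and then lists recent NTLM logons from the Security log, which is the quickest way to see whether fallback is still happening on a test machine and which accounts, logon types and processes are involved. Two assumptions are labelled in the code: the article names the values DisableIAKerb and DisableLocalKDC but not the key they live under, so the path is a placeholder to replace with the one from Microsoft's preview instructions, and the meaning of the DWORD values (1 disables, 0 enables) is assumed from their names.

```powershell
# Added example, not Microsoft's code. Reports the preview IAKerb/LocalKDC
# registry state and lists recent NTLM logons so NTLM fallback on a test
# machine can be spotted and explained. Run from an elevated session
# (reading the Security log requires it).
#
# ASSUMPTION: placeholder key; the article names the values but not their key.
$PreviewKey = 'HKLM:\SOFTWARE\PLACEHOLDER\KerberosPreview'

function Get-PreviewFeatureState {
    param([string]$Key = $PreviewKey)
    # Defaults stated in the article: IAKerb enabled, LocalKDC disabled.
    # ASSUMPTION: a DWORD of 1 disables the feature, 0 enables it.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $iakerbDisabled = $false
    $localKdcDisabled = $true
    if ($null -ne $props) {
        if ($null -ne $props.DisableIAKerb)   { $iakerbDisabled   = ([int]$props.DisableIAKerb   -eq 1) }
        if ($null -ne $props.DisableLocalKDC) { $localKdcDisabled = ([int]$props.DisableLocalKDC -eq 1) }
    }
    [pscustomobject]@{
        KeyPresent      = ($null -ne $props)
        IAKerbEnabled   = -not $iakerbDisabled
        LocalKDCEnabled = -not $localKdcDisabled
    }
}

function Get-NtlmLogons {
    param([int]$Hours = 24, [int]$MaxEvents = 1000)
    # Event 4624 (successful logon) records the authentication package used.
    # Filtering by time and ID server-side avoids scanning the whole log.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    LogonType   = $d['LogonType']      # 3 = network logon, the usual fallback case
                    Workstation = $d['WorkstationName']
                    SourceIp    = $d['IpAddress']
                    Process     = $d['ProcessName']
                }
            }
        }
}

# Usage: show feature state, then summarise who is still authenticating with NTLM.
Get-PreviewFeatureState | Format-List
$ntlm = @(Get-NtlmLogons -Hours 24)
"NTLM logons in the last 24 hours: $($ntlm.Count)"
$ntlm | Group-Object User, LogonType | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The grouping by account and logon type is what makes the "why" answerable: network logons (type 3) from local accounts point at the workgroup and local-identity scenario LocalKDC is meant to cover, while domain accounts still falling back to NTLM from segmented hosts are the case IAKerb targets. Success events are audited by default; if the machine also logs failed logons (4625), the same parsing applies.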
According to Microsoft’s roadmap, which I have included below, phase 3 is when Microsoft plans to disable NTLM by default on Windows and Windows Server. This will be coordinated with the release of the next version of Windows Server, likely at the end of 2027.

Find Microsoft’s official announcement on this page.