Microsoft has started rolling out two long-awaited Kerberos extensions, IAKerb and LocalKDC, to Windows 11 Insider Canary builds in June 2026. Together they close the authentication gap that has forced Windows to fall back to the legacy and weaker NTLM protocol whenever a domain controller is unreachable or blocked on the network, and whenever the account being used is a local account rather than a domain account. With these additions, the company now has a credible path to disabling NTLM entirely in Windows environments.

For years, enterprise administrators and security engineers have wrestled with the stubborn reality that Kerberos, the standard for Windows domain authentication, requires the client to reach a domain controller directly. In segmented networks, branch offices, VPN scenarios, or after a firewall change, Kerberos fails and the Negotiate stack silently drops back to NTLM. NTLM never sends the password itself, but its challenge-response is computed from the NT hash, which makes the hash a password equivalent (pass-the-hash); captured responses can be cracked offline, and a live exchange can be relayed to another server unless signing or channel binding is enforced.

Microsoft declared NTLM deprecated years ago, but the operating system kept it as a safety net. IAKerb and LocalKDC strip away that safety net: IAKerb lets a client reach a KDC through the server it is already talking to, and LocalKDC gives every Windows machine its own KDC for local accounts, so Kerberos works even where no domain controller is involved at all. The June 2026 Canary build finally delivers that plumbing to Windows clients.

How IAKerb extends Kerberos beyond the traditional network

IAKerb (Initial and Pass Through Authentication Using Kerberos, an IETF draft extension) lets a client that has no line of sight to a KDC authenticate anyway. Instead of sending its AS-REQ and TGS-REQ to a domain controller over UDP or TCP port 88, the client hands those Kerberos messages to the application server it is connecting to, inside the Negotiate (SPNEGO) token exchange of whatever protocol it is using, such as SMB, RDP, WinRM or HTTP. The server, which does have line of sight to a domain controller, forwards the messages to the KDC and passes the replies back. A laptop on a VPN that blocks port 88 to the domain controllers can therefore still obtain a service ticket for a file server, because the file server proxies the KDC exchange on its behalf.

Behind the scenes, IAKerb is a GSS-API mechanism negotiated through the Negotiate security support provider (SSP). When the client-side Kerberos SSP cannot reach a domain controller, Negotiate offers IAKerb to the server; if the server supports it, the client's AS-REQ or TGS-REQ travels inside the server's own protocol, the server relays it to a domain controller (or to its local KDC for a local account) and returns the reply in the next token. All of this is opaque to applications that already use Negotiate, so no code changes are needed. The domain controller sees ordinary Kerberos; the only new requirement is that the server run a build that supports IAKerb.

LocalKDC: Kerberos without a domain controller

LocalKDC is a Key Distribution Center that runs on the Windows machine itself, backed by the local Security Account Manager (SAM) database. It issues Kerberos tickets for the machine's local accounts, a job that until now always fell to NTLM. Think of logging on to a laptop with a local account in an airplane hangar with no network, a workgroup or standalone server that was never domain-joined, or an administrator connecting to a box with its built-in local Administrator account. Combined with IAKerb, a remote client can authenticate to such a machine with Kerberos: the target server relays the client's KDC exchange to its own LocalKDC. LocalKDC fills that gap.

Microsoft originally announced LocalKDC alongside IAKerb in an October 2023 Windows IT Pro blog post on the evolution of Windows authentication. The two cover the two situations that previously had no Kerberos option: a client that cannot reach a domain controller through any path, and authentication with an account that is local to the target machine. Removing both eliminates the last NTLM fallback and gives administrators a deterministic way to disable NTLM across a fleet.

How the two work together

In the new Canary build, the Negotiate stack on Windows 11 works through the following options: first, native Kerberos over TCP/UDP to a domain controller; second, Kerberos relayed via IAKerb through the server the client is connecting to; third, for local accounts, Kerberos against the target machine's LocalKDC; and only if no Kerberos path exists will it consider NTLM, and even that can now be turned off with Group Policy. Enrollment is gated behind a feature flag that administrators can manage via MDM or local policy, so organizations can test the new flows before blocking NTLM permanently.

There is no separate relay service to deploy: the relay is the server that hosts the service the client wants. That server must run a build with IAKerb support and must itself either reach a domain controller or hold the account in its local SAM, where LocalKDC answers. Because the Kerberos messages ride inside the application protocol, placing a server behind a reverse proxy or load balancer changes nothing for IAKerb, which is what gives internet-connected clients a path back to the corporate domain controllers without opening Kerberos ports to them.

Real-world impact on authentication failures

Anyone who has spent a Monday morning troubleshooting a sudden spike in NTLM authentication after a weekend firewall change knows the pain. A server team tightens a rule, and suddenly a subset of users can’t map a network drive or authenticate to a web app because Kerberos can’t reach a DC, yet the users still get in — silently — over NTLM. The session succeeds, so the help desk doesn’t even notice until a compliance scan flags the NTLM traffic.

IAKerb fixes that by providing a fallback path that stays pure Kerberos. The security difference is real. NTLM responses are derived from the NT hash, so the hash is a password equivalent; NTLMv2 resists offline cracking better than v1, but relay attacks remain wherever signing or channel binding is not enforced. Kerberos, relayed through IAKerb or not, never puts a password equivalent on the wire: tickets are encrypted under the service's long-term key, bound to a named service and a lifetime, and each exchange carries a fresh session key. Two caveats apply. The application server now sees the (encrypted) AS and TGS messages it relays, and pre-authentication data remains crackable offline against weak passwords, so AES encryption types and strong passwords still matter. Audit logs also gain fidelity: an IAKerb logon is recorded as a Kerberos authentication, giving SecOps teams a single authentication package to monitor.

NTLM disabling becomes practical

Microsoft's long-term roadmap has targeted the complete removal of NTLM from Windows. Group Policy already contains the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" setting, but enabling it often breaks legitimate applications that unknowingly depend on the fallback. With IAKerb and LocalKDC, an administrator can first audit NTLM usage, verify that the servers clients depend on support IAKerb, push the LocalKDC feature, and then finally toggle the NTLM block without locking field devices out.

Early Insider testers report that the experience is seamless for common workloads like SMB file shares, Remote Desktop, and WinRM, provided the target servers support IAKerb and can reach a domain controller. The LocalKDC beta ships with a 15-minute default ticket lifetime and only works for computer account authentication in this first release; user ticket support is slated for a future build.

Performance and compatibility notes

Relaying the AS and TGS exchanges through the application server adds round trips, so latency is somewhat higher than native Kerberos. In Microsoft's internal telemetry, a typical ticket-granting exchange takes about 30 milliseconds over native Kerberos and 80 to 120 milliseconds over IAKerb. For interactive logons, that is invisible; for high-frequency service-to-service calls, administrators will want to keep native Kerberos reachable where possible and rely on IAKerb as a true fallback rather than the primary path.

The client and server components are already integrated into Windows Server 2025 and the identical code runs on Windows 11 24H2, but Microsoft waited until the June 2026 Canary build to expose the feature flags to insiders. The company plans a slow rollout: phase one (June-July 2026) enables IAKerb and LocalKDC for Canary insiders who opt in; phase two (August-September) expands to Dev and Beta channels; general availability is expected with the 24H2 Moment update in the second half of 2026.

Wider industry shift

The authentication industry has been moving toward token-based protocols like OAuth2 and FIDO for years, but inside a Windows domain, Kerberos remains the backbone of identity. Microsoft's investment in IAKerb and LocalKDC demonstrates that Kerberos is not legacy; it is being modernized to fit segmented and zero-trust architectures. By letting Kerberos messages ride the application protocol through any server that can reach a domain controller, authentication survives network changes that previously broke it.

This also benefits hybrid-joined and Microsoft Entra joined (formerly Azure AD joined) machines. Today, when such devices fall back to NTLM because they cannot reach an on-premises domain controller, they violate the "no legacy authentication" policy many organizations have adopted. With IAKerb, such a device obtains tickets through any IAKerb-capable on-premises server it can reach, bringing full Kerberos authentication to cloud-managed endpoints without a VPN path to the domain controllers themselves.

What administrators need to do now

The first step is to inventory NTLM usage across the estate. Microsoft's NTLM blocking guidance remains: turn on auditing, identify the services that still produce NTLM traffic, and migrate them to Kerberos or modern authentication. With the June 2026 build, IT teams can pilot IAKerb with a group of clients and a set of servers that support it, starting with SMB shares, and confirm in the Security log that those logons now arrive as Kerberos rather than NTLM.

Group Policy templates for the feature are already present in the June 2026 Cumulative Update. Because a domain controller only ever sees ordinary Kerberos, domain controllers don't need an upgrade; the client and the server that relays for it are what must run an IAKerb-capable build. LocalKDC is backed by each machine's local SAM, so it needs no Active Directory schema change, and local account policy continues to be set on the machine itself.
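The audit-then-block procedure described in the two sections above (inventory NTLM, pilot IAKerb, then enforce the outgoing block), as an added PowerShell example. This is not code from the article or from Microsoft. It reads the MSV1_0 registry values that back the "Network security: Restrict NTLM" policies, reduces 4624 logon events to the fields that distinguish Kerberos (which an IAKerb logon is recorded as) from NTLM, counts the NTLM operational audit events, and stages the outgoing block. The sample event is constructed for an offline check; `Get-WinEvent` supplies real ones in an elevated session.

```powershell
# Added example, not the article's or Microsoft's code. Registry value names
# are the real MSV1_0 values behind the Restrict-NTLM Group Policy settings.
$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Meaning of each Restrict-NTLM value (value absent = policy not configured).
$NtlmPolicyMeaning = @{
    RestrictSendingNTLMTraffic   = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }
    RestrictReceivingNTLMTraffic = @{ 0 = 'Allow all'; 1 = 'Deny domain accounts'; 2 = 'Deny all accounts' }
    AuditReceivingNTLMTraffic    = @{ 0 = 'Disabled'; 1 = 'Domain accounts'; 2 = 'All accounts' }
}

function Get-NtlmPolicyState {
    # Reports the current outgoing/incoming NTLM restriction and audit state.
    foreach ($name in $NtlmPolicyMeaning.Keys) {
        $raw = (Get-ItemProperty -Path $Msv1Key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting = $name
            Value   = $raw
            Meaning = if ($null -eq $raw) { 'Not configured' } else { $NtlmPolicyMeaning[$name][[int]$raw] }
        }
    }
    # Servers exempted from the outgoing block ("Add remote server exceptions").
    $exceptions = (Get-ItemProperty -Path $Msv1Key -Name ClientAllowedNTLMServers -ErrorAction SilentlyContinue).ClientAllowedNTLMServers
    [pscustomobject]@{ Setting = 'ClientAllowedNTLMServers'; Value = ($exceptions -join ','); Meaning = 'Exception list' }
}

function ConvertFrom-LogonEventXml {
    # Reduces one 4624 event (XML text) to the fields that matter for the inventory.
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Package     = $d['AuthenticationPackageName']   # 'Kerberos', 'NTLM' or 'Negotiate'
            NtlmVersion = $d['LmPackageName']               # 'NTLM V1', 'NTLM V2' or '-'
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            LogonType   = [int]$d['LogonType']             # 3 = network, 10 = RemoteInteractive
        }
    }
}

function Get-LiveLogonEvents {
    # Pulls the last N hours of successful logons from the Security log.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml
}

function Get-NtlmAuditEventCounts {
    # With audit mode on, NTLM that a block would stop is logged here:
    # 8001 outgoing to a remote server, 8002 incoming from a client,
    # 8003 domain-account use seen by a DC, 8004 blocked by a DC.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } -ErrorAction SilentlyContinue |
        Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

function Set-OutgoingNtlmMode {
    # Mode 1 = audit only (logs 8001 without breaking anything), 2 = deny.
    # Servers in the exception list (e.g. an NTLM-only printer) stay allowed.
    param([ValidateSet(1, 2)][int]$Mode, [string[]]$AllowedServers = @())
    Set-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic -Value $Mode -Type DWord
    if ($AllowedServers) {
        Set-ItemProperty -Path $Msv1Key -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

# Constructed sample 4624 event (not a real capture) for an offline check of the parser.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="LmPackageName">NTLM V2</Data>
    <Data Name="WorkstationName">LAPTOP-17</Data>
    <Data Name="IpAddress">10.20.0.44</Data>
  </EventData>
</Event>
'@

$SampleEvent | ConvertFrom-LogonEventXml | Format-Table -AutoSize
Get-NtlmPolicyState | Format-Table -AutoSize
# Live inventory: how much of the last day was NTLM, and who still sends it.
Get-LiveLogonEvents -Hours 24 | Group-Object Package, NtlmVersion | Sort-Object Count -Descending | Select-Object Name, Count
Get-LiveLogonEvents -Hours 24 | Where-Object Package -eq 'NTLM' | Group-Object User, Workstation | Select-Object Name, Count | Format-Table -AutoSize
Get-NtlmAuditEventCounts
# Set-OutgoingNtlmMode -Mode 1                                               # step 1: audit
# Set-OutgoingNtlmMode -Mode 2 -AllowedServers 'mfp-lobby.corp.example'      # step 2: block, with exceptions
```

Run the inventory for at least a full business cycle before moving from mode 1 to mode 2: batch jobs and month-end processes are the classic NTLM dependencies that a 24-hour sample misses. Hostnames in the exception list are placeholders.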

The end of the NTLM era

When Microsoft first announced the deprecation of NTLM, many administrators laughed. They knew how many legacy apps, network configurations, and corner cases still depended on the protocol. IAKerb and LocalKDC are the concrete pieces that make deprecation real. For the first time, an enterprise can configure Windows to never send an NTLM response and still expect authentication to work from a coffee shop Wi-Fi, a locked-down DMZ, or a local account on an offline construction-site laptop.

There will be bumps. Third-party clients and servers whose Negotiate or GSS-API stacks implement only plain Kerberos and NTLM will not negotiate IAKerb until those stacks add it, and a server that cannot relay gives its clients no Kerberos path. Hardware devices like multifunction printers that speak only NTLM will need replacement or an exception. But the direction is clear. Windows 11's June 2026 Canary build marks the point where Kerberos finally sheds its line-of-sight dependency and NTLM's last excuse for existence disappears.

Insiders can enable the feature by joining the Windows Insider Canary channel and installing build 276xx (the exact build number will be announced in the flight bulletin). Microsoft is hosting a series of community calls and has opened a dedicated feedback hub category for IAKerb issues.