Kerberos was never broken, but it had blind spots. When Kerberos can’t be used, Windows falls back to NTLM, often in places teams don’t expect: segmented networks, remote clients, workgroups, and peer‑to‑peer scenarios. That fallback is one of the biggest blockers to fully disabling NTLM. In this deep‑dive session, hear directly from the team behind IAKerb and LocalKDC, two Kerberos extensions designed to close many of those gaps. We’ll break down where classic Kerberos fails, why NTLM gets pulled in, and how Windows now extends Kerberos to cover scenarios that previously had no secure alternative. We’ll walk through real authentication flows, concrete use cases, and lessons learned from bringing these features to life: what works, what breaks, and what to validate before you turn NTLM off. If you care about identity security, NTLM deprecation, or how Kerberos actually behaves in modern Windows environments, this session will change how you think about Windows authentication.