From: Paul Leach (paulle_at_WINDOWS.MICROSOFT.COM)
Date: Sat, 11 Sep 2004 13:33:14 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> -----Original Message-----
> From: Windows NTBugtraq Mailing List
> [mailto:NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM] On Behalf Of David Schenz
> Sent: Friday, September 10, 2004 9:37 AM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Re: kerberos!
> Two important points need to be remembered here: first, in order to
> a domain in the first place, NTLMv2 is still necessary (as the joining
> member is not a part of the Kerberos realm),
[Paul Leach] A small nit: this is not true; Kerberos is used to join
machines to the domain -- the _user_ has a domain account that can be
authenticated with Kerberos, even though the machine does not.
> and second, windows
> requires NTLMv2 to authenticate when opening a cif share via ip
> Authentication falls back to NTLMv2 if Kerberos can't meet the
> So yes, you're certainly right in that it is less secure.
> as currently designed, fallback to NTLMv2 is still necessary.
[Paul Leach] Actually, even if fallback to NTLM were never necessary,
there are a large number of protocols in Windows, primarily ones for
remote administration, that simply do not support Kerberos; they
explicitly specify NTLM. It is for this reason that NTLM is not disabled
by default. It is our intent to remove all such explicit specification
of NTLM by anything shipped with Windows in Longhorn.
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.