Re: IPSEC- Kerberos vs Certificates

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 06/29/04


Date: Tue, 29 Jun 2004 20:26:43 +0200

Hi,

As you said, Kerberos is quick. As far as security goes, it is very reliable.
The downside is that you can only use Kerberos inside a domain. If you want to
set up IPSec between two PCs that are not part of a domain, you can't use
Kerberos. So here you have an option to use a shared secret (not a good
security choice) and certificates (preferred in case you can't use
Kerberos)...

If you want to know which is more secure, Kerberos vs. certificates, it's
certificates, but still Kerberos is a very secure protocol...

I hope this helps you out,

Mike

"fnstrat2" <fnstrat2@discussions.microsoft.com> wrote in message
news:5C650120-4625-4A9A-8542-6BC871A2B6AF@microsoft.com...
> When deploying an IPSEC policy through Group Policy you can use one of
> three options: Kerberos (AD), a certificate server, or a shared secret.
> Kerberos seems to be the quickest and easiest way as far as managing and
> troubleshooting goes. Does anyone have any input into the pros and cons
> between using Kerberos or a CA?


