Re: Authentication NTLM vs Kerberos

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 08/19/04


Date: Thu, 19 Aug 2004 14:39:11 +0200

Hi Jose,

For security reasons you should use Kerberos (though NTLM v2 is not all that
bad either). Working with Kerberos is no more work than working with NTLM.
The only thing you have to pay attention to is to have your server's time
synchronized with an outside reliable time source. All domain members then
synchronize with the domain controller's time.
If a client's time is for some reason off by more than 5 minutes, the client won't
be able to log on to the domain.

Old clients (Windows 98, Windows NT, ...) will still be able to log on to the
domain (as much as they did before), by falling back to NTLM (NTLM v2 if
possible)...

I hope this helps,

Mike
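The clock-skew point above is the one thing that breaks Kerberos logons silently, so here is a small check for it. This is an added example, not part of the newsgroup post: it uses `w32tm /stripchart` to sample this host's offset against a reference computer and compares the worst sample with the Kerberos tolerance. It assumes `w32tm.exe` is available, the reference host (placeholder name `dc01.example.local`) answers NTP, and the default 5-minute policy is in effect.

```powershell
# Added example (not from the newsgroup post): measure this host's clock
# offset against a reference computer and compare it with the Kerberos
# skew tolerance discussed above. Assumptions: w32tm.exe is present,
# the reference host answers NTP, and the default 5-minute policy applies.
param(
    [string]$Reference = "dc01.example.local",   # placeholder DC name
    [int]$Samples = 5,
    [int]$MaxSkewSeconds = 300                    # default Kerberos tolerance
)

# With /dataonly, each sample line from w32tm looks like
# "14:39:11, +00.0123456s" (local time, then offset from the reference).
# Lines that report an error instead of an offset simply do not match.
$raw = & w32tm.exe /stripchart /computer:$Reference /samples:$Samples /dataonly 2>&1

$offsets = foreach ($line in $raw) {
    if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Error "No samples from $Reference (is it reachable and serving NTP?)"
    exit 2
}

# Use the largest absolute offset seen; a single bad sample is enough to
# push a ticket request outside the allowed window.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
          Measure-Object -Maximum).Maximum

[pscustomobject]@{
    Reference      = $Reference
    Samples        = @($offsets).Count
    WorstOffsetSec = [math]::Round($worst, 3)
    MaxSkewSec     = $MaxSkewSeconds
    KerberosOK     = ($worst -lt $MaxSkewSeconds)
}

if ($worst -ge $MaxSkewSeconds) {
    Write-Warning ("Clock skew exceeds the Kerberos tolerance; Kerberos logons " +
                   "will fail and clients may fall back to NTLM. Resync the clock " +
                   "(w32tm /resync) and check the time source chain.")
    exit 1
}
```

Run it against the domain controller that the machine authenticates to; an exit code of 1 means the host is outside the window Mike describes and would currently fail Kerberos logon.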

"Jose Troncoso" <jtroncoso@bpd.com.do> wrote in message
news:OE7BEbehEHA.1156@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> We've just migrated our domains from NT 4.0 to Windows 2003 but are still
> emulating NTLM authentication (via registry). We've tricked authentication
> on some of the computers that are not in our domain by creating local
> accounts in the computers that are not in the domain and domain accounts
> (same username, same password).
>
> After we migrated to Windows 2003, we're in the dilemma that if we stop
> emulating NTLM, this tricky authentication won't work, because the
> authentication will be username@somedomain.com against username, password.
>
> Is there a tricky authentication mode in Kerberos to maintain my 'old
> tricky NTLM authentication'?
>
> Your comments,
>
> Jose Troncoso
> Security Administrator
> Banco Popular Dominicano
>
>
