royalcyber

asked on

explain the key differences between NTLM and Kerberos

Can someone please explain in simple words the key differences between NTLM and Kerberos in Windows Server 2003?
ASKER CERTIFIED SOLUTION
MorDrakka
kbitguru

Hi royalcyber,

Kerberos vs NTLM:

Windows XP, Windows 2000 and Windows 2003 servers use Kerberos as the default authentication protocol when they are members of Active Directory.

Earlier versions of Windows used NTLM or NTLM2 authentication.

Kerberos is a stronger authentication protocol than NTLM.

-kbITguru
Pber

Along with the above comments, another great thing about Kerberos is security.

With NTLM, your password hash is sent all over the network for each resource you connect to. So if you connect to 10 servers, your password hash will be going across the network 10 times. Although the hash is asymmetrically encrypted and isn't actually your password, it can still be sniffed and brute force attacked. With enough time, weak passwords can be cracked.

With Kerberos, the hash is really only sent once during logon. After that you just send Kerberos tickets across the network that contain nothing more than a time stamp. So if you connect to 10 servers, your password hash only went across the network once. Thus the sniffing potential is greatly reduced.
royalcyber

ASKER

It says: to use Kerberos, must configure an SPN for the domain user account

What is SPN?

Thanks for all your help!

SPN is the service principal name. Windows itself will register the HOST-type SPNs. To register SPNs manually you need to use the SETSPN utility.

See these:
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAServicePrincipalNameSPN.html
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbd_int_brkw.mspx?mfr=true
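
An added example, not part of the original answer: a Python check that parses SPN strings in the `serviceclass/host:port/servicename` form and flags any SPN registered on more than one account, a condition under which the KDC cannot pick a single account key and Kerberos authentication to that service fails. The account names, host names and the export layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: account -> servicePrincipalName values, as an
# inventory export might list them. All names here are hypothetical.
SAMPLE = {
    "WEB01$": ["HOST/web01", "HOST/web01.corp.example"],
    "svc-sql": ["MSSQLSvc/db01.corp.example:1433"],
    "svc-sql-old": ["mssqlsvc/DB01.corp.example:1433"],
    "svc-web": ["HTTP/intranet.corp.example"],
}


def parse_spn(spn):
    """Split 'class/host[:port][/servicename]' into a normalized tuple.

    SPN matching in Active Directory is case-insensitive, so every
    component is lowercased before comparison.
    """
    parts = spn.strip().split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {spn!r}")
    host, _, port = parts[1].partition(":")
    if not host:
        raise ValueError(f"SPN has no host component: {spn!r}")
    service_name = parts[2].lower() if len(parts) == 3 else None
    # The part after ':' is kept as text: it may be a port or an instance name.
    return (parts[0].lower(), host.lower(), port.lower() or None, service_name)


def find_duplicates(accounts):
    """Return {normalized SPN: [accounts]} for SPNs held by more than one account."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[parse_spn(spn)].add(account)
    return {key: sorted(names) for key, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for key, names in find_duplicates(SAMPLE).items():
        service_class, host, port, _ = key
        label = f"{service_class}/{host}" + (f":{port}" if port else "")
        print(f"duplicate SPN {label} on accounts: {', '.join(names)}")
```
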