Solved

explain the key differences between NTLM and Kerberos

Posted on 2007-11-21
5
6,661 Views
Last Modified: 2008-02-01
Can someone pls explain in simple words the  the key differences between NTLM and Kerberos in windows server 2003
0
Comment
Question by:royalcyber
5 Comments
 
LVL 6

Accepted Solution

by:
MorDrakka earned 500 total points
ID: 20326247
Hi,

Detailled explanation can be found here:

http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1009961,00.html

Some advantages of Kerberos:

Faster authentication
Mutual authentication
Kerberos is an open standard
Support for authentication delegation
Support for the smart card logon feature

Hope this clarifies things.
M
0
 
LVL 1

Expert Comment

by:kbitguru
ID: 20326493
Hi royalcyber,

kerberos VS NTLM:

Windows XP, Windows 2000 and Windows 2003 servers use Kerberos as default authentication protocol, when they are member of Active Directory.

Earlier versions of Windows used NTLM or NTLM2 authentication.

Kerberos is stronger authentication protocol than NTLM.

-kbITguru
0
 
LVL 26

Expert Comment

by:Pber
ID: 20327806
Along with the above comments, another great thing about kerberos is security.  

With NTLM, your password hash is sent all over the network for each resource you connect to.  So if you connect to 10 servers, your password hash will be going across the network 10 times.  Although the Hash is asymetrically encrypted and isn't actually your password, it can still be sniffed and brute force attacked.  With enough time, weak passwords can be cracked.

With Kerberos, the hash is really only sent once during logon.  After that you just send kerberos tickets across the network that contain nothing more than a time stamp.  So if you connect to 10 servers, your password hash only went across the network once.   Thus the sniffing potential is greatly reduced.
0
 

Author Comment

by:royalcyber
ID: 20341821
It says ; to use Kerberos; must configure a SPN for the domain user account

what is SPN ?

thanks for all your help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1
0
 
LVL 26

Expert Comment

by:Pber
ID: 20349618
SPN is the service principal name.  Windows itself will register the HOST type SPN's.  To register SPN's manually you need to use the SETSPN utility.

See these:
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAServicePrincipalNameSPN.html
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbd_int_brkw.mspx?mfr=true
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Email missing from Outlook but still on Exchange server 6 87
how to check the account lockout counter? 6 67
need help with active directory 4 56
ticket bloat 3 48
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question