Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

explain the key differences between NTLM and Kerberos

Posted on 2007-11-21
5
Medium Priority
?
6,669 Views
Last Modified: 2008-02-01
Can someone pls explain in simple words the  the key differences between NTLM and Kerberos in windows server 2003
0
Comment
Question by:royalcyber
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 6

Accepted Solution

by:
MorDrakka earned 1500 total points
ID: 20326247
Hi,

Detailled explanation can be found here:

http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1009961,00.html

Some advantages of Kerberos:

Faster authentication
Mutual authentication
Kerberos is an open standard
Support for authentication delegation
Support for the smart card logon feature

Hope this clarifies things.
M
0
 
LVL 1

Expert Comment

by:kbitguru
ID: 20326493
Hi royalcyber,

kerberos VS NTLM:

Windows XP, Windows 2000 and Windows 2003 servers use Kerberos as default authentication protocol, when they are member of Active Directory.

Earlier versions of Windows used NTLM or NTLM2 authentication.

Kerberos is stronger authentication protocol than NTLM.

-kbITguru
0
 
LVL 26

Expert Comment

by:Pber
ID: 20327806
Along with the above comments, another great thing about kerberos is security.  

With NTLM, your password hash is sent all over the network for each resource you connect to.  So if you connect to 10 servers, your password hash will be going across the network 10 times.  Although the Hash is asymetrically encrypted and isn't actually your password, it can still be sniffed and brute force attacked.  With enough time, weak passwords can be cracked.

With Kerberos, the hash is really only sent once during logon.  After that you just send kerberos tickets across the network that contain nothing more than a time stamp.  So if you connect to 10 servers, your password hash only went across the network once.   Thus the sniffing potential is greatly reduced.
0
 

Author Comment

by:royalcyber
ID: 20341821
It says ; to use Kerberos; must configure a SPN for the domain user account

what is SPN ?

thanks for all your help!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1
0
 
LVL 26

Expert Comment

by:Pber
ID: 20349618
SPN is the service principal name.  Windows itself will register the HOST type SPN's.  To register SPN's manually you need to use the SETSPN utility.

See these:
http://www.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAServicePrincipalNameSPN.html
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbd_int_brkw.mspx?mfr=true
0

Featured Post

What’s Wrong with Your Cloud Strategy ?

Even as many CIOs are embracing a cloud-first strategy, the reality is that moving to the cloud is a lengthy process and the end-state is likely to be a blend of multiple clouds—public and private. Learn why multicloud solutions matter in this webinar by Nimble Storage.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
Many of us need to configure DHCP server(s) in their environment. We can do that simply via DHCP console on server or using MMC snap-in on each computer with Administrative Tools installed in a network. But what if we have to configure many DHCP ser…
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question