NTLMv2 versus Kerberos

haroldn705
Hi AD experts,

I'm trying to research a question, but was wondering what people's actual experience and take on this was...

From what I understand, NTLM (both v1 and v2) are outdated authentication protocols, are they not? MS have been using Kerberos since AD came into power?

We are working with a third party on authentication mechanisms. They are looking at NTLM v2 and Kerberos, whereas I can't understand why; surely Kerberos is better, or does NTLM v2 have some advantages over Kerberos?

Finally - within an AD 2003 environment, can NTLMv2 still actually work?
Commented:
We had a nice discussion on this, over this thread:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

LMhash, should not exist.

Some third party apps still use NTLMhash.

Kerberos is used for domain shares and authentication. Kerberos is default.
NTLM is typically used for single sign-on on intranets, but is being replaced by Kerberos, which is the default authentication protocol.

Author

Commented:
Thanks guys... so Kerberos would be preferred over any version of NTLM (whether it's NTLM version 1 or NTLM version 2).
Is Kerberos actually more secure and more stable than NTLM?
Top Expert 2013
Commented:
Yes, it is more secure. There are other benefits for Kerberos:

Faster
Supports smart cards natively
It's an open standard.
Symmetric and Asymmetric cryptography

There are others that I can't think of

Also, if you have an hour or so and want to see a good presentation on Kerberos, check out Mark Minasi from TechEd in 2009.

http://www.msteched.com/2009/Europe/SIA401

***and thanks to Microsoft for making the teched presentations free for all now***

Thanks

Mike

Commented:
It's not only preferred; after the download and install of SP2 for 2003 server, it becomes default. The only reason you might want backwards compatibility to NTLM is for legacy OSes or printers or some legacy software.

I like to look at Kerberos as a sort of PKI, where it uses a Certificate Authority (meaning a cert server) to authenticate and provide an access token. It is a third party that is used to verify access.

It is almost impossible to hack, if you use strong passwords. Unlike its predecessors, you can't hack one character at a time, nor does it convert characters into large case. There are also no null hashes.
NTLM: Authentication is the well-known and loved challenge-response authentication mechanism, using NTLM means that you really have no special configuration issues. As Microsoft likes to say, “It just works.”

Kerberos: It's a complex ticket-based authentication mechanism that authenticates the client to the server and authenticates the server to the client. While Kerberos is more secure, it can be a bit challenging to set up properly.
Win 2003 with the latest SP can be configured to use either NTLM or Kerberos. Well, besides being more secure, Kerberos has two key advantages that make it worth consideration.

1. Performance - Kerberos caches information about the client after authentication. This means that it can perform better than NTLM particularly in large farm environments.

2. Delegation - Kerberos can delegate the client credentials from the front-end web server to other back-end servers like SQL Server.

All-in-all, Kerberos is a superior authentication mechanism and should be your first choice.
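The practical follow-up to the "legacy OSes, printers or software" point above and to the NTLM-versus-Kerberos comparison is to find out which logons in your domain still negotiate NTLM, and which NTLM version. Below is an added example (not code from this thread or from Microsoft) that parses the text of Windows Security event 4624 records and tallies Kerberos, NTLM V2 and the weaker LM/NTLM V1 logons; the three events are constructed samples, and the field names assume the 4624 layout of Windows Server 2008 and later rather than the older event 540/528 format of Server 2003.

```python
"""Tally which authentication package each successful logon used, so that
hosts still depending on NTLM (especially LM/NTLM V1) can be found and moved
to Kerberos. The events below are constructed samples in event 4624 layout."""
import re
from collections import Counter

SAMPLE_EVENTS = """\
An account was successfully logged on.
\tAccount Name:\t\talice
\tWorkstation Name:\tWS01
\tLogon Type:\t\t3
\tAuthentication Package:\tKerberos
\tPackage Name (NTLM only):\t-
---
An account was successfully logged on.
\tAccount Name:\t\tsvc_backup
\tWorkstation Name:\tLEGACY-PRN
\tLogon Type:\t\t3
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V1
---
An account was successfully logged on.
\tAccount Name:\t\tbob
\tWorkstation Name:\tWS02
\tLogon Type:\t\t3
\tAuthentication Package:\tNTLM
\tPackage Name (NTLM only):\tNTLM V2
"""

# One "Key:<whitespace>Value" pair per line; the key may contain spaces/parens.
FIELD_RE = re.compile(r"^\s*(?P<key>[^:\n]+?):\s*(?P<val>.*?)\s*$", re.MULTILINE)

def parse_events(text):
    """Split on the '---' separator (constructed here) and return one dict per event."""
    events = []
    for chunk in text.split("---"):
        fields = {m.group("key").strip(): m.group("val") for m in FIELD_RE.finditer(chunk)}
        if fields:
            events.append(fields)
    return events

def classify(event):
    """Return 'Kerberos', the NTLM sub-package ('LM', 'NTLM V1', 'NTLM V2'), or 'other:<pkg>'."""
    pkg = event.get("Authentication Package", "")
    if pkg == "Kerberos":
        return "Kerberos"
    if pkg == "NTLM":
        return event.get("Package Name (NTLM only)", "NTLM")
    return "other:" + pkg

def summarize(text):
    """Count logons per package and list (account, workstation, kind) for LM/NTLM V1 logons."""
    counts, legacy = Counter(), []
    for ev in parse_events(text):
        kind = classify(ev)
        counts[kind] += 1
        if kind in ("LM", "NTLM V1"):  # these are the ones to chase down first
            legacy.append((ev.get("Account Name"), ev.get("Workstation Name"), kind))
    return counts, legacy
```

Run `summarize` over exported 4624 text from a domain controller to get the same two results for real data: the per-package counts, and the list of accounts and workstations still using LM or NTLM V1.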
