Designed with a wealth of functionality and convenience, ATEN's new Thunderbolt™ 2 Sharing Switch takes your Thunderbolt setup to the next level. Now through September 15, 2017, Experts Exchange members get 30% off the US7220 on the ATEN USA eShop using promo code EXPERTS30.
COURSE of the MONTH
10 days, 17 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Kerberos and NTLM
Posted on 2013-01-02
Hi
We are using Windows 2003 AD.
We have many different applications, and some need to authenticate to AD using either Kerberos or NTLM.
Could someone please clear a few things up for me -
i. Which one is the 'preferred' authentication mechanism - Kerboros or NTLM?
ii. MS products such as Outlook, SharePoint etc - which one do they use?
iii. If I used a product like Wireshark for example, is it possible to see which authentication mechanism was being used?
iv. Are there any benefits to using Kerberos over NTLM (or vice-versa)
v. Which one is the 'newer' protocol?
vi. Can their ports be changed?
We are using Windows 2003 AD.
We have many different applications, and some need to authenticate to AD using either Kerberos or NTLM.
Could someone please clear a few things up for me -
i. Which one is the 'preferred' authentication mechanism - Kerboros or NTLM?
ii. MS products such as Outlook, SharePoint etc - which one do they use?
iii. If I used a product like Wireshark for example, is it possible to see which authentication mechanism was being used?
iv. Are there any benefits to using Kerberos over NTLM (or vice-versa)
v. Which one is the 'newer' protocol?
vi. Can their ports be changed?
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
3 Comments
Kerberos is preferred and default
They should be using kerberos for AD authentication
You can use a network sniffer but take a look at these two articles from the askds team...not easy to audit NTLM. It should also help with your questions.
http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx
http://blogs.technet.com/b/askds/archive/2012/03/29/3478646.aspx
Thanks
Mike
They should be using kerberos for AD authentication
You can use a network sniffer but take a look at these two articles from the askds team...not easy to audit NTLM. It should also help with your questions.
http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx
http://blogs.technet.com/b/askds/archive/2012/03/29/3478646.aspx
Thanks
Mike
Hello Mike
Thanks for the info...so if we had an application that used NTLM to authenticate, what are the downsides of that for us? Should we push the vendors to utilise Kerberos?
Or are there any advantages of NTLM over Kerberos?
Thanks for the info...so if we had an application that used NTLM to authenticate, what are the downsides of that for us? Should we push the vendors to utilise Kerberos?
Or are there any advantages of NTLM over Kerberos?
I can't think of NTLM advantages. Yes push vendors to use Kerberos and if they can't ask them why not. They have had plenty of time...the blog below is from 2006
http://blogs.technet.com/b/authentication/archive/2006/04/07/ntlm-s-time-has-passed.aspx
Thanks
Mike
http://blogs.technet.com/b/authentication/archive/2006/04/07/ntlm-s-time-has-passed.aspx
Thanks
Mike
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP, Windows Server…
- Ransomware
- Experts Exchange
- Windows XP
- Windows OS
- Windows Server 2008
- Windows Server 2003, Security
This Micro Tutorial hows how you can integrate Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease.
The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month10 days, 17 hours left to enroll
770 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.