Solved

Kerberos and NTLM

Posted on 2013-01-02
3
647 Views
Last Modified: 2013-03-23
Hi

We are using Windows 2003 AD.

We have many different applications, and some need to authenticate to AD using either Kerberos or NTLM.

Could someone please clear a few things up for me -

i. Which one is the 'preferred' authentication mechanism - Kerboros or NTLM?

ii. MS products such as Outlook, SharePoint etc - which one do they use?

iii. If I used a product like Wireshark for example, is it possible to see which authentication mechanism was being used?

iv. Are there any benefits to using Kerberos over NTLM (or vice-versa)

v. Which one is the 'newer' protocol?

vi. Can their ports be changed?
0
Comment
Question by:redman20111
  • 2
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 38736233
Kerberos is preferred and default

They should be using kerberos for AD authentication

You can use a network sniffer but take a look at these two articles from the askds team...not easy to audit NTLM.  It should also help with your questions.

http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx

http://blogs.technet.com/b/askds/archive/2012/03/29/3478646.aspx

Thanks

Mike
0
 

Author Comment

by:redman20111
ID: 38736700
Hello Mike

Thanks for the info...so if we had an application that used NTLM to authenticate, what are the downsides of that for us? Should we push the vendors to utilise Kerberos?

Or are there any advantages of NTLM over Kerberos?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38736841
I can't think of NTLM advantages.   Yes push vendors to use Kerberos and if they can't ask them why not.   They have had plenty of time...the blog below is from 2006

http://blogs.technet.com/b/authentication/archive/2006/04/07/ntlm-s-time-has-passed.aspx


Thanks

Mike
0

Join & Write a Comment

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now