Which one to use: NTLM or Kerberos in SharePoint 2013?

Dear EE experts,

We would like to ask for tech support on which one to use: NTLM or Kerberos in SharePoint 2013.

Currently, we're setting up the SP2013 and we stopped at NTLM & Kerberos part, we want to ask first experts out there which one would you prefer. Because if we select NTLM, then it would be just a normal and common setup. But if we choose Kerberos, the problem is, we have no idea and experience in working using Kerberos...

- If we choose NTLM and we set Kerberos for some site application in Central Administration, that's possible right?

- Currently, we have external users who needs to access our site, they're being asked for their UN & PW, because of the Public IP site that we let them use, (http://xx.xxx.xx.xx:1111/products), and their PW expires every 41 days, because we set it from their account. Some are local accounts and some are using domain account. And the problem is, they have no idea that their password is about to expire already, how they will know if their password is expired already, the system just rejects them to login, and they will asked us to reset their password. So we want to change that to a simple login page, that will have a connection to SQL db if possible, and will alert the users if their password is about to expire.

- We've test to change from one of our site in CA, from NTLM to Kerberos, then refresh the site, it asked for UN & PW already. If we want to have our own Custom Login Page, where can we save that page?

That would be all for now, as some of our further questions are beyond our subject already... We'll just open a new question for that.

Thank you and hope to hear soon...
Stiebel EltronAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dr. KlahnPrincipal Software EngineerCommented:
NTLM security is not, well, secure any more.  RC4 has multiple attacks (about ten known ones, plus who knows how many the government has).  Per Wikipedia -

Microsoft no longer recommends NTLM in applications:

"Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) or message digest algorithms (RFC1321) for integrity, and it uses RC4 for encryption.

Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM."
Stiebel EltronAuthor Commented:
Thank you for your response Dr. Klahn,

From your response, it's obvious that you prefer Kerberos authentication rather than NTLM.
We know that this is painful way, and we don't have any experience with Kerberos Authentication, is there any guidance that you could give in regards to using Kerberos in SharePoint 2013?

Thank you and hope to hear again...
Dr. KlahnPrincipal Software EngineerCommented:
Sorry about this, but I've exhausted my knowledge with "NTLM is not secure."  It is a thing that I have run into occasionally when researching other issues.

If there is no WiFi access to your LAN, and no access to and from the internet, and no VPNs attaching to your LAN, and it's used only for TCP/IP traffic between computers (no video conferencing, no VOIP phones, no security cameras, etc.) then NTLM might be good enough.  But at some point Microsoft is probably going to say, "That's it, we're dropping support for it in all new products."

Perhaps if you make another posting asking for help on Kerberos?

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Stiebel EltronAuthor Commented:
Thank you for your kind explanation...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.