Which one to use: NTLM or Kerberos in SharePoint 2013?

Dear EE experts,

We would like to ask for tech support on which one to use: NTLM or Kerberos in SharePoint 2013.

Currently, we're setting up SP2013 and we stopped at the NTLM & Kerberos part; we want to first ask the experts out there which one you would prefer. If we select NTLM, it would just be a normal and common setup. But if we choose Kerberos, the problem is that we have no knowledge of or experience in working with Kerberos...

- If we choose NTLM and set Kerberos for some site application in Central Administration, that's possible, right?

- Currently, we have external users who need to access our site. They are asked for their UN & PW because of the public IP site that we let them use (http://xx.xxx.xx.xx:1111/products), and their PW expires every 41 days, because we set that on their accounts. Some are local accounts and some use domain accounts. The problem is that they have no idea their password is about to expire; how will they know it has expired already? The system just rejects their login, and they ask us to reset their password. So we want to change that to a simple login page that has a connection to a SQL DB if possible and will alert users when their password is about to expire.

- We tested changing one of our sites in CA from NTLM to Kerberos, then refreshed the site, and it asked for UN & PW already. If we want to have our own custom login page, where can we save that page?

That would be all for now, as some of our further questions are beyond our subject already... We'll just open a new question for that.

Thank you and hope to hear soon...
Stiebel Eltron (Asked):
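The question above asks how users can be warned before their 41-day password expiry. The scheduled check behind such a warning can be done outside SharePoint with PowerShell. The script below is an added example, not code from the thread or from SharePoint: it reports domain and local accounts whose password expires within a warning window. It assumes the ActiveDirectory RSAT module is available for the domain part, that it runs on the server holding the local accounts, and that `$WarnDays` and the report path are placeholders you would replace.

```powershell
# Added example (not part of the original thread): list accounts whose password expires
# within $WarnDays, for both domain and local accounts.
# Assumptions: ActiveDirectory module installed; PowerShell 5.1+ for Get-LocalUser;
# $WarnDays and $ReportPath are placeholder values.
param(
    [int]$WarnDays = 7,
    [string]$ReportPath = 'C:\Reports\ExpiringAccounts.csv'   # assumed path
)

$now    = Get-Date
$cutoff = $now.AddDays($WarnDays)
$report = @()

# --- Domain accounts ---------------------------------------------------------
# msDS-UserPasswordExpiryTimeComputed is calculated by the DC from the effective
# password policy (default or fine-grained), so it is more reliable than adding a
# fixed number of days to PasswordLastSet.
Import-Module ActiveDirectory -ErrorAction Stop
$domainUsers = Get-ADUser -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, EmailAddress

foreach ($u in $domainUsers) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 means "must change at next logon"; Int64.MaxValue means "never expires".
    # Both are skipped here (FromFileTime would also throw on the max value).
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires = [DateTime]::FromFileTime($raw)
    if ($expires -le $cutoff) {
        $report += [pscustomobject]@{
            Account  = $u.SamAccountName
            Scope    = 'Domain'
            Email    = $u.EmailAddress
            Expires  = $expires
            DaysLeft = [math]::Floor(($expires - $now).TotalDays)
        }
    }
}

# --- Local accounts ----------------------------------------------------------
# Get-LocalUser exposes PasswordExpires directly ($null when the password never expires).
foreach ($lu in Get-LocalUser | Where-Object { $_.Enabled -and $_.PasswordExpires }) {
    if ($lu.PasswordExpires -le $cutoff) {
        $report += [pscustomobject]@{
            Account  = $lu.Name
            Scope    = 'Local'
            Email    = $null
            Expires  = $lu.PasswordExpires
            DaysLeft = [math]::Floor(($lu.PasswordExpires - $now).TotalDays)
        }
    }
}

# Negative DaysLeft means the password has already expired and the user will be rejected at logon.
$report | Sort-Object Expires | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it from a scheduled task with an account that can read user objects; the CSV (or an added `Send-MailMessage` step for rows with an email address) is what would feed the "your password expires in N days" notice the question is looking for, without the login page itself having to hold SQL credentials.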
Dr. Klahn, Principal Software Engineer, commented:
Sorry about this, but I've exhausted my knowledge with "NTLM is not secure."  It is a thing that I have run into occasionally when researching other issues.

If there is no WiFi access to your LAN, and no access to and from the internet, and no VPNs attaching to your LAN, and it's used only for TCP/IP traffic between computers (no video conferencing, no VOIP phones, no security cameras, etc.) then NTLM might be good enough.  But at some point Microsoft is probably going to say, "That's it, we're dropping support for it in all new products."

Perhaps if you make another posting asking for help on Kerberos?
Dr. Klahn, Principal Software Engineer, commented:
NTLM security is not, well, secure any more.  RC4 has multiple attacks (about ten known ones, plus who knows how many the government has).  Per Wikipedia -

Microsoft no longer recommends NTLM in applications:

"Implementers should be aware that NTLM does not support any recent cryptographic methods, such as AES or SHA-256. It uses cyclic redundancy check (CRC) or message digest algorithms (RFC1321) for integrity, and it uses RC4 for encryption.

Deriving a key from a password is as specified in RFC1320 and FIPS46-2. Therefore, applications are generally advised not to use NTLM."
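Before switching a web application from NTLM to Kerberos, it helps to know which accounts and source hosts are still authenticating with NTLM, since those are the logons that would break or silently fall back. The script below is an added example, not from the thread: it reads logon events (Event ID 4624) from the Security log and summarises the NTLM ones by user, source IP and NTLM version. It assumes it runs on the SharePoint web front end (or a domain controller for a wider view) with rights to read the Security log; `$MaxEvents` and the report path are placeholders.

```powershell
# Added example (not part of the original thread): summarise NTLM logons from the
# Security log so you can see who still depends on NTLM before moving to Kerberos.
# Assumptions: run with rights to read the Security log; $MaxEvents and $ReportPath
# are placeholder values.
param(
    [int]$MaxEvents = 20000,
    [string]$ReportPath = 'C:\Reports\NtlmLogons.csv'   # assumed path
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Skip computer accounts (names ending in $) and SYSTEM / ANONYMOUS noise
    if ($data.TargetUserName -match '\$$' -or
        $data.TargetUserName -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType = $data.LogonType                     # 3 = network, 10 = RDP, 2 = interactive
        AuthPkg   = $data.AuthenticationPackageName     # 'NTLM', 'Kerberos' or 'Negotiate'
        LmPkg     = $data.LmPackageName                 # 'NTLM V1' / 'NTLM V2' for NTLM logons, '-' otherwise
        SourceIP  = $data.IpAddress
    }
}

$ntlm = $rows | Where-Object { $_.AuthPkg -eq 'NTLM' }

# One line per (user, source, NTLM version), most frequent first
$ntlm | Group-Object User, SourceIP, LmPkg |
    Select-Object Count,
        @{ n = 'User';     e = { $_.Values[0] } },
        @{ n = 'SourceIP'; e = { $_.Values[1] } },
        @{ n = 'LmPkg';    e = { $_.Values[2] } } |
    Sort-Object Count -Descending | Format-Table -AutoSize

$ntlm | Export-Csv -Path $ReportPath -NoTypeInformation
```

Rows with `LmPkg` of `NTLM V1` are the ones to deal with first, since they use the weakest variant of the scheme the quote above describes. Clients that keep showing up as NTLM after the change (non-domain machines, access by IP address rather than by the name registered as an SPN) are where Kerberos cannot be used and a fallback decision has to be made.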
Stiebel Eltron (Author) commented:
Thank you for your response, Dr. Klahn.

From your response, it's obvious that you prefer Kerberos authentication over NTLM.
We know that this is a painful way, and we don't have any experience with Kerberos authentication. Is there any guidance you could give in regards to using Kerberos in SharePoint 2013?

Thank you and hope to hear again...
Stiebel Eltron (Author) commented:
Thank you for your kind explanation...
