Windows integrated (NTLM) authentication vs Windows integrated (Kerberos)

What is the difference between Windows integrated (NTLM) authentication and Windows integrated (Kerberos)?

How to implement these in IIS6

w.r.t. MSDN

Nitin S asked Jul 19 '11 08:07


People also ask

What is difference between Kerberos and NTLM authentication?

The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.

What is better NTLM or Kerberos?

Kerberos is better than NTLM because: Kerberos is more secure – Kerberos does not store or send the password over the network and can use asymmetric encryption to prevent replay and Man-in-the-Middle (MiTM) attacks.

Is Kerberos the same as Windows authentication?

Since Windows 2000, Microsoft has used the Kerberos protocol as the default authentication method in Windows, and it is an integral part of the Windows Active Directory (AD) service.

Is NTLM authentication same as Windows authentication?

Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.


2 Answers

Kerberos and NTLM are different algorithms for validating a user's password, without revealing the password to the server. More info about NTLM and Kerberos at Wikipedia.

If you enable Windows authentication, Kerberos will normally be preferred and if that is not available it will fall back to NTLM.

  • NTLM only requires the client to communicate with the web server in order to authenticate. The web server handles the communication with the domain controller. This is an advantage with publicly available sites where a DC cannot be reached from the Internet. Unfortunately the cryptography used by NTLM is outdated and can no longer be considered secure. NTLM should only be used over https.
  • Kerberos requires the client to get a ticket from the domain controller, which makes it more suitable for Intranet scenarios. Kerberos is however more secure and can handle delegation, where the web server can access other resources (e.g. a file server) using the client's identity.
Anders Abel answered Nov 15 '22 18:11


Here's a good link:

http://msdn.microsoft.com/en-us/library/aa480475.aspx

Also, this will show you if Kerberos (Negotiate) is on (on your web server):

cscript adsutil.vbs get w3svc/nnn/NTAuthenticationProviders

NOTE: nnn is the MetaBase site id

In the past Kerberos has caused me a few problems (when users have too many permissions), resulting in '400 Bad Request' errors.

see: http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx

Kevin Burton answered Nov 15 '22 17:11
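Both answers come down to the same practical question for an administrator: is the site offering Negotiate (Kerberos) at all, and when it does, are clients really authenticating with Kerberos or silently falling back to NTLM, as Anders Abel's answer describes? The script below is an added example, not code from the page or from either answerer. It does two things in Python: reads which schemes a server advertises in its 401 WWW-Authenticate headers (the same information Kevin Burton's adsutil query gives you from the metabase, seen from the wire), and classifies a captured Authorization header as Kerberos or NTLM by looking for the NTLMSSP signature and the Kerberos mechanism OID inside the SPNEGO token. The header lines and tokens are constructed sample data; the OIDs and the NTLMSSP signature are the standard GSS-API/SPNEGO values, and the classification is a heuristic rather than a full ASN.1 parse.

```python
import base64
from collections import Counter

# Standard GSS-API / SPNEGO constants (well-known values, not taken from the page).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                      # prefix of every NTLMSSP message
SPNEGO_OID = bytes.fromhex("2b0601050502")              # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")          # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10


def offered_schemes(response_headers):
    """Server-side view: schemes advertised in the 401's WWW-Authenticate headers.

    'Negotiate' present means Kerberos can be used; 'NTLM' alone means it cannot.
    """
    schemes = set()
    for line in response_headers:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        parts = value.split(None, 1)
        if parts:
            schemes.add(parts[0])
    return schemes


def classify_authorization(header_value):
    """Client-side view: which mechanism a captured Authorization header actually used.

    Returns "kerberos", "ntlm", "other" or "malformed". Heuristic: an NTLMSSP
    signature anywhere in the token means NTLM was used, even inside a Negotiate
    (SPNEGO) envelope, i.e. Kerberos fell back; a GSS-API InitialContextToken
    (tag 0x60) that carries the Kerberos OID means Kerberos was used.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "malformed"
    if NTLMSSP_SIGNATURE in raw:
        return "ntlm"
    if raw[:1] == b"\x60" and KRB5_OID in raw:
        return "kerberos"
    return "other"


def fallback_report(authorization_headers):
    """Count mechanisms over a batch of captured Authorization headers."""
    return Counter(classify_authorization(h) for h in authorization_headers)


# --- Constructed sample data (not real captures) ---------------------------
def _der(tag, body):
    """Minimal DER TLV with short-form length (all sample bodies are < 128 bytes)."""
    return bytes([tag, len(body)]) + body


def _ntlm_type1():
    # Constructed NTLM NEGOTIATE (Type 1) message: signature, type 1, flags, padding.
    return NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 24


def _spnego_kerberos_token():
    # InitialContextToken { SPNEGO OID, NegTokenInit { mechTypes: [krb5] } }
    mech_types = _der(0xA0, _der(0x30, _der(0x06, KRB5_OID)))
    neg_init = _der(0xA0, _der(0x30, mech_types))
    return _der(0x60, _der(0x06, SPNEGO_OID) + neg_init)


def _spnego_ntlm_token():
    # Same envelope, but mechTypes lists NTLMSSP and mechToken carries an NTLM Type 1.
    mech_types = _der(0xA0, _der(0x30, _der(0x06, NTLMSSP_OID)))
    mech_token = _der(0xA2, _der(0x04, _ntlm_type1()))
    neg_init = _der(0xA0, _der(0x30, mech_types + mech_token))
    return _der(0x60, _der(0x06, SPNEGO_OID) + neg_init)


SAMPLE_401_NEGOTIATE = [
    "HTTP/1.1 401 Unauthorized",
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
    "Content-Length: 0",
]
SAMPLE_401_NTLM_ONLY = ["HTTP/1.1 401 Unauthorized", "WWW-Authenticate: NTLM"]

SAMPLE_AUTHORIZATION_HEADERS = [
    "Negotiate " + base64.b64encode(_spnego_kerberos_token()).decode(),
    "Negotiate " + base64.b64encode(_spnego_ntlm_token()).decode(),   # fallback case
    "NTLM " + base64.b64encode(_ntlm_type1()).decode(),
    "Basic dXNlcjpwYXNz",
]

if __name__ == "__main__":
    print("server offers:", sorted(offered_schemes(SAMPLE_401_NEGOTIATE)))
    print("mechanisms seen:", dict(fallback_report(SAMPLE_AUTHORIZATION_HEADERS)))
```

Run against real traffic, a high NTLM count on a site that offers Negotiate is the signal that clients cannot reach the KDC or that the SPN is missing, which is exactly the NTLM fallback the first answer warns about; pair it with the adsutil query from the second answer to confirm the provider list on the server itself.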