What is the difference between Windows integrated (NTLM) authentication and Windows integrated (Kerberos)?
How to implement these in IIS6
w.r.t. MSDN
The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center.
Kerberos is better than NTLM because: Kerberos is more secure – Kerberos does not store or send the password over the network and can use asymmetric encryption to prevent replay and Man-in-the-Middle (MiTM) attacks.
Since Windows 2000, Microsoft has used the Kerberos protocol as the default authentication method in Windows, and it is an integral part of the Windows Active Directory (AD) service.
Microsoft NTLM - Win32 apps: Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.
Kerberos and NTLM are different algorithms for validating a user's password, without revealing the password to the server. More info about NTLM and Kerberos at Wikipedia.
If you enable Windows authentication, Kerberos will normally be preferred and if that is not available it will fall back to NTLM.
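Because Negotiate can silently fall back, the only way to know which mechanism a browser actually used is to look at the token it sent. The following is an added example (not from the original answer or from Microsoft): it decodes an Authorization header, walks the SPNEGO NegTokenInit and reports whether the client's preferred mechanism was Kerberos or NTLM; the sample headers at the bottom are constructed test data, not real captured tokens.

```python
import base64

# GSS-API mechanism OIDs, DER-encoded values without the 0x06 tag/length
SPNEGO_OID  = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID    = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Windows)
NTLMSSP_OID = bytes.fromhex("2b060104018237020a")    # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def _der(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                           else bytes([0x82]) + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value

def classify_negotiate(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIG):                 # bare NTLMSSP message, no SPNEGO
        return "ntlm"
    if not raw or raw[0] != 0x60:                   # not a GSS InitialContextToken
        return "unknown"
    _, body, _ = _tlv(raw, 0)
    _, mech_oid, pos = _tlv(body, 0)
    if mech_oid in (KRB5_OID, MS_KRB5_OID):         # raw Kerberos AP-REQ wrapper
        return "kerberos"
    if mech_oid != SPNEGO_OID:
        return "unknown"
    _, neg_init, _ = _tlv(body, pos)                # [0] NegTokenInit
    _, fields, _ = _tlv(neg_init, 0)                # SEQUENCE of optional fields
    pos = 0
    while pos < len(fields):
        tag, val, pos = _tlv(fields, pos)
        if tag == 0xA0:                             # mechTypes [0]: first OID = preferred
            _, oid_list, _ = _tlv(val, 0)
            _, first_oid, _ = _tlv(oid_list, 0)
            return "kerberos" if first_oid in (KRB5_OID, MS_KRB5_OID) else (
                "ntlm" if first_oid == NTLMSSP_OID else "unknown")
    return "unknown"

def _spnego_init(mech_oids, mech_token):
    """Build a NegTokenInit with mechTypes and mechToken (constructed test data)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    mech_tok = _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, mech_types + mech_tok)))

# Constructed samples: a Kerberos-capable client, and one that fell back to NTLM.
KERB_HEADER = "Negotiate " + base64.b64encode(
    _spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x00")).decode()
NTLM_HEADER = "Negotiate " + base64.b64encode(
    _spnego_init([NTLMSSP_OID], NTLMSSP_SIG + b"\x01\x00\x00\x00")).decode()
```

Seeing "ntlm" from a client that should have a ticket usually points at a missing or duplicate SPN for the site's host name, which is worth checking before changing NTAuthenticationProviders.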
Here's a good link:
http://msdn.microsoft.com/en-us/library/aa480475.aspx
Also, this will show you if Kerberos (Negotiate) is on (on your webserver):
cscript adsutil.vbs get w3svc/nnn/NTAuthenticationProviders
NOTE: nnn is the MetaBase site id
In the past Kerberos has caused me a few problems (when users have too many permissions), resulting in '400 Bad Request' errors.
see: http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx