Authentication NTLM vs Kerberos

[Jose Troncoso]

Hi,

We've just migrated our domains from NT 4.0 to Windows 2003 but are still
emulating NTLM authentication (via registry). We've tricked authentication
on some of the computers that are not in our domain by creating local
accounts in the computers that are not in the domain and domain accounts
(same username, same password).

After we migrated to Windows 2003, we're in the dilema if we stop emulating
NTLM, this tricky authentication won't work, because the authentication will
be (e-mail address removed) against username, password.

Is there a tricky authentication mode in Kerberos to maintain my 'old tricky
NTLM authentication' ?

Your comments,

Jose Troncoso
Security Administrator
Banco Popular Dominicano

 

[Paul Adare - MVP - Microsoft Virtual PC]

microsoft.public.win2000.security news group, Jose Troncoso

We've just migrated our domains from NT 4.0 to Windows 2003 but are still
emulating NTLM authentication (via registry). We've tricked authentication
on some of the computers that are not in our domain by creating local
accounts in the computers that are not in the domain and domain accounts
(same username, same password).

You're not doing any kind of "tricky authentication" here at all. All
you're doing is making use of how Windows authentication works.

After we migrated to Windows 2003, we're in the dilema if we stop emulating
NTLM, this tricky authentication won't work, because the authentication will
be (e-mail address removed) against username, password.

You don't understand how Kerberos, nor NTLM authentication works. First
of all, Kerberos auth does not require you to log on by using
(e-mail address removed). That is simply a UPN logon and really has
nothing to do with Kerberos. Logging on without using a UPN logon will
still work with Kerberos (as it will with NTLM).

Is there a tricky authentication mode in Kerberos to maintain my 'old tricky
NTLM authentication' ?

Again, there is nothing "tricky" about this. The users on your non-
domain systems will still be able to authenticate by using NTLM.

If a user can be authenticated via Kerberos, he will be, if not, NTLM
will be used.

Your misunderstanding of the authentication process and logon
requirements is causing you to worry about a non-issue.

 

[Miha Pihler]

Hi Jose,

For security reasons you should use Kerberos (though NTLM v2 is not all that
bad either). Working with Kerberos is no more work then working with NTLM.
Only thing you have to pay attention to is to have your server's time
synchronized with outside reliable time source. All domain members then
synchronize with domain controller's time.
If clients time is for some reason off for more then 5 minutes client won't
be able to logon to domain.

Old clients (Windows 98, Windows NT, ...) will still be able to logon to
domain (as much as they did before), by falling back to NTLM (NTLM v.2 if
possible)...

I hope this helps,

Mike

 

[Steven L Umbach]

Ntlm/ntlmv2 can still be used in Windows 2003 but kerberos will be the default for
computers that are kerberos capable. Also if an IP address is used to locate a
resource in the domain, ntlm/ntlmv2 will be used instead of kerberos and you can not
force kerberos exclusively. Keep in mind that proper dns configuration in a W2K or
Windows 2003 domain is CRITICAL to proper operation of the domain. Domain controllers
must point only to themselves or other domain controllers and W2K/XP Pro domain
members must point only to domain controllers running AD dns for the domain and NEVER
an ISP dns server in the list of preferred dns servers for any domain member ever.
Also FYI Windows 2003 has smb signing [digitally sign communications (always) ]
enabled for server and this can cause problems with downlevel clients and even XP
Pro computers that may show as poor network performance an intermittent
disconnections. There is a hotfix available from MS if you experience this with XP
Pro but you have to call them I beleve. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -- Active
Directory dns FAQ