Authentication NTLM vs Kerberos

Archived from groups: microsoft.public.win2000.security (More info?)

Hi,

We've just migrated our domains from NT 4.0 to Windows 2003 but are still
emulating NTLM authentication (via registry). We've tricked authentication
on some of the computers that are not in our domain by creating local
accounts in the computers that are not in the domain and domain accounts
(same username, same password).

After we migrated to Windows 2003, we're in a dilemma: if we stop emulating
NTLM, this tricky authentication won't work, because the authentication will
be username@somedomain.com against username, password.

Is there a tricky authentication mode in Kerberos to maintain my 'old tricky
NTLM authentication' ?

Your comments,

Jose Troncoso
Security Administrator
Banco Popular Dominicano
  1. Archived from groups: microsoft.public.win2000.security

    In article <OE7BEbehEHA.1156@TK2MSFTNGP10.phx.gbl>, in the
    microsoft.public.win2000.security news group, Jose Troncoso
    <jtroncoso@bpd.com.do> says...

    > We've just migrated our domains from NT 4.0 to Windows 2003 but are still
    > emulating NTLM authentication (via registry). We've tricked authentication
    > on some of the computers that are not in our domain by creating local
    > accounts in the computers that are not in the domain and domain accounts
    > (same username, same password).

    You're not doing any kind of "tricky authentication" here at all. All
    you're doing is making use of how Windows authentication works.

    >
    > After we migrated to Windows 2003, we're in a dilemma: if we stop emulating
    > NTLM, this tricky authentication won't work, because the authentication will
    > be username@somedomain.com against username, password.

    You don't understand how Kerberos or NTLM authentication works. First
    of all, Kerberos auth does not require you to log on by using
    username@somedomain.com. That is simply a UPN logon and really has
    nothing to do with Kerberos. Logging on without using a UPN logon will
    still work with Kerberos (as it will with NTLM).

    >
    > Is there a tricky authentication mode in Kerberos to maintain my 'old tricky
    > NTLM authentication' ?

    Again, there is nothing "tricky" about this. The users on your non-
    domain systems will still be able to authenticate by using NTLM.

    If a user can be authenticated via Kerberos, he will be, if not, NTLM
    will be used.

    Your misunderstanding of the authentication process and logon
    requirements is causing you to worry about a non-issue.

    --
    Paul Adare
    This posting is provided "AS IS" with no warranties, and confers no
    rights.
  2. Archived from groups: microsoft.public.win2000.security

    Hi Jose,

    For security reasons you should use Kerberos (though NTLM v2 is not all that
    bad either). Working with Kerberos is no more work than working with NTLM.
    The only thing you have to pay attention to is to have your server's time
    synchronized with an outside reliable time source. All domain members then
    synchronize with the domain controller's time.
    If a client's time is for some reason off by more than 5 minutes, the client
    won't be able to log on to the domain.

    Old clients (Windows 98, Windows NT, ...) will still be able to log on to the
    domain (as much as they did before), by falling back to NTLM (NTLM v2 if
    possible)...

    I hope this helps,

    Mike

  3. Archived from groups: microsoft.public.win2000.security

    NTLM/NTLMv2 can still be used in Windows 2003, but Kerberos will be the default for
    computers that are Kerberos capable. Also, if an IP address is used to locate a
    resource in the domain, NTLM/NTLMv2 will be used instead of Kerberos, and you cannot
    force Kerberos exclusively. Keep in mind that proper DNS configuration in a W2K or
    Windows 2003 domain is CRITICAL to proper operation of the domain. Domain controllers
    must point only to themselves or other domain controllers, and W2K/XP Pro domain
    members must point only to domain controllers running AD DNS for the domain and NEVER
    an ISP DNS server in the list of preferred DNS servers for any domain member ever.
    Also FYI Windows 2003 has SMB signing [digitally sign communications (always)]
    enabled for server, and this can cause problems with downlevel clients and even XP
    Pro computers that may show as poor network performance and intermittent
    disconnections. There is a hotfix available from MS if you experience this with XP
    Pro but you have to call them I believe. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382 -- Active
    Directory DNS FAQ

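The replies above make one practical point: Kerberos is used where it can be, and NTLM is the fallback (local accounts on non-domain machines, legacy clients, resources reached by IP address). The audit below is an added example, not from any poster in this thread: it triages logon records shaped like the modern Windows Security event 4624 (the successor of the Windows 2003-era logon events) and labels each one by the authentication path it took. The field names are the real 4624 fields; the records and the domain name CORP are constructed sample data.

```python
"""Triage Windows logon records: which used Kerberos, which fell back to NTLM, and why."""
from collections import Counter

DOMAIN = "CORP"  # assumed NetBIOS domain name of the forest (placeholder)

# Constructed sample 4624-style records (not real logs); only the relevant fields.
SAMPLE_4624 = [
    {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "WorkstationName": "WS01"},
    {"TargetUserName": "jdoe", "TargetDomainName": "LAB-PC", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "LAB-PC"},          # mirrored local account, as in the question
    {"TargetUserName": "svc_backup", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "FS02"},            # domain account, yet NTLM: Kerberos fallback
    {"TargetUserName": "oldapp", "TargetDomainName": "CORP", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "WorkstationName": "NT4BOX"},          # legacy client negotiating NTLMv1
]

# Why a domain account can end up on NTLM even though Kerberos is available.
FALLBACK_CAUSES = (
    "resource addressed by IP address instead of host name (no SPN match)",
    "clock skew above the Kerberos tolerance (5 minutes by default)",
    "broken DNS (client not using the AD DNS servers)",
)


def classify(ev, domain=DOMAIN):
    """Label one logon record by the authentication path it actually used."""
    pkg = ev["AuthenticationPackageName"]
    if pkg == "Kerberos":
        return "kerberos"
    if pkg != "NTLM":
        return "other:" + pkg
    if ev["LmPackageName"] == "NTLM V1":
        return "ntlmv1-legacy-client"        # weakest path; worth retiring first
    if ev["TargetDomainName"].upper() != domain.upper():
        return "ntlm-local-account"          # expected for non-domain machines
    return "ntlm-fallback-domain-account"    # Kerberos was possible; see FALLBACK_CAUSES


def summarize(events, domain=DOMAIN):
    """Count logons per label so the NTLM share of a domain can be tracked over time."""
    return Counter(classify(ev, domain) for ev in events)


if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_4624).items()):
        print(f"{n:4d}  {label}")
```

Records in the `ntlm-fallback-domain-account` bucket are the ones to investigate with the causes listed in `FALLBACK_CAUSES`; the `ntlm-local-account` bucket is the mirrored-account setup from the question working exactly as the first reply says it will.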