11
votes

What is the difference between Windows integrated (NTLM) authentication and Windows integrated (Kerberos)?

How to implement these in IIS6

w.r.t. MSDN

4

4 Answers

16
votes

Kerberos and NTLM are different algorithms for validating a user's password, without revealing the password to the server. More info about NTLM and Kerberos at Wikipedia.

If you enable Windows authentication, Kerberos will normally be preferred and if that is not available it will fall back to NTLM.

  • NTLM only requires the client to communicate with the web server in order to authenticate. The web server handles the communication with the domain controller. This is an advantage with publicly available sites where a DC cannot be reached from the Internet. Unfortunately the cryptography used by NTLM is outdated and can no longer be considered secure. NTLM should only be used over https.
  • Kerberos requires the client to get a ticket from the domain controller, which makes it more suitable for Intranet scenarios. Kerberos is however more secure and can handle delegation, where the web server can access other resources (e.g. a file server) using the client's identity.
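To tell which of the two mechanisms a client actually offered (the fallback described above is otherwise invisible in the logs), here is an added example in Python that is not part of this answer or of IIS: it decodes the token from an Authorization header and reports whether it is a raw NTLMSSP blob, or a Negotiate (SPNEGO) token whose first recognised mechanism is Kerberos or NTLMSSP. The DER helpers are minimal and assume well-formed tokens; the NegTokenInit builder exists only to construct sample tokens for illustration.

```python
import base64
# DER OID bodies (tag and length stripped) that appear in SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "Kerberos", NTLMSSP_OID: "NTLM"}

def der(tag, body):
    """Encode one DER TLV; lengths up to 65535 are enough for these tokens."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_read(buf, pos=0):
    """Decode the TLV at pos; returns (tag, body, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_neg_token_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit: a mechTypes list plus an opaque mechToken."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    token = der(0xA2, der(0x04, mech_token))
    neg_init = der(0xA0, der(0x30, mech_types + token))
    return der(0x60, der(0x06, SPNEGO_OID) + neg_init)

def classify_authorization(header):
    """Name the mechanism a client actually offered in an Authorization header."""
    raw = base64.b64decode(header.partition(" ")[2])
    if raw.startswith(b"NTLMSSP\x00"):         # raw NTLM under "NTLM" or "Negotiate"
        return "NTLM"
    if raw[:1] != b"\x60":                     # not a GSS-API InitialContextToken
        return "unknown"
    _, body, _ = der_read(raw)
    _, this_mech, pos = der_read(body)         # thisMech must be the SPNEGO OID
    if this_mech != SPNEGO_OID:
        return "unknown"
    _, neg_init, _ = der_read(body, pos)       # [0] NegTokenInit
    _, seq, _ = der_read(neg_init)             # SEQUENCE { [0] mechTypes, ... }
    _, mech_types, _ = der_read(seq)           # [0] EXPLICIT wrapper
    _, oids, _ = der_read(mech_types)          # SEQUENCE OF OID, preference order
    pos = 0
    while pos < len(oids):
        _, oid, pos = der_read(oids, pos)
        if oid in MECH_NAMES:                  # first recognised mechanism wins
            return MECH_NAMES[oid]
    return "unknown"
```

A client that lists NTLMSSP ahead of any Kerberos OID, or sends a bare NTLMSSP blob, has fallen back to NTLM even though the scheme on the wire still says Negotiate.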
3
votes

Here's a good link:

http://msdn.microsoft.com/en-us/library/aa480475.aspx

Also this will show you if kerberos (Negotiate) is on (on your webserver) :

cscript adsutil.vbs get w3svc/nnn/NTAuthenticationProviders

NOTE: nnn is the MetaBase site id

In the past Kerberos has caused me a few problems (when users have too many permissions), resulting in '400 Bad Request' errors.

see: http://blogs.technet.com/b/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx

1
votes

NTLM (Windows Challenge/Response) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password.

Kerberos is a computer network authentication protocol which works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It works based on the client–server model and it provides mutual authentication: both the user and the server verify each other's identity.

Refer to the links below for clearer information.

http://msdn.microsoft.com/en-us/library/windows/desktop/aa378749(v=vs.85).aspx

http://technet.microsoft.com/en-us/library/cc780469(v=ws.10).aspx

http://windowsitpro.com/security/comparing-windows-kerberos-and-ntlm-authentication-protocols

1
votes

Kerberos could be considered as a better option than NTLM:
1. Faster authentication
2. Mutual authentication
3. Kerberos is an open standard
4. Support for authentication delegation

The following link is the best answer, as I researched this topic:

Comparing Windows Kerberos and NTLM Authentication Protocols