Is it possible to configure both Windows servers and workstations (Windows 7) to use only Kerberos for authentication and not use NTLM for authentication within the Domain?

I was told that Kerberos authentication fails if the target system is accessed via IP address.

Any success or failure stories out there?

Konrads

1 Answer

Here's a recent article on this: http://blogs.technet.com/b/askds/archive/2012/02/02/purging-old-nt-security-protocols.aspx

Sorry to link bomb and run, but this does contain the answer.

tony roth
  • Hi. Thanks for the link. Unfortunately it only discusses if LM/NTLM is in use, but not if Kerberos only domain is possible. – Konrads Feb 08 '12 at 16:51
  • This statement from the MSFT guy in the blog, "No, because you cannot configure a server to ignore NTLMv2.", means that it won't ignore LMv2; it just might not use it, which at that point would be Kerberos only. – tony roth Feb 08 '12 at 16:58
  • @tony_roth Thanks for pointing that out. One of the reasons I'm looking into this is to prevent replay attacks or password hash cracking. If the NTLMv2 still gets sent along, then that's bad. – Konrads Feb 08 '12 at 23:04
  • Also http://technet.microsoft.com/en-us/library/dd560653(WS.10).aspx will give you further info if in a Win7+ enviro. Also pw hash hacking is not completely solved by Kerberos, if I remember correctly. – tony roth Feb 09 '12 at 15:13
  • Reviewing the above articles, it is my understanding then that you cannot force a server to not do NTLMv2 authentication. I understand that, given the opportunity, Kerberos will be negotiated as the stronger protocol. – Konrads Feb 23 '12 at 15:32
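The linked "Restriction of NTLM" article describes Windows 7 / Server 2008 R2 policies for auditing and blocking NTLM; before tightening them it helps to know how much NTLM a host still sees and from where. The script below is an added example, not code from the question, the answer or the Microsoft articles they link. It reads the stored state of the three Restrict NTLM policies from the MSV1_0 registry key and then summarises successful logons (Security event 4624) by authentication package, listing which accounts and source addresses still arrive over NTLMv1 or NTLMv2. It assumes an elevated PowerShell session on a domain-joined host with a readable Security log; the 24-hour window is a constructed default.

```powershell
# Added example, not code from the question, the answer, or the Microsoft articles they link.
# Purpose: show the state of the "Network security: Restrict NTLM" policies and measure how
# much NTLM a Windows 7 / Server 2008 R2 (or later) domain member still sees, so a move
# toward Kerberos-only is driven by data rather than guesswork.
# Assumptions: run in an elevated PowerShell on a domain-joined host with a readable Security
# log; $Hours is a constructed default window, adjust to taste.
param([int]$Hours = 24)

# The Restrict NTLM Group Policy settings are stored as DWORDs under this key.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Meaning of each stored value (0 is always "allow everything / no auditing").
$meaning = @{
    'RestrictSendingNTLMTraffic'   = @{ 0 = 'Allow all'; 1 = 'Audit all';                2 = 'Deny all' }
    'RestrictReceivingNTLMTraffic' = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' }
    'AuditReceivingNTLMTraffic'    = @{ 0 = 'Disabled';  1 = 'Audit domain accounts';    2 = 'Audit all accounts' }
}

function Get-NtlmRestrictionState {
    $props = Get-ItemProperty -Path $lsaPath -ErrorAction SilentlyContinue
    foreach ($name in $meaning.Keys) {
        $value = $null
        if ($props -ne $null) { $value = $props.$name }
        if ($value -eq $null) {
            $text = 'Not configured (behaves as 0)'
        } else {
            $text = $meaning[$name][[int]$value]
            if (-not $text) { $text = 'Unknown value' }
        }
        New-Object PSObject -Property @{ Setting = $name; Value = $value; Meaning = $text }
    }
}

# Parse the EventData of each successful logon (Security 4624) into a flat object.
function Get-RecentLogons {
    param([int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time      = $ev.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Package   = $data['AuthenticationPackageName']  # Kerberos, NTLM or Negotiate
            LmPackage = $data['LmPackageName']              # "NTLM V1" / "NTLM V2" for NTLM logons, "-" otherwise
            Source    = $data['IpAddress']
        }
    }
}

Write-Host "Restrict NTLM policy state on $env:COMPUTERNAME"
Get-NtlmRestrictionState | Select-Object Setting, Value, Meaning | Format-Table -AutoSize

$logons = @(Get-RecentLogons -Hours $Hours)
Write-Host "$($logons.Count) successful logons in the last $Hours hour(s), by package:"
$logons | Group-Object Package, LmPackage | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Whatever still arrives over NTLM is what a Kerberos-only plan has to account for.
# LmPackage is checked rather than Package because a Negotiate logon that settled on
# NTLM reports Package = Negotiate but still carries "NTLM V1" / "NTLM V2" here.
Write-Host 'Accounts still authenticating with NTLM (excluding ANONYMOUS LOGON):'
$logons | Where-Object { $_.LmPackage -like 'NTLM*' -and $_.User -notlike '*ANONYMOUS LOGON' } |
    Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A source that is always a raw IP address is worth a second look in the context of the question: a client that connects by address has no name to build a Kerberos SPN from, so it falls back to NTLM even when the target would happily do Kerberos. Once the audit policies from the linked article are enabled, the per-request audit events land in the `Microsoft-Windows-NTLM/Operational` log rather than in Security 4624, and the same approach can be pointed at that log to list the applications and servers involved.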