Monday, 2 July 2007

Installing Sharepoint 2007 - NTLM vs Kerberos

Whilst installing MOSS 2007 on the Queensland Water Infrastructure test server today, the issue of NT LAN Manager VS Kerberos authenication came up. I have worked for a Sydney Software consulting company called Superior Software for Windows http://www.ssw.com.au/ full time for the last 8 years. Standard policy at SSW is to try and leave all install settings as default. This helps when diagnosing problems later down the track and helps to avoid custom install issues. However, in this case, the default option (NTLM) is in fact NOT the recommended option - it is Kerberos. Go figure. It would seem that Microsoft is encouraging the quick and dirty approach to security again!

For reasons you should use Kerberos Authentication - see the following post
http://ablog.apress.com/?p=1127

1 comment:

Gavin Adams said...

Hi David,
Interestingly Kerberos was the default option during the beta releases of sharepoint 2007. I guess they had a number of complaints that regarding the complexity of setting up and getting kerberos to work.

I agree with all the points that you mention and those on the ablog site, ie better performance, double hops no longer a problem.

I think most people are configuring for kerberos based on those 2 requirments not for an increase in security.

I'm not sure this is so quick and dirty given that most implementation are internal on a WAN and NTLM is already encrypted (ok I acknowledge that it can be broken, at least its not clear text and thats enough to make it too hard for most of the users).

Regards,
Gavin Adams
(also from Sydney)
http://blog.gavin-adams.com