Kerberos and the NTLM Some of the major feature differences

Document Sample
Kerberos and the NTLM Some of the major feature differences Powered By Docstoc
					Kerberos and the NTLM

Some of the major feature differences between the Kerberos and the NTLM authentication protocols and explain why
generally Kerberos is considered a better authentication option than NTLM.

      Faster authentication. When a resource server gets Kerberos authentication information (in Kerberos speak
       "tickets" and "authenticators") from a client, the resource server has enough information to authenticate the
       client. The NTLM authentication protocol requires resource servers that aren't domain controllers (DCs), to
       contact a DC to validate a user's authentication request. This process is known as pass-through authentication.
       Thanks to its unique ticketing system, Kerberos doesn't need pass-through authentication and therefore
       accelerates the authentication process.

      Mutual authentication. Kerberos can support mutual authentication. Mutual authentication means that not
       only the client authenticates to the service, but also the service authenticates to the client. Mutual
       authentication is a Kerberos option that the client can request. The support for mutual authentication is a key
       difference between Kerberos and NTLM. The NTLM challenge-response mechanism only provides client
       authentication. In the NTLM authentication exchange, the server generates an NTLM challenge for the client,
       the client calculates an NTLM response, and the server validates that response. Using NTLM, users might provide
       their credentials to a bogus server.

      Kerberos is an open standard. Microsoft based its Kerberos implementation on the standard defined in Request
       for Comments (RFC) 4120. RFC 4120 defines version 5 of the Kerberos protocol. Because Kerberos is defined in
       an open standard, it can provide single sign-on (SSO) between Windows and other OSs supporting an RFC 4120-
       based Kerberos implementation. You can download RFC 4120 from the Internet Engineering Task Force (IETF) at NTLM is a proprietary authentication protocol defined by Microsoft. The NTLM protocol is
       not specified in an open standard document (for example in an IETF RFC).

      Support for authentication delegation. Thanks to authentication delegation, a service can access remote
       resources on behalf of a user. What delegation really means is that user A can give rights to an intermediary
       machine B to authenticate to an application server C as if machine B was user A. This means that application
       server C will base its authorization decisions on user A's identity rather than on machine B's account. Delegation
       is also known as authentication forwarding. You can use delegation for authentication in multi-tier applications.
       An example is database access using a Web-based front-end application. In a multi-tier application,
       authentication happens on different tiers. In such a setup, if you want to set authorization on the database using
       the user's identity, you should be capable of using the user's identity for authentication both on the Web server
       and the database server. This is impossible if you use NTLM for authentication on every link, simply because
       NTLM doesn't support delegation.

      Support for smart card logon. Through the Kerberos PKINIT extension, Win2K and later versions include support
       for the smart card logon security feature. Smart card logon provides much stronger authentication than
       password logon because it relies on a two-factor authentication. To log on, a user needs to possess a smart card
       and know its PIN code. Smart card logon also offers other security advantages. For example, it can block Trojan
       horse attacks that try to grab a user's password from the system memory. The NTLM authentication protocol
       doesn't support smart card logon.

      NTLM is a challenge/response-based authentication protocol that is the default authentication protocol of
       Windows NT 4.0 and earlier Windows versions. For backward compatibility reasons, Microsoft still supports
       NTLM in Windows Vista, Windows Server 2003 and Windows 2003 R2, Windows 2000, and Windows XP.

      Starting with Win2K, Microsoft implements Kerberos as the default authentication protocol for the Windows OS.
       This means that besides an NTLM authentication provider, every Windows OS since Win2K also includes a client
       Kerberos authentication provider.

Shared By:
liamei12345 liamei12345 http://