I am talking about SSPI Negotiation. So any app that uses SSPI Negotiation (as they should be as far as I know) will always choose Kerb first?
I know this is a total hack, but what if I block port 88 from point a to point b using an IPSec policy? Will negotiation silently fall back to NTLM. BTW I realize that there is NO WAY MS would support this configuration, I'm just asking from a theoretical stand point. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick Sent: Tuesday, May 02, 2006 7:31 AM To: [email protected] Subject: Re: [ActiveDir] Force NTLM over Kerberos It is up to the application as to what it will choose for authN - if you are asking about negotiate - which tries kerb first, you cannot change this. steve ----- Original Message ----- From: "Isenhour, Joseph" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Monday, May 01, 2006 3:51 PM Subject: [ActiveDir] Force NTLM over Kerberos I have a somewhat interesting and complicated issue. I won't go into all of the details because there are many, I'll just ask this one question: Does anyone know of a way to force the operating system to always choose to use NTLM before trying Kerberos? Basically make it always choose NTLM when it does the SSPI negotiate. Thanks Joe List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
