Not tomorrow, and perhaps not even in the next couple of years, but I keep seeing articles like this, which incline toward kerberos: http://windowsitpro.com/security/comparing-windows-kerberos-and-ntlm-authentication-protocols
Kurt On Wed, Jul 2, 2014 at 7:22 PM, Ken Schaefer <[email protected]> wrote: > How so? > > -----Original Message----- > From: [email protected] [mailto:[email protected]] > On Behalf Of Kurt Buff > Sent: Thursday, 3 July 2014 12:18 PM > To: [email protected] > Subject: Re: [NTSysADM] File server question > > I'm thinking NTLM is on its way out. > > Kurt > > On Wed, Jul 2, 2014 at 6:12 PM, Ken Schaefer <[email protected]> wrote: >> Would be required if you went CNAME and wanted Kerberos. NTLM would work >> without setting any SPNs. >> >> -----Original Message----- >> From: [email protected] [mailto:[email protected]] >> On Behalf Of Kurt Buff >> Sent: Thursday, 3 July 2014 9:46 AM >> To: [email protected] >> Subject: Re: [NTSysADM] File server question >> >> Looks like SetSPN is mixed in there, too. >> >> Doesn't look like brain surgery, though. >> >> Thanks. >> >> >> Kurt >> >> On Wed, Jul 2, 2014 at 4:33 PM, Michael B. Smith <[email protected]> >> wrote: >>> It still applies, but it may not always work. >>> >>> http://www.marc-lognoul.me/itblog-en/windows-the-confusion-over-disableloopbackcheck-disablestrictnamechecking-and-kerberos/ >>> >>> I think the above is a decent coverage of the topic. >>> >>> -----Original Message----- >>> From: [email protected] >>> [mailto:[email protected]] On Behalf Of Kurt Buff >>> Sent: Wednesday, July 2, 2014 7:26 PM >>> To: [email protected] >>> Subject: [NTSysADM] File server question >>> >>> All, >>> >>> We're going to be replacing our current 2003 server with a 2012 R2 VM. >>> >>> As is usual in these things, there are lots of links and embedded >>> references to the old file server name, and we want to start to move away >>> from it. >>> >>> I'd like to stand up a CNAME for the old server pointing to the new server, >>> and everything I've been reading suggests that I need to put up the >>> disablestrictnamechecking regentry on the new machine. >>> >>> I seem to recall something indicating that this isn't necessary for >>> 2012 R2, but can't find reference to it, and I'm wondering if my memory is >>> clouded by something else. >>> >>> Do I need disablestrictnamechecking or not? >>> >>> Kurt >>> >>> >> >> > >
