Stronger and better protocols will eventually replace legacy, weaker and suckier protocols - but as Keynes said - "in the long run, we are all dead" - it's almost pointless talking about some future that's potentially an epoch away.

Outside Windows (and other core Microsoft technologies), Kerberos is, generally, hard to get working. There are also many apps that simply don't support it. I note that the article you cite was written 7 years ago, yet we still have NTLM, and Basic authentication, and FTP and a whole bunch of other things that are even worse than NTLM, which show no signs of disappearing.

Cheers
Ken

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Thursday, 3 July 2014 3:50 PM
To: [email protected]
Subject: Re: [NTSysADM] File server question

Not tomorrow, and perhaps not even in the next couple of years, but I keep seeing articles like this, which incline toward Kerberos:
http://windowsitpro.com/security/comparing-windows-kerberos-and-ntlm-authentication-protocols

Kurt

On Wed, Jul 2, 2014 at 7:22 PM, Ken Schaefer <[email protected]> wrote:
> How so?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Thursday, 3 July 2014 12:18 PM
> To: [email protected]
> Subject: Re: [NTSysADM] File server question
>
> I'm thinking NTLM is on its way out.
>
> Kurt
>
> On Wed, Jul 2, 2014 at 6:12 PM, Ken Schaefer <[email protected]> wrote:
>> Would be required if you went CNAME and wanted Kerberos. NTLM would work
>> without setting any SPNs.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Thursday, 3 July 2014 9:46 AM
>> To: [email protected]
>> Subject: Re: [NTSysADM] File server question
>>
>> Looks like SetSPN is mixed in there, too.
>>
>> Doesn't look like brain surgery, though.
>>
>> Thanks.
>>
>> Kurt
>>
>> On Wed, Jul 2, 2014 at 4:33 PM, Michael B. Smith <[email protected]> wrote:
>>> It still applies, but it may not always work.
>>>
>>> http://www.marc-lognoul.me/itblog-en/windows-the-confusion-over-disableloopbackcheck-disablestrictnamechecking-and-kerberos/
>>>
>>> I think the above is a decent coverage of the topic.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>>> Sent: Wednesday, July 2, 2014 7:26 PM
>>> To: [email protected]
>>> Subject: [NTSysADM] File server question
>>>
>>> All,
>>>
>>> We're going to be replacing our current 2003 server with a 2012 R2 VM.
>>>
>>> As is usual in these things, there are lots of links and embedded
>>> references to the old file server name, and we want to start to move away
>>> from it.
>>>
>>> I'd like to stand up a CNAME for the old server pointing to the new server,
>>> and everything I've been reading suggests that I need to put up the
>>> disablestrictnamechecking regentry on the new machine.
>>>
>>> I seem to recall something indicating that this isn't necessary for
>>> 2012 R2, but can't find reference to it, and I'm wondering if my memory is
>>> clouded by something else.
>>>
>>> Do I need disablestrictnamechecking or not?
>>>
>>> Kurt

