Well, this is a bit more recent, and direct from the horse's mouth
http://msdn.microsoft.com/en-us/library/cc236715.aspx

Kurt

On Wed, Jul 2, 2014 at 11:24 PM, Ken Schaefer <[email protected]> wrote:
> Stronger and better protocols will eventually replace legacy, weaker and
> suckier protocols - but as Keynes said - "in the long run, we are all dead"
> - it's almost pointless talking about some future that's potentially an epoch
> away.
>
> Outside Windows (and other core Microsoft technologies), Kerberos is,
> generally, hard to get working.
> There are also many apps that simply don't support it.
>
> I note that the article you cite was written 7 years ago, yet we still have
> NTLM, and Basic authentication, and FTP and a whole bunch of other things are
> even worse than NTLM, which show no signs of disappearing.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Kurt Buff
> Sent: Thursday, 3 July 2014 3:50 PM
> To: [email protected]
> Subject: Re: [NTSysADM] File server question
>
> Not tomorrow, and perhaps not even in the next couple of years, but I keep
> seeing articles like this, which incline toward kerberos:
> http://windowsitpro.com/security/comparing-windows-kerberos-and-ntlm-authentication-protocols
>
> Kurt
>
> On Wed, Jul 2, 2014 at 7:22 PM, Ken Schaefer <[email protected]> wrote:
>> How so?
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Thursday, 3 July 2014 12:18 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] File server question
>>
>> I'm thinking NTLM is on its way out.
>>
>> Kurt
>>
>> On Wed, Jul 2, 2014 at 6:12 PM, Ken Schaefer <[email protected]> wrote:
>>> Would be required if you went CNAME and wanted Kerberos. NTLM would work
>>> without setting any SPNs.
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of Kurt Buff
>>> Sent: Thursday, 3 July 2014 9:46 AM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] File server question
>>>
>>> Looks like SetSPN is mixed in there, too.
>>>
>>> Doesn't look like brain surgery, though.
>>>
>>> Thanks.
>>>
>>>
>>> Kurt
>>>
>>> On Wed, Jul 2, 2014 at 4:33 PM, Michael B. Smith <[email protected]>
>>> wrote:
>>>> It still applies, but it may not always work.
>>>>
>>>> http://www.marc-lognoul.me/itblog-en/windows-the-confusion-over-disableloopbackcheck-disablestrictnamechecking-and-kerberos/
>>>>
>>>> I think the above is a decent coverage of the topic.
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Kurt Buff
>>>> Sent: Wednesday, July 2, 2014 7:26 PM
>>>> To: [email protected]
>>>> Subject: [NTSysADM] File server question
>>>>
>>>> All,
>>>>
>>>> We're going to be replacing our current 2003 server with a 2012 R2 VM.
>>>>
>>>> As is usual in these things, there are lots of links and embedded
>>>> references to the old file server name, and we want to start to move away
>>>> from it.
>>>>
>>>> I'd like to stand up a CNAME for the old server pointing to the new
>>>> server, and everything I've been reading suggests that I need to put up
>>>> the disablestrictnamechecking regentry on the new machine.
>>>>
>>>> I seem to recall something indicating that this isn't necessary for
>>>> 2012 R2, but can't find reference to it, and I'm wondering if my memory is
>>>> clouded by something else.
>>>>
>>>> Do I need disablestrictnamechecking or not?
>>>>
>>>> Kurt

