What does that say, except that NTLM has drawbacks? As I said before, Basic authentication, LDAP, FTP all still exist (and are widely used), and that's effectively plaintext. People mitigate the risk by using protection at the transport layer. Huge numbers of 3rd party apps (especially those that need to run cross-platform) tend to use older or least-common-denominator authentication mechanisms.

PKI and Kerberos have been around for years, yet all these other things still hang around. Kerberos is (relatively) hard to get working outside the pure Microsoft space, and Kerberos implementations outside the Microsoft stack are a rounding error in the grand scheme of things. I just don't see these other techs disappearing anytime soon.

Cheers
Ken

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Friday, 4 July 2014 12:40 AM
To: [email protected]
Subject: Re: [NTSysADM] File server question

Well, this is a bit more recent, and direct from the horse's mouth
http://msdn.microsoft.com/en-us/library/cc236715.aspx

Kurt

On Wed, Jul 2, 2014 at 11:24 PM, Ken Schaefer <[email protected]> wrote:
> Stronger and better protocols will eventually replace legacy, weaker and suckier protocols - but as Keynes said - "in the long run, we are all dead" - it's almost pointless talking about some future that's potentially an epoch away.
>
> Outside Windows (and other core Microsoft technologies), Kerberos is, generally, hard to get working.
> There are also many apps that simply don't support it.
>
> I note that the article you cite was written 7 years ago, yet we still have NTLM, and Basic authentication, and FTP and a whole bunch of other things are even worse than NTLM, which show no signs of disappearing.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> Sent: Thursday, 3 July 2014 3:50 PM
> To: [email protected]
> Subject: Re: [NTSysADM] File server question
>
> Not tomorrow, and perhaps not even in the next couple of years, but I keep seeing articles like this, which incline toward Kerberos:
> http://windowsitpro.com/security/comparing-windows-kerberos-and-ntlm-authentication-protocols
>
> Kurt
>
> On Wed, Jul 2, 2014 at 7:22 PM, Ken Schaefer <[email protected]> wrote:
>> How so?
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Thursday, 3 July 2014 12:18 PM
>> To: [email protected]
>> Subject: Re: [NTSysADM] File server question
>>
>> I'm thinking NTLM is on its way out.
>>
>> Kurt
>>
>> On Wed, Jul 2, 2014 at 6:12 PM, Ken Schaefer <[email protected]> wrote:
>>> Would be required if you went CNAME and wanted Kerberos. NTLM would work without setting any SPNs.
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>>> Sent: Thursday, 3 July 2014 9:46 AM
>>> To: [email protected]
>>> Subject: Re: [NTSysADM] File server question
>>>
>>> Looks like SetSPN is mixed in there, too.
>>>
>>> Doesn't look like brain surgery, though.
>>>
>>> Thanks.
>>>
>>> Kurt
>>>
>>> On Wed, Jul 2, 2014 at 4:33 PM, Michael B. Smith <[email protected]> wrote:
>>>> It still applies, but it may not always work.
>>>>
>>>> http://www.marc-lognoul.me/itblog-en/windows-the-confusion-over-disableloopbackcheck-disablestrictnamechecking-and-kerberos/
>>>>
>>>> I think the above is a decent coverage of the topic.
>>>>
>>>> -----Original Message-----
>>>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>>>> Sent: Wednesday, July 2, 2014 7:26 PM
>>>> To: [email protected]
>>>> Subject: [NTSysADM] File server question
>>>>
>>>> All,
>>>>
>>>> We're going to be replacing our current 2003 server with a 2012 R2 VM.
>>>>
>>>> As is usual in these things, there are lots of links and embedded references to the old file server name, and we want to start to move away from it.
>>>>
>>>> I'd like to stand up a CNAME for the old server pointing to the new server, and everything I've been reading suggests that I need to put up the disablestrictnamechecking regentry on the new machine.
>>>>
>>>> I seem to recall something indicating that this isn't necessary for 2012 R2, but can't find reference to it, and I'm wondering if my memory is clouded by something else.
>>>>
>>>> Do I need disablestrictnamechecking or not?
>>>>
>>>> Kurt
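The two steps the thread circles around (DisableStrictNameChecking so SMB answers to the alias, and SPNs on the new computer account so the alias gets Kerberos rather than an NTLM fallback), as an added example that is not part of any message in the thread. It assumes the new server is NEWFS, the old name being aliased is oldfs in DNS domain corp.example, and that it runs elevated on NEWFS by an account allowed to write SPNs; the verification at the end is meant to be run from a separate domain-joined client, since the loopback check on the server itself would muddy the result.

```powershell
# Added example (not from the thread). Assumed names: NEWFS, oldfs, corp.example.
$NewServer = 'NEWFS'
$Alias     = 'oldfs'
$AliasFqdn = "$Alias.corp.example"

# 1. Let the SMB server accept connections addressed to a name other than its own.
#    This is the registry entry Kurt asks about; the Server service must be
#    restarted (or the box rebooted) for it to take effect.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $params -Name DisableStrictNameChecking -Value 1 -Type DWord
Restart-Service LanmanServer -Force

# 2. Register the alias's SPNs on the new server's computer account. As Ken notes,
#    NTLM works without these; Kerberos does not. setspn -S refuses to create a
#    duplicate, so this fails while the old 2003 server's computer account still
#    holds HOST/oldfs - remove that account (or its SPNs) first.
foreach ($spn in @("HOST/$Alias", "HOST/$AliasFqdn", "CIFS/$Alias", "CIFS/$AliasFqdn")) {
    setspn -S $spn $NewServer
}
setspn -L $NewServer   # review what the account now advertises

# 3. Verification, from a domain-joined CLIENT: clear cached tickets, touch the
#    alias over SMB, then look for a cifs/ ticket for it. An empty result means
#    the client silently fell back to NTLM for that name.
klist purge | Out-Null
net view "\\$AliasFqdn" | Out-Null
klist | Select-String -Pattern "cifs/$AliasFqdn"
```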

