NTLM vs KERBEROS

Let us understand how NTLM authentication works:







Step 1:
User sends a request to the server passing the domain authentication credentials.


Step 2:
Server creates an encryption token and sends a response back to the User (User's machine)


Step 3:
User gets the encrypted token and uses the token to encapsulate the user's password and re sends the new information back to the server.


Step 4:
Server gets the encrypted password, decrypts the information and sends the information to the Domain Account Controller/Service Account Manager for verification and authentication.


Step 5:

The Service account manager verifies the information and informs the server that the user is either authenticated or the authentication request has been denied.
Once these steps occur a connection with the server will either be established or disestablished. Key notes here is that the NTLM authentication does not require to have the server principle (SPN) established on the local machine for authentication. This is more susceptible to attacks as the information passed is the bare essentials.

Let us understand how Kerberos authentication works:







Step 1:
User sends a request to the KLM (Kerberos Login Manager) which handles the request for authentication for the end user. The user passes the domain authentication, the SPN and the password information in a packet.


Step 2 & 3:
The KLM server takes these details, verifies the information with the Service Request Manager/Domain Account Controller and gets the response from the same. In case the user cannot be authenticated, the user will be notified at this stage.


Step 4&5:
The KLM passes the request to the server and the server responds directly back to the user. Once the authentication has been established, the user will be able to interact with the server without using the KLM.


Key points to Note:

  • NTLM is also called Integrated windows authentication.

  • Even though NTLM and Kerberos are susceptible to security hacks, Kerberos authentication is considered to be more secure.

  • Everytime NTLM needs to go through the Domain Account Controller to establish authentication

  • No double hop for NTLM as the authentication information will not persist from one server to another

  • The Kerberos Login Manager is also known as the Key Distribution Centre

  • Kerberos works on the principle of a ticket being generated by the KLM and once the ticket has been stamped (you can use the analogy of a Visa stamping process at this junction) or authorized, the user will be able to interact with the server.

  • Kerberos allows the double hop process to occur i.e. the authentication information is saved by the KLM and further established the requests between servers because the golden ticket is still with the KLM.

  • At times to avoid the double hop we use the concept of a secure store i.e. a pre authorized user to the respective servers in SharePoint. Once the user is authenticated by the SharePoint server, the underlying requests between the SharePoint Server and other servers (like PPS....) is accomplished using the existing secure store service information. [Note: Claims to Windows token service (C2WTS) is based on this principle]

  • Kerberos has more encryption methodologies than NTLM (I am familiar with only a few and will iterate them in a future article perhaps....)

  • Kerberos authentication setup more complicated than NTLM

  • Thumb rule for stand alone machines is to always go for integrated windows authentication


Security is a vast topic. On my laptop I have SharePoint 2010 installed on a Win 7 OS with integrated windows authentication, so the hassles of using Kerberos authentication is definitely not in place. However a key note here is that when I migrate information or a SharePoint site from my laptop onto say a company's system, I ensure that the mode is in Kerberos and all the servers are talking with one another.

Comments

Post a Comment

Popular posts from this blog

Load Data into Azure DW using C# in an SSIS script task

Image
Now there are a lot of reasons why SSIS needs to be leveraged for loading data into the Azure DW platform. Even though Polybase and Azure Data factory are the core criteria's, here are the templates for the SSIS script task that were leveraged to load data (full and incremental into Azure DW) for a specific customer rather than using the data flow task: SSIS Full Load script : SSIS Incremental Load script : There are a few reasons for this approach and one of them being that the existing package was using a similar structure and one not to be deviated from. The other being that some key logging aspects needed to be handled in a Legacy platform that could not be decommissioned at that time.
Read more

Branding your SharePoint site in a super fast way - Emgage

Branding a SharePoint farm on premise or in O365 is an extremely time absorbing task. Recently found a few tools called emgage prime and emgage turbo which basically gives you customized UX branding solutions to make you get to what you want super fast and super easy....Just used it on a SP2016 farm a few days ago and the results were tremendous. A definite recommendation on the SP side of things.
Read more

Power BI To Embed Or Not To Embed

It is very critical for organizations to work & play with data. Power BI - the reporting solution from Microsoft is literally scorching the market with its rapid pace in usage. On a quick note while interacting with your Power BI report like the following--> This report is accessible by the public. In order to create a more personalized/advanced security reporting structure with Power BI, the Power BI embedded would be the way to go. Create a workspace collection in Azure and then generate the required API keys (two by default - primary and secondary). These API keys will be leveraged by your web application. Once this is done create the pbix solution file in your desktop tool and publish or import the pbix solution to the Azure workspace using powershell/C#/ruby/java etc... Now to interact with the pbix file in your application, you need to leverage the Power BI Embed API's. However there is another approach using Power BI API's instead of the embed API's. The em
Read more