Re: Disable Kerberos in a Windows Server 2003 Environment

---

• From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Mon, 26 Nov 2007 13:54:36 -0600

---

Do you have any detailed information about why his product requires NTLM
only? Is it possible that this product will work if it does NTLM auth to
just those specific apps, but still uses Kerberos in general?

I'm not even sure if it is possible, but ou really don't want to try to get
rid of Kerb across the board.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"JerryAMWE" <JerryAMWE@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7439B34C-0BAB-4FA0-816D-44DB88B14210@xxxxxxxxxxxxxxxx

Hi,

We are a hospital running a Microsoft Server 2003 environment with
Microsoft Exchange, Citrix and a few other vendor applications that
integrate
with Active Directory for authentication. We are at the highest possible
functional level in our environment. We also have a Hospital Information
System which is the most important system we have. Our systems engineer
wants to try to get our HIS system to use it's native single-signon
capability to authenticate users to AD. The problem is that he wants me
to
disable Kerberos and only use NTLM authentication. My questions are:

1. Can I disable Kerberos even though my functional level is at its
highest
level?
2. If so, how do I do this?
3. Are there any consequences by me doing this? (i.e. Exchange
authentication issues, Citrix authentication issues, time-services, DNS
issues, etc....)

Any help/advice would greatly be appreciated.

Thanks,
Gerry

.

---

• Follow-Ups:
  • Re: Disable Kerberos in a Windows Server 2003 Environment
    • From: JerryAMWE

• References:
  • Disable Kerberos in a Windows Server 2003 Environment
    • From: JerryAMWE

• Prev by Date: Re: Upgrade 2000 AD to 2003
• Next by Date: Re: After succesfull upgrade to AD2003 ,DC fails after moving Mast
• Previous by thread: Re: Disable Kerberos in a Windows Server 2003 Environment
• Next by thread: Re: Disable Kerberos in a Windows Server 2003 Environment
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: ADS Password Storage Protection ... In Windows it is LM or NT (sometimes called NTLM) hashes. ... NTLMv2 refers to the authenication protocol that exchanges the hash ... between the client and server authentication database. ... (Security-Basics) Re: Integrated Windows Authentication Timeout? ... Is it possible that a different host name is being used for one of the subsequent requests that would break Kerberos auth? ... If you have "Negotiate" authentication set in the metabase, then this can still negotiate down to NTLM if for some reason the protocol thinks that Kerberos is unavailable. ... server. ... (microsoft.public.dotnet.framework.aspnet.security) RE: HttpWebRequest over Https Via Proxy Fails using NTLM ... The proxy authentication header returns Basic, NTLM, and Negotiate. ... A network trace shows that the https request handshake is as follows: ... (microsoft.public.dotnet.framework.aspnet) Re: Outlook 2000 issue with EXCH 2003 ... It is related to DNS, the GC utilize DNS to find NTLM ... we have tested outlook 2k3 with NTLM only ... the LAN MAN authentication set to ... (microsoft.public.exchange.admin) Re: Event log shows NTLM not Kerberos ... it needs those SIDs, which is what authentication gives. ... Authentication Package: NTLM ... Authentication Package NTLM not Kerberos? ... (microsoft.public.security)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2007-11