Re: Disable Kerberos in a Windows Server 2003 Environment
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 26 Nov 2007 15:33:54 -0600
Without more details on what he's doing and what he really needs, I can't
give you a satisfying answer. It is definitely possible to prevent Kerberos
authentication to a given service by making sure the service principal name
(SPN) for the service is not published in the directory. If no SPN exists
for a given service, Kerberos auth to it is not possible.
However, we don't know enough about what is going on here to know if that
might be a viable option.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"JerryAMWE" <JerryAMWE@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:21F92E8D-9D75-4996-A830-38EFCD9D52F8@xxxxxxxxxxxxxxxx
I'm not sure why our HIS system requires NTLM for single-signon
authentication. You have raised an interesting question though; can I
specify his servers/app to use NTLM and leave the rest of my environment
alone? If so, how?
Thanks
Gerry
"Joe Kaplan" wrote:
Do you have any detailed information about why his product requires NTLM
only? Is it possible that this product will work if it does NTLM auth to
just those specific apps, but still uses Kerberos in general?
I'm not even sure if it is possible, but ou really don't want to try to
get
rid of Kerb across the board.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"JerryAMWE" <JerryAMWE@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7439B34C-0BAB-4FA0-816D-44DB88B14210@xxxxxxxxxxxxxxxx
Hi,
We are a hospital running a Microsoft Server 2003 environment with
Microsoft Exchange, Citrix and a few other vendor applications that
integrate
with Active Directory for authentication. We are at the highest
possible
functional level in our environment. We also have a Hospital
Information
System which is the most important system we have. Our systems
engineer
wants to try to get our HIS system to use it's native single-signon
capability to authenticate users to AD. The problem is that he wants
me
to
disable Kerberos and only use NTLM authentication. My questions are:
1. Can I disable Kerberos even though my functional level is at its
highest
level?
2. If so, how do I do this?
3. Are there any consequences by me doing this? (i.e. Exchange
authentication issues, Citrix authentication issues, time-services, DNS
issues, etc....)
Any help/advice would greatly be appreciated.
Thanks,
Gerry
.
- Follow-Ups:
- Re: Disable Kerberos in a Windows Server 2003 Environment
- From: JerryAMWE
- Re: Disable Kerberos in a Windows Server 2003 Environment
- References:
- Disable Kerberos in a Windows Server 2003 Environment
- From: JerryAMWE
- Re: Disable Kerberos in a Windows Server 2003 Environment
- From: Joe Kaplan
- Re: Disable Kerberos in a Windows Server 2003 Environment
- From: JerryAMWE
- Disable Kerberos in a Windows Server 2003 Environment
- Prev by Date: Unlocking AD Accounts
- Next by Date: Re: How should we do it with ADFS?
- Previous by thread: Re: Disable Kerberos in a Windows Server 2003 Environment
- Next by thread: Re: Disable Kerberos in a Windows Server 2003 Environment
- Index(es):
Relevant Pages
|
