Re: Kerberos back to NTLM
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 11/14/04
- Next message: Fred Hammond: "Re: FileSharing Probelm"
- Previous message: Matt Anderson: "Re: FileSharing Probelm"
- In reply to: Spin: "Kerberos back to NTLM"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 13 Nov 2004 20:13:58 -0600
Are you sure they are authenticating to domain controllers not using
Kerberos and not downlevel or external trust computers? I would enable
auditing of account logon events in Domain Controller Security Policy and
then look in the security logs of the domain controllers for better info on
what is going on. If you find a problem with a particular computer, run the
netdiag support tool on it to see if it reports any pertinent
errors/warnings/failed tests. Using the IP address of the target computer
[instead of name], being more than five minutes different in time from the
domain controller, blocking of ports needed for AD, and DNS misconfiguration
can cause Kerberos authentication to fail. NTLMv2 can be a very secure
authentication protocol also, and using complex passwords can be more
important in securing the network than the authentication protocol being
used if the choices are Kerberos and NTLMv2, though Kerberos should be used
by default for W2K/XP Pro/W2003 if the network is configured properly.
--- Steve
"Spin" <Spin@spin.com> wrote in message
news:2vdhemF2j9ofuU1@uni-berlin.de...
> Someone did a sniffer trace between Windows 2000 servers and Windows 2000
> domain controllers on our native-mode domain and found that many of our
> Windows 2000 servers are attempting to communicate using Kerberos to the
> DCs, not negotiating for whatever reason, then falling back to NTLM. Does
> anyone know why this might be happening? Using
>
>
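One way to act on the reply's suggestion to audit account logon events and read the domain controllers' security logs, as an added example that is not part of the original posts: it groups events by source host and maps Kerberos failure codes to the causes the reply lists. The CSV layout, host names and accounts are constructed, and the single `source` column assumes client addresses have already been mapped to host names; the event IDs are the Windows 2000/2003 account-logon IDs and the failure codes are RFC 4120 error codes.

```python
import csv
import io
from collections import defaultdict

# Windows 2000/2003 domain controller account-logon event IDs.
NTLM_IDS = {680, 681}           # NTLM logon attempt / failure
KRB_OK_IDS = {672, 673}         # Kerberos AS ticket / service ticket granted
KRB_FAIL_IDS = {675, 676, 677}  # Kerberos pre-auth / AS / service ticket failed
# Kerberos failure codes (RFC 4120) that match causes listed in the reply.
HINTS = {
    "0x25": "clock skew too great: compare the host clock with the DC",
    "0x7": "service principal unknown: IP address used instead of name, or DNS",
}
# Constructed sample in a simplified CSV layout (not a real export format).
SAMPLE = """time,event_id,account,source,failure_code
2004-11-13 20:01:02,672,svc_app,SRV01,
2004-11-13 20:01:03,673,svc_app,SRV01,
2004-11-13 20:02:10,677,svc_web,SRV02,0x7
2004-11-13 20:02:11,680,svc_web,SRV02,
2004-11-13 20:03:40,675,svc_sql,SRV03,0x25
2004-11-13 20:03:41,680,svc_sql,SRV03,
2004-11-13 20:04:00,680,legacy,NT4BOX,
"""

def classify(export_text):
    """Return {source: (verdict, [hints])} for every source in the export."""
    seen = defaultdict(lambda: {"ntlm": 0, "krb_ok": 0, "codes": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        eid, s = int(row["event_id"]), seen[row["source"].upper()]
        if eid in NTLM_IDS:
            s["ntlm"] += 1
        elif eid in KRB_OK_IDS:
            s["krb_ok"] += 1
        elif eid in KRB_FAIL_IDS:
            s["codes"].append(row["failure_code"].lower())
    report = {}
    for src, s in seen.items():
        if s["ntlm"] and s["codes"]:
            verdict = "kerberos-failure-and-ntlm"
        elif s["ntlm"]:
            # "ntlm-only": no Kerberos seen, so check for downlevel/external trust.
            verdict = "mixed" if s["krb_ok"] else "ntlm-only"
        else:
            verdict = "kerberos"
        hints = sorted({HINTS.get(c, "unmapped code " + c) for c in s["codes"]})
        report[src] = (verdict, hints)
    return report

if __name__ == "__main__":
    print(classify(SAMPLE))
```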