Re: Kerberos to NTLM???
From: Roland Hall (nobody_at_nowhere)
Date: 11/11/04
- Next message: Jim Van Sickle: "Re: tool for adding groups to ntfs and shares ?"
- Previous message: Rocky: "RE: How to Block one incoming IP"
- In reply to: Spin: "Re: Kerberos to NTLM???"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 11 Nov 2004 15:51:34 -0600
: "Roland Hall" <nobody@nowhere> wrote in message
: news:#TaSmacxEHA.1300@TK2MSFTNGP14.phx.gbl...
: > "Spin" wrote in message news:2v9u2bF2irtofU1@uni-berlin.de...
: > : Someone did a sniffer trace between Windows 2000 servers and Windows 2000
: > : domain controllers on our network and found that many of our Windows 2000
: > : servers are attempting to communicate using Kerberos to the DCs, not
: > : negotiating for whatever reason, then falling back to NTLM. Does anyone
: > : know why this might be happening?
: > :
: > Are they in native mode?
"Spin" wrote in message news:2vcgp4F2komq7U1@uni-berlin.de...
: Yes.
It is by design: if Kerberos authentication fails, NTLM authentication is
then attempted.
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/deploy/dgbf_upg_lgrl.asp
Perhaps this offers some insight as to why this is happening:
Full article:
http://www.windowsecurity.com/articles/Deciphering-Authentication-Events-Domain-Controllers.html
Excerpt:
Windows 2000 and 2003 domain controllers support Kerberos and NTLM
authentication protocols. When a Windows 2000 or later computer needs to
find out if a domain account is authentic the computer first tries to
contact the DC via Kerberos. If it doesn't receive a reply it falls back to
NTLM. In an AD forest comprising computers running Windows 2000 and later
all authentication between workstations and servers should be Kerberos.
Windows 2000 and later domain controllers log different event IDs for
Kerberos and NTLM authentication activity so it's easy to distinguish them.

In an AD forest of Windows 2000 or later computers, any NTLM authentication
events you see on domain controllers can only have a few explanations.
First, Windows will fall back to NTLM if routers for some reason block
Kerberos traffic (UDP port 88). Second, if your domain trusts another domain
outside your forest (defined in Active Directory Domains and Trusts) you'll
see NTLM events on your domain controllers since Kerberos doesn't work for
external trust relationships. (Note: Windows Server 2003 supports a new type
of trust called a cross forest trust. A cross forest trust is a transitive,
2-way trust between 2 Windows Server 2003 domains. Cross forest trusts use
Kerberos - not NTLM.) The third explanation for NTLM events in your domain
controller's security log is rogue computers. Contrary to popular
misconception, Windows does not prevent a user at a computer from an
untrusted domain or stand-alone computer (a Windows computer that doesn't
belong to any domain) from connecting to a server in your domain using a
domain account. To prove this just map a drive to a computer in an
untrusting domain using the "net use" command. For instance in the below
example I connect to a file server called NYC-FS-1 in the NYC domain using
the domain Administrator account and a password of #dk32HE4.
--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
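The excerpt above says DCs log different event IDs for Kerberos and NTLM and that NTLM events on a DC reduce to a few causes (blocked port 88, an external trust, or a non-domain computer using domain credentials). The script below is an added example, not code from the post or from the quoted article. It maps event IDs to protocol (672/673 and 680 on Windows 2000/2003, 4768/4769 and 4776 on Windows Server 2008 and later), counts them, and lists the NTLM events by account and source workstation so each one can be matched against those explanations. The sample events, the account names, and the workstation names in it are constructed for illustration.

```powershell
# Added example (not from the original post or the quoted article).
# Classifies DC Security-log authentication events as Kerberos or NTLM by
# event ID and breaks the NTLM ones out by account and source workstation.

# Event ID to protocol map. Windows 2000/2003 DCs log 672/673 for Kerberos
# AS/TGS requests and 680 for NTLM validation; Windows Server 2008 and later
# log 4768/4769 and 4776 for the same activity.
$AuthEventMap = @{
    672  = 'Kerberos'   # Authentication ticket (TGT) granted
    673  = 'Kerberos'   # Service ticket granted
    680  = 'NTLM'       # Account used for logon by (NTLM validation)
    4768 = 'Kerberos'   # A Kerberos authentication ticket (TGT) was requested
    4769 = 'Kerberos'   # A Kerberos service ticket was requested
    4776 = 'NTLM'       # The computer attempted to validate the credentials for an account
}

function Get-AuthProtocol {
    param([Parameter(Mandatory)][int]$EventId)
    if ($AuthEventMap.ContainsKey($EventId)) { return $AuthEventMap[$EventId] }
    return 'Other'
}

function Get-NtlmOnDc {
    # Takes objects with Id, TimeCreated and Message (the shape Get-WinEvent
    # returns) and returns per-protocol counts plus the NTLM events with the
    # account and the workstation name the client supplied. A workstation that
    # is not a member of your domain is the "rogue computer" case; Kerberos at
    # zero with NTLM everywhere points at blocked port 88; accounts from another
    # forest point at an external trust.
    param([Parameter(Mandatory)][object[]]$Events)

    $counts = @{ Kerberos = 0; NTLM = 0; Other = 0 }
    $ntlm   = New-Object System.Collections.Generic.List[object]

    foreach ($e in $Events) {
        $proto = Get-AuthProtocol -EventId $e.Id
        $counts[$proto]++
        if ($proto -ne 'NTLM') { continue }

        # Both 680 (2000/2003) and 4776 (2008+) carry these two fields;
        # -match is case-insensitive, which covers the 2003 "Logon account" spelling.
        $acct = if ($e.Message -match '(?m)^\s*Logon Account:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
        $ws   = if ($e.Message -match '(?m)^\s*(?:Source )?Workstation:\s*(\S+)') { $Matches[1] } else { '<unknown>' }

        $ntlm.Add([pscustomobject]@{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            Account     = $acct
            Workstation = $ws
        })
    }

    [pscustomobject]@{
        Kerberos   = $counts['Kerberos']
        NTLM       = $counts['NTLM']
        Other      = $counts['Other']
        NtlmEvents = $ntlm.ToArray()
    }
}

# Constructed sample events in the shape Get-WinEvent returns; not real log data.
# LAPTOP-7F3 stands in for a non-domain machine using the domain Administrator account.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4768; TimeCreated = [datetime]'2004-11-11T15:40:01'
        Message = "A Kerberos authentication ticket (TGT) was requested.`r`n`tAccount Name:`t`tjsmith`r`n`tClient Address:`t`t10.1.1.20" }
    [pscustomobject]@{ Id = 4769; TimeCreated = [datetime]'2004-11-11T15:40:02'
        Message = "A Kerberos service ticket was requested.`r`n`tAccount Name:`t`tjsmith@NYC.LOCAL`r`n`tService Name:`t`tcifs/NYC-FS-1" }
    [pscustomobject]@{ Id = 4776; TimeCreated = [datetime]'2004-11-11T15:41:10'
        Message = "The computer attempted to validate the credentials for an account.`r`n`tAuthentication Package:`tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0`r`n`tLogon Account:`tAdministrator`r`n`tSource Workstation:`tLAPTOP-7F3`r`n`tError Code:`t0x0" }
    [pscustomobject]@{ Id = 680; TimeCreated = [datetime]'2004-11-11T15:42:00'
        Message = "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0`r`n Logon account: svc_backup`r`n Source Workstation: NYC-FS-1`r`n Error Code: 0x0" }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2004-11-11T15:42:05'
        Message = "An account was successfully logged on." }
)

$summary = Get-NtlmOnDc -Events $SampleEvents
"Kerberos: {0}  NTLM: {1}  Other: {2}" -f $summary.Kerberos, $summary.NTLM, $summary.Other
$summary.NtlmEvents | Format-Table -AutoSize

# On a Windows Server 2008 or later DC, run it over the live Security log instead:
# Get-NtlmOnDc -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4776 })
```

Get-WinEvent does not exist on Windows 2000/2003, where the thread's servers live; on those DCs the same 672/673/680 classification applies to events exported from Event Viewer or collected with a log-forwarding tool, and the 680 message format in the sample is the one those systems write.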