Question

When SSPI is in "negotiate mode", NTLM seems to be the favourite one (a legacy story). But when and why will SSPI consider (and pick) Kerberos?

(As far as I can see, when a client and server are on the same machine, NTLM is picked.)


Solution

Kerberos is preferred over NTLM and used whenever it's possible, i.e.:

  • client machine is logged into Active Directory
  • client machine can access DNS
  • DNS contains an A record (not a CNAME alias) for the server which the client wants to access (both forward and backward), so that the web browser can transform it into the correct SPN
  • no duplicated SPNs
  • web server runs on a different machine than the client web browser
  • there must be at least one encoding type which both machines support (defined in krb5.ini)
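The checklist in the answer above can be turned into a pre-flight script run on the client. The following PowerShell is an added example, not code from the original question or answer: it tests each precondition (domain membership, remote target, forward A record without a CNAME, matching reverse PTR, a single holder of the SPN) and finally asks the KDC for a service ticket with the built-in `klist get`, which only succeeds if the client and service share an encryption type. It assumes a domain-joined Windows client with the DnsClient module (`Resolve-DnsName`), `setspn`-style AD lookups via `[adsisearcher]`, and `klist.exe`; the hostname `web01.corp.example.com` and the `HTTP` service class are placeholders to replace with your own target.

```powershell
# Added example (not from the original post): check the Kerberos preconditions
# listed in the answer for one target host. Assumes a domain-joined Windows client
# with Resolve-DnsName, [adsisearcher] (LDAP via ADSI) and klist.exe available.
# $TargetHost and $ServiceClass are placeholders; substitute your real service.
param(
    [string]$TargetHost   = 'web01.corp.example.com',   # assumed hostname; replace
    [string]$ServiceClass = 'HTTP'                      # browser requests HTTP/<host>
)

$script:ok = $true
function Report([string]$Label, [bool]$Pass, [string]$Detail) {
    $tag = if ($Pass) { 'PASS' } else { 'FAIL' }
    Write-Host ("[{0}] {1}: {2}" -f $tag, $Label, $Detail)
    if (-not $Pass) { $script:ok = $false }
}

# 1. Client must be a domain member; without a KDC to talk to, SSPI only has NTLM.
$cs = Get-CimInstance Win32_ComputerSystem
Report 'Domain membership' $cs.PartOfDomain ("PartOfDomain={0} Domain={1}" -f $cs.PartOfDomain, $cs.Domain)

# 2. Target must not be this machine (the answer notes loopback ends up on NTLM).
$fqdnSelf = "{0}.{1}" -f $env:COMPUTERNAME, $cs.Domain
$isLocal  = ($TargetHost -ieq $env:COMPUTERNAME) -or ($TargetHost -ieq $fqdnSelf)
Report 'Remote target' (-not $isLocal) "target=$TargetHost self=$fqdnSelf"

# 3. Forward lookup must yield an A record with no CNAME in the chain: with a CNAME
#    the browser builds the SPN from the canonical name, which then needs its own SPN.
$aRec = $null
try {
    $fwd      = Resolve-DnsName -Name $TargetHost -ErrorAction Stop
    $types    = ($fwd | Select-Object -ExpandProperty Type -Unique) -join ','
    $hasCname = [bool]($fwd | Where-Object { $_.Type -eq 'CNAME' })
    $aRec     = $fwd | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    Report 'Forward A record' (($null -ne $aRec) -and -not $hasCname) "types=$types"
} catch { Report 'Forward A record' $false $_.Exception.Message }

# 4. Reverse lookup of that address should map back to the same name.
if ($aRec) {
    try {
        $ptr   = Resolve-DnsName -Name $aRec.IPAddress -Type PTR -ErrorAction Stop
        $names = ($ptr | Select-Object -ExpandProperty NameHost) -join ','
        Report 'Reverse PTR record' ($names -match [regex]::Escape($TargetHost)) "ptr=$names"
    } catch { Report 'Reverse PTR record' $false $_.Exception.Message }
}

# 5. Exactly one AD account may hold the SPN the browser will request; zero means the
#    KDC cannot issue a ticket, two or more is the "duplicated SPN" case in the answer.
$spn      = "$ServiceClass/$TargetHost"
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
$holders  = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
Report 'Unique SPN' ($holders.Count -eq 1) ("{0} held by {1} account(s): {2}" -f $spn, $holders.Count, ($holders -join ', '))

# 6. Ask the KDC for a service ticket. Success implies every check above lined up and
#    that the client and service share at least one encryption type (shown by klist).
$klistOut  = (& klist.exe get $spn 2>&1 | Out-String)
$gotTicket = $klistOut -match [regex]::Escape($spn) -and $klistOut -notmatch 'Error'
$encLine   = ($klistOut -split "`r?`n" | Where-Object { $_ -match 'Encryption Type|Error' }) -join '; '
Report 'Service ticket' $gotTicket $encLine

if ($script:ok) { "Kerberos should be negotiated for $spn" }
else            { "Expect NTLM fallback for $spn; see FAIL lines above" }
```

Run it as the user who will be browsing to the site, since `klist get` uses that user's TGT. A FAIL on step 5 with two holders is the most common cause of silent NTLM fallback: the KDC refuses to issue a ticket for an ambiguous SPN, and Negotiate quietly drops to NTLM without the browser reporting an error.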
Licensed under: CC-BY-SA with attribution