Forcing XP Clients to use NTLM instead of Kerberos Authentication

Posted by DeadSquirrell on July 11, 2006, 1:21 am
Howdy

We are in the middle of an in-place upgrade from NT4 to Windows 2003 SP1 AD.
We are using the NT4Emulator key as a transitional step to prevent Windows XP
SP1 clients from using Kerberos for a range of reasons. We are about to
neutralize all machines in our upgraded domain, which will mean that all
clients will begin to use Kerberos once their secure channels are reset. We
have chosen this method over simply removing NT4Emulator as it gives us a
better back-out option (i.e. we can selectively back out machines from
Kerberos without having to rejoin the whole fleet to the domain).

My question is - once we remove the Emulator keys from the Domain
Controllers and all the clients are using Kerberos, is there any way we can
force the clients to use NTLM? The reason I ask is that we are concerned that
Kerberos may break some of our key applications and would like to ensure that
once the emulator is removed, we have an alternative to revert to NTLM
without rejoining everything to the domain.

Regards,
DB

[Note: This is a cross post as the topic was noted as less applicable in the
Windows XP Security newsgroup]



Posted by S. Pidgorny on July 11, 2006, 4:37 am
I don't think your reasons are valid. Kerberos won't break your
applications - if they are dependent on NTLM, it will still be supported. You
can make Kerberos not work by breaking it (changing the KDC location in DNS,
or blocking ports 88 TCP and UDP on the switch, or alike), but the resulting
infrastructure will be, so to say, substandard.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

> Howdy
>
> We are in the middle of an in-place upgrade from NT4 to Windows 2003 SP1
> AD.
> We are using the NT4Emulator key as a transitional step to prevent Windows
> XP
> SP1 clients from using Kerberos for a range of reasons. We are about to
> neutralize all machines in our upgraded domain which will mean that all
> clients will begin
> to use Kerberos once their secure channels are reset. We have chosen this
> method over simply removing NT4Emulator as it gives us a better back-out
> option (i.e. we can selectively back out machines from Kerberos without
> having to rejoin the whole fleet to the domain).
>
> My question is - once we remove the Emulator keys from the Domain
> Controllers and all the clients are using Kerberos, is there any way we
> can
> force the clients to use NTLM? The reason I ask is that we are concerned
> that
> Kerberos may break some of our key applications and would like to ensure
> that
> once the emulator is removed, we have an alternative to revert to NTLM
> without rejoining everything to the domain.
>
> Regards,
> DB
>
> [Note: This is a cross post as the topic was noted as less applicable in
> the
> Windows XP Security newsgroup]
>
>



Posted by Karl Levinson on July 11, 2006, 10:50 am
I don't see any reason why those machines wouldn't be able to use NTLM or
Kerberos. It's not either / or. Many client and server machines use both,
depending on which one is negotiated. If this didn't happen, machines joined
to Kerberos domains wouldn't be able to connect to downlevel clients, and
downlevel NT / 98 systems wouldn't be able to join domains.

Check your Group Policy and Registry settings to see the relevant NTLM /
Kerberos negotiation settings to see that this is true. Most of the settings
involve negotiating authentication protocol from a list of choices.

With Windows 2000, there was an issue where once the client connected to a
Windows 2000 domain, whether NTLM or Kerberos were used, it could no longer
connect to an NT controller. But you just needed to unjoin and rejoin the
client workstations to the domain to go back.

-------------------------
Microsoft Security FAQ:
http://www.securityadmin.info




"DeadSquirrell" wrote:

> Howdy
>
> We are in the middle of an in-place upgrade from NT4 to Windows 2003 SP1 AD.
> We are using the NT4Emulator key as a transitional step to prevent Windows XP
> SP1 clients from using Kerberos for a range of reasons. We are about to
> neutralize all machines in our upgraded domain which will mean that all
> clients will begin
> to use Kerberos once their secure channels are reset. We have chosen this
> method over simply removing NT4Emulator as it gives us a better back-out
> option (i.e. we can selectively back out machines from Kerberos without having
> to rejoin the whole fleet to the domain).
>
> My question is - once we remove the Emulator keys from the Domain
> Controllers and all the clients are using Kerberos, is there any way we can
> force the clients to use NTLM? The reason I ask is that we are concerned that
> Kerberos may break some of our key applications and would like to ensure that
> once the emulator is removed, we have an alternative to revert to NTLM
> without rejoining everything to the domain.
>
> Regards,
> DB
>
> [Note: This is a cross post as the topic was noted as less applicable in the
> Windows XP Security newsgroup]
>
>

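The reply above points out that clients negotiate Kerberos or NTLM per connection, and suggests checking policy and registry settings to confirm it. The quickest way to see what is actually being negotiated is to read the logon events on the domain controller. The script below is an added example, not code from the thread or from either poster: it reads event 4624 from the Security log (Vista/2008 and later; the 2003-era equivalent is event 540 with a different field layout, which this script does not handle) and summarises network logons by authentication package. The `$MaxEvents` and `$ComputerName` parameters are assumptions for illustration.

```powershell
# Added example: summarise which authentication package (Kerberos or NTLM)
# network logons are actually using, from event 4624 in the Security log.
# Run on a domain controller with an account that can read the Security log.
# Assumes a Vista/2008 or later event layout (4624 carries
# AuthenticationPackageName and LmPackageName fields).

param(
    [int]$MaxEvents = 5000,                       # assumption: how far back to look
    [string]$ComputerName = $env:COMPUTERNAME     # assumption: local or remote DC
)

function Get-LogonPackageSummary {
    param([int]$MaxEvents, [string]$ComputerName)

    $filter = @{ LogName = 'Security'; Id = 4624 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # Pull the EventData name/value pairs out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Network (type 3) logons are where a client's choice of Kerberos vs NTLM
        # shows up on the server; skip interactive, service and other logon types.
        if ($d['LogonType'] -ne '3') { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            Package     = $d['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
            LmPackage   = $d['LmPackageName']               # 'NTLM V1' / 'NTLM V2', or '-' for Kerberos
            SourceIp    = $d['IpAddress']
        }
    }
    return $rows
}

$rows = Get-LogonPackageSummary -MaxEvents $MaxEvents -ComputerName $ComputerName

# Overall split. If everything was expected to move to Kerberos once the
# NT4Emulator keys are gone, a large NTLM share points at clients or
# applications that are still negotiating NTLM.
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

# Which workstations are still sending NTLM, and whether it is V1 or V2.
$rows | Where-Object { $_.Package -eq 'NTLM' } |
    Group-Object Workstation, LmPackage | Sort-Object Count -Descending |
    Select-Object Name, Count -First 20 | Format-Table -AutoSize
```

Running this before and after removing the NT4Emulator keys gives a direct measurement of the migration rather than an inference from policy settings, and the per-workstation list is the starting point for finding the applications the original poster was worried about.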