Kerberos authentication is used when both of the following are true:

  • Both endpoints (client and server) are domain members running W2K or higher
    AND
  • In case of a trust, the trust path between the two domains supports Kerberos

 

Kerberos is supported within an AD forest (over the parent-child and tree-root trusts) and between AD forests when a forest trust is used.

In all other cases NTLM authentication is used: across an external trust, when one of the endpoints is not a domain member or is too old, and also when Kerberos is possible in principle but cannot be completed for that particular access. The usual reasons for that fallback are that the server is addressed by IP address instead of by name, or that no SPN is registered for the name that is used (or it is registered on the wrong account, or on two accounts), so the KDC cannot issue a service ticket and the client silently falls back to NTLM.
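The rule above, applied to the trusts of a domain as an added PowerShell example (this is not code from the original post). It classifies each trust by the properties Get-ADTrust returns (IntraForest, ForestTransitive) and reports which protocol can be used across it; MIT realm trusts are outside the scope of the post and are not handled. The sample trust objects and domain names are constructed so the function can be tried without a domain.

```powershell
# Added example, not from the original post: classify trusts by whether Kerberos
# can be used across them, applying the rule above (Kerberos inside the forest
# and across forest trusts, NTLM across everything else).

function Get-TrustAuthProtocol {
    param(
        # An object with Name, Direction, IntraForest and ForestTransitive
        # properties, i.e. the shape of the objects Get-ADTrust returns.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Trust
    )
    process {
        if ($Trust.IntraForest) {
            $kind     = 'Intra-forest (parent-child / tree-root)'
            $protocol = 'Kerberos'
        }
        elseif ($Trust.ForestTransitive) {
            $kind     = 'Forest trust'
            $protocol = 'Kerberos'
        }
        else {
            $kind     = 'External trust'
            $protocol = 'NTLM'
        }
        [pscustomobject]@{
            Name      = $Trust.Name
            Direction = $Trust.Direction
            TrustKind = $kind
            Protocol  = $protocol
        }
    }
}

# Constructed sample trusts standing in for the output of "Get-ADTrust -Filter *".
# The domain names are assumptions.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'child.domaina.example'; Direction = 'BiDirectional'; IntraForest = $true;  ForestTransitive = $false }
    [pscustomobject]@{ Name = 'domainb.example';       Direction = 'BiDirectional'; IntraForest = $false; ForestTransitive = $true  }
    [pscustomobject]@{ Name = 'legacy.example';        Direction = 'Outbound';      IntraForest = $false; ForestTransitive = $false }
)

$sampleTrusts | Get-TrustAuthProtocol | Format-Table -AutoSize

# Against a live domain (assumes the RSAT ActiveDirectory module is installed):
# Get-ADTrust -Filter * | Get-TrustAuthProtocol | Format-Table -AutoSize
```

This tells you what a trust is capable of, not what a given logon actually used; a Kerberos-capable trust still ends up with NTLM when the server is accessed by IP address or the SPN is missing, which you can only see in the logon events on the server itself.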

 

Let's say you have the following layout:

  • Domain A
    • Multiple DCs
    • Clients and servers
  • Domain B
    • Multiple DCs
    • Clients and servers
  • Domain A trusts Domain B and vice versa

 

If NTLM is used the order of authentication is:

  1. CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B
  2. CLIENT-DOMAIN_A connects to MEMBERSRV-DOMAIN_B, receives a challenge and answers it with a response computed from the password hash of the DOMAIN_A account
  3. MEMBERSRV-DOMAIN_B cannot verify that response itself, so it passes the challenge and response through its secure channel to a DC in DOMAIN_B and asks: do you know CLIENT-DOMAIN_A?
  4. The DC in DOMAIN_B says: NO, but I do trust DOMAIN_A. Let me check.
  5. The DC in DOMAIN_B passes the challenge and response over the trust's secure channel to a DC in DOMAIN_A and asks: do you know CLIENT-DOMAIN_A?
  6. The DC in DOMAIN_A verifies the response against the account's password hash and says: yes, it's OK, and returns the account's SID and group memberships
  7. The answer travels back the same way; MEMBERSRV-DOMAIN_B builds the access token for CLIENT-DOMAIN_A from it
  8. CLIENT-DOMAIN_A accesses MEMBERSRV-DOMAIN_B

 

If KERBEROS is used the order of authentication is:

  1. CLIENT-DOMAIN_A wants to access MEMBERSRV-DOMAIN_B, by name (the name must match an SPN registered on the server's account)
  2. CLIENT-DOMAIN_A presents its TGT to a DC (KDC) in DOMAIN_A and asks for a service ticket for MEMBERSRV-DOMAIN_B
  3. The DC in DOMAIN_A says: let me check, just a sec.
  4. The DC in DOMAIN_A says: that SPN does not exist within the domain or the forest. However I do have a trust with DOMAIN_B. Here is a referral (inter-realm) TGT, encrypted with the trust password; go to a DC in DOMAIN_B with it (if the two domains are not directly trusting, the client gets one referral per hop along the trust path)
  5. CLIENT-DOMAIN_A presents the referral TGT to a DC in DOMAIN_B and asks for a service ticket for MEMBERSRV-DOMAIN_B
  6. The DC in DOMAIN_B says: let me check, just a sec.
  7. The DC in DOMAIN_B validates the referral TGT with the trust password, adds its own domain local groups to the authorization data (PAC) and says: here's your service ticket, encrypted with the server's key. have fun
  8. CLIENT-DOMAIN_A presents the service ticket to MEMBERSRV-DOMAIN_B, which decrypts it with its own key, builds the access token from the PAC and grants access. No DC is contacted by the server for this step.
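Whether the Kerberos path above or the NTLM path was taken for a given access is recorded in the server's Security log: logon event 4624 carries the authentication package (Kerberos or NTLM) and the logon process (Kerberos or NtLmSsp). The following PowerShell is an added example, not code from the original post: it parses 4624 event XML into objects and flags NTLM network logons by accounts from a trusted domain, which is the signature of a trust access that fell back to NTLM. The two sample events, the account, host names and IP address are constructed; the Get-WinEvent query for a live server is shown at the end.

```powershell
# Added example, not from the original post: classify 4624 logon events by
# protocol and flag trusted-domain accounts that authenticated with NTLM
# instead of Kerberos. Sample events, names and IPs below are constructed.

function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $xml  = [xml]$EventXml
        $data = @{}
        # Each <Data Name="..."> element of a 4624 event becomes a key/value pair.
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }

        $protocol = switch ($data.AuthenticationPackageName) {
            'Kerberos' { 'Kerberos' }
            'NTLM'     { 'NTLM' }
            default    { 'Other' }
        }
        [pscustomobject]@{
            Domain      = $data.TargetDomainName
            Account     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
            LogonType   = [int]$data.LogonType
            AuthPackage = $data.AuthenticationPackageName
            LogonProc   = $data.LogonProcessName
            SourceIp    = $data.IpAddress
            Protocol    = $protocol
        }
    }
}

function Find-NtlmFallback {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Logon,
        # NetBIOS names of the trusted domains whose accounts should be using Kerberos.
        [Parameter(Mandatory)][string[]]$TrustedDomains
    )
    process {
        # Network logon (type 3) with NTLM by a trusted-domain account: the
        # Kerberos trust path was not used for this access.
        if ($Logon.LogonType -eq 3 -and $Logon.Protocol -eq 'NTLM' -and
            $TrustedDomains -contains $Logon.Domain) {
            $Logon
        }
    }
}

# Constructed 4624 events as MEMBERSRV-DOMAIN_B would log them (trimmed to the fields used here).
$kerberosEvent = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>MEMBERSRV.domainb.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">DOMAIN_A</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Kerberos</Data>
    <Data Name="AuthenticationPackageName">Kerberos</Data>
    <Data Name="IpAddress">10.1.0.25</Data>
  </EventData>
</Event>
"@
$ntlmEvent = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Computer>MEMBERSRV.domainb.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">DOMAIN_A</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">NtLmSsp</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">10.1.0.25</Data>
  </EventData>
</Event>
"@

$logons = @($kerberosEvent, $ntlmEvent) | ConvertFrom-LogonEventXml
$logons | Format-Table Account, LogonType, Protocol, LogonProc, SourceIp -AutoSize
# Only the second sample event is reported: same account and source, but NTLM.
$logons | Find-NtlmFallback -TrustedDomains 'DOMAIN_A'

# On a live server (reading the Security log requires administrative rights):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 1000 |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml |
#     Find-NtlmFallback -TrustedDomains 'DOMAIN_A'
```

Seeing the same account hit the same server with both packages, as in the constructed sample, usually means one client addresses the server by a name with a valid SPN and the other by IP address or by a name without one. The DCs in DOMAIN_A give the complementary view: NTLM pass-through validation shows up there as event 4776, whereas the Kerberos path shows up as ticket events 4768 and 4769.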

 

More information can be found in the following MS articles:

 

 

Cheers,

Jorge

------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------------