If Kerberos authentication fails, does it always fall back to NTLM?

I have gone through many blogs that say that if Kerberos fails then it automatically falls back to NTLM. Is this true?

+2




3 answers


Yes, this is the case if you have configured Kerberos through central administration.
You should have "Negotiate, NTLM" in the IIS metabase.



+1




This is actually a pretty big question with Kerberos. Yes, Negotiate will choose between Kerberos and NTLM, but that's one time. This is not a failover authentication. Therefore, if Kerberos authentication fails, the server will not specifically send new client NTLM authentication.



0




I think the client decides what to send and the server just accepts or rejects. Depending on what the server is asking for, the client may or may not be able to complete. So if the server says "Negotiate", the client can send NTLM token or Kerberos token ...?

If you are writing a server that needs to authenticate clients via Kerberos, you can specify if you want to accept or reject the token, or ask the client to re-use some other scheme ... for example Basic (not recommended).

If you are writing a client, simply submit which token you want (NTLM or Kerberos) and the server will tell you what to do next (if anything, the server can accept).

Take a look at this open source project http://spnego.sourceforge.net The project implements the SPNEGO Http servlet filter as well as the SpnegoHttpURLConnection object.

0


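As the answers above note, the Negotiate scheme can carry either a Kerberos/SPNEGO token or a raw NTLM token, so the only way to know which one a client actually used is to inspect the token. The Python below is an added example, not code from any answer here or from the spnego.sourceforge.net project: it classifies captured `Authorization: Negotiate` header values by their leading bytes (the `NTLMSSP\0` signature versus a GSS-API token's mechanism OID), which is the check a defender would run over proxy or IIS logs to find clients that silently ended up on NTLM. The sample header values are constructed, not captured traffic.

```python
import base64

# DER-encoded mechanism OIDs that follow the 0x60 APPLICATION tag of a GSS-API token
OID_SPNEGO = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2 (SPNEGO)
OID_KRB5 = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2 (Kerberos 5)
NTLMSSP = b"NTLMSSP\x00"                             # signature of every NTLM message

def classify_negotiate_token(header_value: str) -> str:
    """Classify an 'Authorization: Negotiate <b64>' value as ntlm, spnego, kerberos or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:                       # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP):
        return "ntlm"                        # raw NTLM carried under the Negotiate scheme
    if len(token) > 2 and token[:1] == b"\x60":  # GSS-API InitialContextToken: 0x60, DER length, OID
        length_byte = token[1]               # short form (<0x80) or long form (0x80 | number of bytes)
        body = token[2:] if length_byte < 0x80 else token[2 + (length_byte & 0x7F):]
        if body.startswith(OID_SPNEGO):
            return "spnego"
        if body.startswith(OID_KRB5):
            return "kerberos"
    return "unknown"

def summarize(header_values):
    """Count token types across a batch of header values, e.g. pulled from proxy logs."""
    counts = {"ntlm": 0, "spnego": 0, "kerberos": 0, "unknown": 0}
    for value in header_values:
        counts[classify_negotiate_token(value)] += 1
    return counts

def _gss_token(oid: bytes, inner: bytes) -> bytes:
    """Build a constructed GSS-API token for the samples (short-form DER length only)."""
    payload = oid + inner
    assert len(payload) < 0x80               # samples are small; long-form lengths not needed here
    return b"\x60" + bytes([len(payload)]) + payload

# Constructed sample headers (hypothetical inner payloads, enough to exercise the classifier)
SAMPLE_HEADERS = [
    "Negotiate " + base64.b64encode(NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 20).decode(),
    "Negotiate " + base64.b64encode(_gss_token(OID_SPNEGO, b"\xa0\x03\x02\x01\x00")).decode(),
    "Negotiate " + base64.b64encode(_gss_token(OID_KRB5, b"\x01\x00" + b"\x00" * 8)).decode(),
    "Basic dXNlcjpwYXNz",
]
if __name__ == "__main__":
    print(summarize(SAMPLE_HEADERS))  # {'ntlm': 1, 'spnego': 1, 'kerberos': 1, 'unknown': 1}
```

In practice a client that sends a raw NTLMSSP token under Negotiate never attempted Kerberos at all, which is the situation the second answer describes.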