Kerberos is the protocol of choice in Windows 2000/2003 domains.
Kerberos will be initially used on any authentication requests between a
Windows 2000 or higher client and a Windows 2000/2003 resource.  If the
resource is an NT 4.0 server or if Kerberos fails, the authentication
will resort to NTLM.  Are you running IPSEC between the frontend server
and the backend server?  I don't think there is another way to encrypt
this traffic.

I searched and could not find a setting to disable NTLM authentication.
However, I think this should work.  On the OWA server, set a policy to
only send NTLM.  On the backend server and the domain controllers set a
policy to only accept NTLMv2 and reject LM and NTLM.  This should stop
any NTLM authentication between the OWA server and the Backend Exchange
server.

Dennis 
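An added check, not from Dennis or the list, for the policy his suggestion relies on: the Security Options setting "Network security: LAN Manager authentication level", stored as the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, where level 5 is "Send NTLMv2 response only. Refuse LM & NTLM". Host names and the per-role required levels are placeholders; the script reads the value from each server over the remote registry and flags anything weaker than required.

```powershell
# Added example (not from the thread). Audits the effective LAN Manager
# authentication level on each role. Requires admin rights and the Remote
# Registry service on the targets; host names below are placeholders.

$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName)
    # Returns the DWORD, or $null when the policy has never been set and the
    # OS default applies (Windows Server 2003 defaults to 2).
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
    $val  = $key.GetValue('LmCompatibilityLevel')
    $key.Close(); $base.Close()
    return $val
}

# Placeholder roles: the front-end OWA server must at least send NTLMv2 only;
# the back-end Exchange server and the DCs must refuse LM and NTLM (level 5).
$targets = @(
    @{ Host = 'OWA-FE1';  Required = 3 },
    @{ Host = 'EXCH-BE1'; Required = 5 },
    @{ Host = 'DC1';      Required = 5 }
)

foreach ($t in $targets) {
    $level = Get-LmCompatibilityLevel -ComputerName $t.Host
    if ($null -eq $level) {
        $status = 'NOT SET (OS default applies; on Windows Server 2003 that is 2, which still sends NTLMv1)'
    } elseif ($level -ge $t.Required) {
        $status = "OK ($level = $($LmLevelText[[int]$level]))"
    } else {
        $status = "WEAK ($level = $($LmLevelText[[int]$level]); want >= $($t.Required))"
    }
    '{0,-10} {1}' -f $t.Host, $status
}
```

The level only governs which NTLM responses a host will send or accept; it does not report whether a particular OWA logon was negotiated as Kerberos or NTLM, which still has to be read from the traffic or the security log.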

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
> Sent: Wednesday, September 08, 2004 7:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] RPC Netlogon to AD
> 
> > It uses either Kerberos or NTLM based on the best protocol that can be
> > negotiated (using the Negotiate protocol).
> > I don't believe you can disable the netlogon.  Also, your question
> > doesn't make sense to me as the server IS using Kerberos (or NTLM) to
> > authenticate the user to AD.
> Oh, I don't know that Netlogon uses either Kerberos or NTLM;
> Ethereal can't parse it, maybe because it's being sent encrypted.
> So, how does it work?  It tries Kerberos first and only if
> it doesn't work then it will try NTLM?
>  
> > If you want to ensure you are using Kerberos, you can set the OWA server
> > to only allow Kerberos authentication.  This can be set using a group
> > policy.
> Which policy?  Group Policy --> Computer Configuration -->
> Windows Settings --> Security Settings --> Local Policies -->
> Security Options --> ?
>  
> Thanks 
> lara
> Lara Adianto <[EMAIL PROTECTED]> wrote:
> 
> Hi list,
> 
> In the process of authenticating a user login to OWA, I
> noticed that the front end server uses DC RPC RPC_Netlogon to
> authenticate the user to AD. However, as the stub data is
> encrypted, I couldn't really figure out how the
> authentication is actually done. Is it NTLM? Kerberos? Or
> something else?
> 
> Is there any way to disable RPC_Netlogon authentication
> and configure Front End to use Kerberos to authenticate the
> user to AD?
> 
> thanks
> lara
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/