On Thu, Oct 16, 2008 at 9:16 PM, Lim, Melvin <[EMAIL PROTECTED]> wrote:
> Hi
>
> I would like to double confirm where did the Kerberos fallback to NTLM
> taking place,
>
> 1. The fallback taking place while negotiation
> 2. The fallback taking place after the negotiation

Hi Melvin,

First, you should realize that you're asking about a largely Microsoft Windows-specific issue whereas this is a Kerberos-only mailing list (albeit gracious to MS-specific questions). Other than both being authentication protocols, NTLM and Kerberos are not related.

Anyway, the answer to your question is option "0". Meaning a Windows client will fall back to NTLM if it cannot perform Kerberos for any reason. That evaluation occurs before any "negotiation" with the target.

Specifically, when a Windows client decides that it is to perform SSPI style authentication, it tries to acquire a Kerberos ticket for the desired service. There are a number of points where that acquisition can fail. The client may not be joined to the domain, it may not have adequate communication with the KDC, the service account may not be set up correctly, etc. If any of these things fail, the client will then try NTLM.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
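
Since the reply above places the Kerberos-or-NTLM decision before any exchange with the target, the outcome is already visible in the first token a service receives. The following is an added example, not part of the original message: it assumes an HTTP service that receives `Authorization: Negotiate`/`NTLM` headers, and the function names and the sample header builder are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy MS)
NTLM = bytes.fromhex("060a2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm"}

def read_tlv(buf, pos):  # one DER header -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return tag, pos, pos + length

def first_mechanism(authorization):
    """Name the mechanism the client preferred in its first token."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        tok = base64.b64decode(b64, validate=True)
        if tok.startswith(NTLMSSP_SIG):              # raw NTLM, no SPNEGO wrapper
            return "ntlm"
        tag, pos, _ = read_tlv(tok, 0)               # GSS-API InitialContextToken
        if tag != 0x60:
            return "unknown"
        if not tok.startswith(OID_SPNEGO, pos):      # bare mechanism token
            _, _, end = read_tlv(tok, pos)
            return MECHS.get(tok[pos:end], "unknown")
        pos += len(OID_SPNEGO)
        for expected in (0xA0, 0x30, 0xA0, 0x30):    # NegTokenInit -> mechTypes list
            tag, pos, _ = read_tlv(tok, pos)
            if tag != expected:
                return "unknown"
        _, _, end = read_tlv(tok, pos)               # first (preferred) mechType
        return MECHS.get(tok[pos:end], "unknown")
    except (ValueError, IndexError):                 # bad base64 or short buffer
        return "malformed"

def der(tag, body):      # short-form DER, enough for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_header(*mech_oids):  # constructed Negotiate header, mechTypes only
    init = der(0xA0, der(0x30, der(0xA0, der(0x30, b"".join(mech_oids)))))
    return "Negotiate " + base64.b64encode(der(0x60, OID_SPNEGO + init)).decode()
```

A result of `ntlm` for a client that was expected to use Kerberos points back to one of the ticket-acquisition failures listed in the reply, so the place to investigate is the client, the KDC path or the service account rather than the negotiation itself.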