Tags: active-directory, kerberos, sspi, ntlmv2

SSPI negotiation dilemma


When SSPI is in "negotiate mode", NTLM seems to be the favorite one (a legacy story). But when and why does SSPI consider (and pick) Kerberos?

(As far as I can see, when the client and server are on the same machine, NTLM is picked.)


Solution

  • Kerberos is preferred over NTLM and used whenever it's possible, i.e.:

    • the client machine is logged into Active Directory
    • the client machine can access DNS
    • DNS contains an A record (not a CNAME alias) for the server the client wants to access (both forward and backward), so that the web browser can transform it into the correct SPN
    • there are no duplicated SPNs
    • the web server runs on a different machine than the client web browser
    • there must be at least one encoding type which both machines support (defined in krb5.ini)
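As an added illustration (not code from the question or the answer above), the checklist in the answer can be turned into a small decision function: given the client's state, the server, and the host name the browser was asked for, it walks the same conditions (domain membership, DNS reachability, A record versus CNAME, forward/reverse agreement, SPN registered exactly once, a shared encryption type, client and server not the same box) and reports whether Negotiate would end up at Kerberos or fall back to NTLM, with the reasons. The DNS zones, SPN registrations, account names and enctype names are constructed sample data; in a real environment the same facts come from nslookup / Resolve-DnsName, `setspn -X` (which lists duplicate SPNs) and the account's supported encryption types.

```python
"""Decide whether SSPI Negotiate can select Kerberos for an HTTP request,
following the checklist from the answer.  All directory/DNS data here is
constructed for the example; it is not real AD or DNS output."""

from dataclasses import dataclass, field

# Constructed forward zone: name -> ("A", ip) or ("CNAME", target)
FORWARD_DNS = {
    "web01.corp.example.": ("A", "10.0.0.5"),
    "intranet.corp.example.": ("CNAME", "web01.corp.example."),
    "orphan.corp.example.": ("A", "10.0.0.9"),
}
# Constructed reverse zone: ip -> PTR name (10.0.0.9 has no PTR on purpose)
REVERSE_DNS = {"10.0.0.5": "web01.corp.example."}
# Constructed SPN registrations: spn -> accounts holding it
SPN_REGISTRY = {
    "HTTP/web01.corp.example": ["CORP\\svc-web"],
    "HTTP/orphan.corp.example": ["CORP\\svc-a", "CORP\\svc-b"],  # duplicate SPN
}


@dataclass
class Client:
    hostname: str
    domain_joined: bool
    dns_reachable: bool
    enctypes: frozenset


@dataclass
class Server:
    hostname: str
    enctypes: frozenset


@dataclass
class Decision:
    protocol: str                      # "Kerberos" or "NTLM"
    reasons: list = field(default_factory=list)


def resolve_a(name, max_hops=8):
    """Follow CNAMEs to an A record; return (canonical fqdn, ip, was_alias)."""
    fqdn = name.rstrip(".") + "."
    was_alias = False
    for _ in range(max_hops):
        rec = FORWARD_DNS.get(fqdn)
        if rec is None:
            return None, None, was_alias
        kind, value = rec
        if kind == "A":
            return fqdn, value, was_alias
        was_alias = True
        fqdn = value
    return None, None, was_alias       # CNAME loop or chain too deep


def expected_spn(fqdn, service="HTTP"):
    """SPN the browser builds from the resolved host name (e.g. HTTP/host.fqdn)."""
    return f"{service}/{fqdn.rstrip('.')}"


def negotiate(client, server, requested_host):
    """Apply the answer's conditions; any failed condition means NTLM fallback."""
    reasons = []
    if not client.domain_joined:
        reasons.append("client not logged into Active Directory")
    if not client.dns_reachable:
        reasons.append("client cannot reach DNS")
    if client.hostname.lower() == server.hostname.lower():
        reasons.append("client and server are the same machine")
    if client.dns_reachable:
        fqdn, ip, was_alias = resolve_a(requested_host)
        if fqdn is None:
            reasons.append(f"no A record for {requested_host}")
        else:
            if was_alias:
                reasons.append(f"{requested_host} is a CNAME alias, not an A record")
            if REVERSE_DNS.get(ip) != fqdn:
                reasons.append(f"reverse lookup of {ip} does not match {fqdn}")
            holders = SPN_REGISTRY.get(expected_spn(fqdn), [])
            if not holders:
                reasons.append(f"SPN {expected_spn(fqdn)} is not registered")
            elif len(holders) > 1:
                reasons.append(f"SPN {expected_spn(fqdn)} is duplicated on {holders}")
    if not (client.enctypes & server.enctypes):
        reasons.append("no encryption type supported by both machines")
    return Decision("NTLM", reasons) if reasons else Decision("Kerberos")


if __name__ == "__main__":
    aes = frozenset({"aes256-cts-hmac-sha1-96"})
    c = Client("pc42.corp.example", True, True, aes)
    s = Server("web01.corp.example", aes | {"rc4-hmac"})
    for host in ("web01.corp.example", "intranet.corp.example", "orphan.corp.example"):
        d = negotiate(c, s, host)
        print(host, "->", d.protocol, d.reasons)
```

Each failed condition is recorded rather than stopping at the first one, because in practice several of them (a CNAME plus a missing PTR plus a duplicate SPN) tend to fail together and the fix needs all of them.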