Saturday, June 19, 2010

Advantages of Kerberos over NTLM

As you may know, prior to Windows 2000, NTLM was the primary authentication protocol in Windows Server; from Windows 2000 onwards, Microsoft made Kerberos the native authentication protocol.

The Kerberos protocol is not only an industry standard but also offers numerous advantages over NTLM, some of which include:
  • Mutual Authentication - Not only can clients authenticate to a server, but the client can also request that the server authenticate itself to the client. This enhances security by ensuring that clients authenticate only to genuine servers.

  • Faster Authentication - The use of TGTs (ticket-granting tickets) substantially speeds up authentication in distributed systems, which facilitates more efficient and secure network access across the enterprise.

  • Support for Delegation - Kerberos enables security delegation, which allows a server to impersonate a client when accessing remote resources on that client's behalf; this helps provide trustworthy security in multi-tier application scenarios.

  • Support for PKI Integration - Through the PKINIT extension, Kerberos supports smart-card logon, which substantially enhances security because it obviates the need for passwords, allowing smart cards to be used instead.
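The mutual-authentication and ticket points above, shown as an added Python simulation that is not part of the original post: the KDC's service-ticket issuance, the client's AP-REQ and the server's AP-REP are reduced to a few functions, and the toy seal/unseal routine (hash-chain keystream plus HMAC tag) merely stands in for a real Kerberos encryption type. The AS exchange that issues the TGT is assumed to have already happened, and the principal names, keys and timestamps are all constructed; the point is that a server which never enrolled with the KDC cannot open the ticket, so it cannot return the client's timestamp under the session key and the client's check fails.

```python
import hashlib, hmac, json, os, time

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 chain): stands in for a Kerberos enctype; not a real cipher.
    out, block = b"", nonce
    while len(out) < n:
        block = hashlib.sha256(key + block).digest()
        out += block
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # "Encrypt" under key: nonce || ciphertext || HMAC tag (the tag makes the wrong key detectable).
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

SERVICE_KEY = os.urandom(32)  # constructed: long-term key shared by the KDC and the genuine server
ROGUE_KEY = os.urandom(32)    # constructed: key of an impostor that never enrolled with the KDC

def kdc_issue_service_ticket(client: str, service_key: bytes):
    # TGS-REP, simplified: ticket sealed under the service key, session key handed to the client.
    session_key = os.urandom(32)
    ticket = seal(service_key, {"client": client, "key": session_key.hex(), "expires": time.time() + 600})
    return ticket, session_key

def server_handle_ap_req(service_key: bytes, ticket: bytes, authenticator: bytes, skew: float = 300.0) -> bytes:
    # AP-REQ: only a holder of the service key can open the ticket and learn the session key.
    t = unseal(service_key, ticket)
    session_key = bytes.fromhex(t["key"])
    auth, now = unseal(session_key, authenticator), time.time()
    if t["expires"] < now or abs(now - auth["ts"]) > skew or auth["client"] != t["client"]:
        raise ValueError("ticket expired, clock skew too large, or client mismatch")
    return seal(session_key, {"ts": auth["ts"]})  # AP-REP: echo the timestamp under the session key

def client_authenticate(client: str, key_held_by_server: bytes) -> bool:
    # Mutual authentication: True only if the server proves it holds the session key (hence the service key).
    ticket, session_key = kdc_issue_service_ticket(client, SERVICE_KEY)
    auth = {"client": client, "ts": time.time()}
    try:
        ap_rep = server_handle_ap_req(key_held_by_server, ticket, seal(session_key, auth))
    except ValueError:
        return False  # impostor could not open the ticket, so no valid AP-REP arrives
    return unseal(session_key, ap_rep)["ts"] == auth["ts"]
```

Calling `client_authenticate("alice", SERVICE_KEY)` returns True, while `client_authenticate("alice", ROGUE_KEY)` returns False; the server side also rejects stale authenticators and client-name mismatches, which is the replay and substitution protection the timestamp check provides.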

All in all, Kerberos makes Windows Server powerful enough to provide enterprise-grade distributed security, and today its use is ubiquitous across the world.