KB N° 2600: DIFFERENCES BETWEEN KERBEROS AND NTLM
NLTM uses a challenge-response mechanism. The client sends a request and the proxy requests authentication. The client then returns the same request along with its login identifiers. Kerberos uses symmetric-key cryptography to ensure secure communication between two hosts.
Context
Differences between NTLM and Kerberos:
NTLM
NTLM is a Microsoft authentication method used with Microsoft Active Directory networks.
NTLM uses a challenge-response mechanism. The client sends a request and the proxy requests authentication. The client then returns the same request along with its login identifiers. You will be able to see two HTTP 407 codes in the access.log file (authentication error/authentication request), followed by access to the resource.
Kerberos
Kerberos uses symmetric-key cryptography to ensure secure communication between two hosts. Communications are carried out using a shared secret key. As the cryptographic algorithms used are public (AES, DES, 3DES, etc.), the security of the system is entirely determined by the confidentiality of this encryption key.
In order to manage this system, Kerberos uses a trusted third party which provides users with keys and subscribed services (principals). A Kerberos server is a type of KDC (Key Distribution Center).
Kerberos is a secure service that ensures the confidentiality and integrity of data, as well as ensuring non-repudiation (all participants are identified, including the server, unlike with NTLM). The authentication service ensures the unique identification of the customer and provides a session ticket which it can use to request tickets for the use of kerberised services. Each service ticket consists of a session ticket encrypted with the kerberised service key. The Kerberos service can be divided into two distinct functions:
- Authentication service
- Issuing of service tickets
Kerberos was developed at MIT in the 1990s. Today, it is widely deployed and is available for all major operating systems (Linux, Windows, Mac OS, etc.).
Steps
In order to implement an integration with NTLM or Kerberos authentication, the following configuration settings must be specified in Olfeo webadmin:
- A directory must be specified under Configuration > Authentication > Directory. Make sure that the Domain and Workgroup fields in the Domain section are populated.
- Enter a domain controller as the DNS server, or a DNS that can correctly resolve DNS requests for the Olfeo machine.
- Specify an NTP server: either the domain controller (if it is an NTP server), or the NTP server configured for the domain controller.
- Define the link to the Windows domain under Configuration > Authentication >Link to Windows domain.
Enter the login and password for an account with the appropriate rights(add_workstation).
If successful, you should see the name of your AD server under status (LDAP server name: server.domain.tld).
Once linked, you can choose between NTLM and Kerberos authentication.
- NTLM Authentication can be used at two levels:
- Explicit proxy
- NTLM captive portal
- Kerberos can be used with an explicit proxy integration.
Validation
To verify the correct functioning of NTLM or Kerberos from a command line prompt:
NTLM
Various associated commands:
- #>wbinfo -t: Checks the link to the domain
- #>wbinfo -u: Lists the domain users
- #>wbinfo -g: Lists the domain groups
- #>wbinfo -trusted-domains: Lists the servers with trusted relationships
- #>/usr/bin/ntlm_auth -helper-protocol=squid-2.5-basic user password: Allows you to test NTLM authentication in basic mode (login + password).
The return codes here are straightforward:
- OK, when login and password are both valid
- ERR, when login and/or password are not valid.
Configuration files:
- /etc/samba/smb.conf
- /etc/krb5.conf
Kerberos
Unlike NTLM mode, with Kerberos users must target the FQDN name and not the Proxy IP address.
Check that the keytab file exists:
#>ls /etc/squid3/HTTP.keytab
Various related commands:
- #>wbinfo -t: Checks the link to the domain
- #>wbinfo -u: Lists the domain users
- #>wbinfo -g: Lists the domain groups
- #>wbinfo -trusted-domains: Lists all servers with trusted relationships
- #>wbinfo -K user%password: Allows manual testing of Kerberos authentication
The relevant configuration files are as follows:
- /etc/samba/smb.conf
- /etc/krb5.conf