
KB N°2440: DIFFERENCES BETWEEN KERBEROS AND NTLM

KB Olfeo On-Premise
June 2, 2023

NTLM uses a challenge-response mechanism: the client sends a request, the proxy refuses it and issues a challenge, and the client resends the request with a response computed from the challenge and its password hash; the password itself never crosses the wire. Kerberos relies on symmetric encryption and a trusted third party (the KDC) to secure the dialogue between two parties.

Context

Differences between NTLM and Kerberos:

NTLM

NTLM is Microsoft's legacy challenge-response authentication protocol. It is still used in Active Directory networks whenever Kerberos cannot be, for instance when a client addresses the proxy by IP address rather than by name.

NTLM uses a challenge-response mechanism. The client sends a request; the proxy answers 407 Proxy Authentication Required and advertises NTLM; the client resends the request with an NTLM negotiate token; the proxy answers a second 407 carrying an 8-byte server challenge; the client resends the request a third time with a response computed from that challenge and its password hash. In a capture you therefore see two 407s (1. the proxy announcing NTLM, 2. the proxy's challenge), followed by access to the resource. The password itself is never transmitted, but the exchange is one-way: the client obtains no proof of the proxy's identity, which is also why NTLM responses can be relayed by an attacker positioned between the two.
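As an added illustration of this exchange (example code written for this page, not part of the Olfeo KB or product), the script below builds the three NTLMSSP messages with the MS-NLMP layout, stages them in a constructed proxy trace, and decodes them the way one would read a capture: the second 407 carries the proxy's 8-byte challenge, the final request carries the user, domain and workstation names plus the keyed response, and the password string appears nowhere. The NTLMv2 response bytes, the challenge value and the flag words are constructed placeholders, not computed from a real hash; the header and function names are the example's own.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"


def _sec_buf(offset: int, data: bytes) -> bytes:
    """MS-NLMP security buffer header: Len, MaxLen, Offset of the payload in the message."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_negotiate() -> bytes:
    """Type 1 NEGOTIATE: only the flags the client supports, no credentials (40-byte header)."""
    return (NTLMSSP + struct.pack("<II", 1, 0xE2088297)
            + _sec_buf(40, b"") + _sec_buf(40, b"") + b"\x00" * 8)


def build_challenge(server_challenge: bytes, target: str) -> bytes:
    """Type 2 CHALLENGE: the proxy's 8-byte nonce sits at offset 24 of a 56-byte header."""
    tname = target.encode("utf-16-le")
    return (NTLMSSP + struct.pack("<I", 2) + _sec_buf(56, tname)
            + struct.pack("<I", 0xE2898235) + server_challenge + b"\x00" * 8
            + _sec_buf(56 + len(tname), b"") + b"\x00" * 8 + tname)


def build_authenticate(user: str, domain: str, workstation: str, nt_response: bytes) -> bytes:
    """Type 3 AUTHENTICATE: names plus the keyed responses, never the password (72-byte header)."""
    parts = [b"\x00" * 24, nt_response]                  # LM response (unused), NT response
    parts += [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    fields, off = b"", 72
    for p in parts:
        fields += _sec_buf(off, p)
        off += len(p)
    return (NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", 0xE2888235)
            + b"\x00" * 8 + b"".join(parts))


def parse_ntlm(token_b64: str) -> dict:
    """Decode the base64 token after 'NTLM ' in a Proxy-Authenticate / Proxy-Authorization header."""
    msg = base64.b64decode(token_b64)
    if msg[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP token")
    mtype = struct.unpack_from("<I", msg, 8)[0]

    def buf(at: int) -> bytes:
        ln, _mx, off = struct.unpack_from("<HHI", msg, at)
        return msg[off:off + ln]

    if mtype == 1:
        return {"type": 1}
    if mtype == 2:
        return {"type": 2, "target": buf(12).decode("utf-16-le"),
                "server_challenge": msg[24:32].hex()}
    if mtype == 3:
        return {"type": 3, "domain": buf(28).decode("utf-16-le"),
                "user": buf(36).decode("utf-16-le"),
                "workstation": buf(44).decode("utf-16-le"),
                "nt_response_len": len(buf(20))}
    raise ValueError(f"unknown NTLM message type {mtype}")


def sample_handshake() -> list:
    """Constructed trace of one explicit-proxy NTLM login: (request headers, status, response headers)."""
    chal = bytes.fromhex("0123456789abcdef")              # proxy nonce (constructed value)
    nt_resp = b"\x11" * 16 + b"\x01\x01" + b"\x00" * 30   # stand-in NTLMv2 response: HMAC + blob, not computed

    def b64(m: bytes) -> str:
        return base64.b64encode(m).decode()

    return [
        ({}, 407, {"Proxy-Authenticate": "NTLM"}),
        ({"Proxy-Authorization": "NTLM " + b64(build_negotiate())}, 407,
         {"Proxy-Authenticate": "NTLM " + b64(build_challenge(chal, "OLFEO"))}),
        ({"Proxy-Authorization": "NTLM " + b64(build_authenticate("alice", "OLFEO", "PC-ALICE", nt_resp))},
         200, {}),
    ]


def summarize(trace: list) -> dict:
    """Walk the trace as one reads a capture: which 407 carries what, and what the client finally sends."""
    out = {"statuses": [status for _, status, _ in trace], "stages": []}
    for req, status, resp in trace:
        for hdr in (req.get("Proxy-Authorization"), resp.get("Proxy-Authenticate")):
            if not hdr:
                continue
            if hdr == "NTLM":
                out["stages"].append("proxy advertises NTLM")
                continue
            info = parse_ntlm(hdr.split(" ", 1)[1])
            out["stages"].append(f"type {info['type']}")
            if info["type"] == 2:
                out["server_challenge"] = info["server_challenge"]
            elif info["type"] == 3:
                out.update(user=info["user"], domain=info["domain"], nt_response_len=info["nt_response_len"])
    return out
```

Running summarize(sample_handshake()) gives statuses [407, 407, 200] and the stage sequence "proxy advertises NTLM", type 1, type 2, type 3: the first 407 only names the scheme, the second carries the challenge, and the type 3 message carries names and a keyed response, not a password. The same parse_ntlm() can be pointed at tokens copied out of a real capture.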

Kerberos

Kerberos uses symmetric encryption to secure the dialogue between two parties. Each dialogue is protected with a shared secret key. The encryption algorithms are public (AES today; the older DES, 3DES and RC4 enctypes are deprecated and should be disabled on the domain), and the security of the system rests on the confidentiality of the keys.

To make such a system manageable, Kerberos relies on a trusted third party that distributes keys to the enrolled users and services (principals). A Kerberos server is called a KDC (Key Distribution Center); in an Active Directory domain every domain controller is a KDC.

Kerberos provides mutual authentication (unlike NTLM, all participants are identified, including the server) and hands each pair of parties a session key with which they can protect the confidentiality and integrity of what follows. It does not provide non-repudiation: the keys are symmetric, so the KDC, which knows every key, could produce the same messages. The authentication service (AS) identifies the client once, using the long-term key derived from its password, and issues it a ticket-granting ticket (TGT) together with a session key; the client then presents the TGT to the ticket-granting service (TGS) to request a ticket for each Kerberized service. A service ticket is encrypted with the key of the service it is issued for, so only that service can read it. A Kerberos server therefore provides two functions:

  • the authentication service (AS)
  • the ticket-granting service (TGS).
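The three exchanges described above (AS, TGS, and the final presentation of the ticket to the service) are easier to follow with both sides written out. The following is an added, self-contained simulation written for this page, not Kerberos or Olfeo code: it uses a toy HMAC-SHA256 based authenticated cipher in place of the real AES enctypes, derives the user's key from the password with a plain salted hash instead of the real string-to-key function, and uses a constructed realm DOMAINE.TLD with one user and the proxy's HTTP service principal. The 300-second freshness window mirrors the default clock-skew tolerance, which is why the page insists on NTP.

```python
import hmac
import json
import os
import time
from hashlib import sha256


# Toy authenticated cipher standing in for Kerberos enctypes (real KDCs use AES-CTS-HMAC).
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), sha256).digest() for i in range(n // 32 + 1))


def encrypt(key: bytes, obj: dict) -> bytes:
    """nonce || (json XOR keystream) || HMAC tag: only the key holder can read or forge it."""
    data, nonce = json.dumps(obj).encode(), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, sha256).digest()


def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, sha256).digest()):
        raise PermissionError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def password_key(password: str, salt: str) -> bytes:
    """Stand-in for string-to-key; real Kerberos salts with realm + principal and uses PBKDF2."""
    return sha256((salt + password).encode()).digest()


class KDC:
    """Trusted third party: holds every principal's long-term key plus the krbtgt key."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = dict(principals)
        self.keys["krbtgt/" + realm] = os.urandom(32)       # key that seals TGTs

    def as_exchange(self, client: str, preauth: bytes) -> tuple:
        """AS-REQ/AS-REP: pre-auth proves the password; reply is a session key plus a TGT."""
        ts = decrypt(self.keys[client], preauth)["ts"]       # PermissionError on a wrong password
        if abs(time.time() - ts) > 300:
            raise PermissionError("clock skew: pre-authentication timestamp is stale")
        sk_tgs = os.urandom(32)
        tgt = encrypt(self.keys["krbtgt/" + self.realm], {"cname": client, "sk": sk_tgs.hex()})
        return encrypt(self.keys[client], {"sk": sk_tgs.hex()}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        """TGS-REQ/TGS-REP: TGT + authenticator in; service ticket + new session key out."""
        t = decrypt(self.keys["krbtgt/" + self.realm], tgt)
        if decrypt(bytes.fromhex(t["sk"]), authenticator)["cname"] != t["cname"]:
            raise PermissionError("authenticator does not match TGT")
        sk_svc = os.urandom(32)
        ticket = encrypt(self.keys[service], {"cname": t["cname"], "sk": sk_svc.hex()})
        return encrypt(bytes.fromhex(t["sk"]), {"sk": sk_svc.hex()}), ticket


def client_get_service_ticket(kdc: KDC, user: str, password: str, service: str) -> tuple:
    """Client side: AS exchange, then TGS exchange. Returns (ticket, authenticator, session key)."""
    ckey = password_key(password, kdc.realm + user)
    as_rep, tgt = kdc.as_exchange(user, encrypt(ckey, {"ts": time.time()}))
    sk_tgs = bytes.fromhex(decrypt(ckey, as_rep)["sk"])
    tgs_rep, ticket = kdc.tgs_exchange(tgt, encrypt(sk_tgs, {"cname": user, "ts": time.time()}), service)
    sk_svc = bytes.fromhex(decrypt(sk_tgs, tgs_rep)["sk"])
    return ticket, encrypt(sk_svc, {"cname": user, "ts": time.time()}), sk_svc


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> tuple:
    """Service side (AP-REQ): needs only its own keytab key and never contacts the KDC."""
    t = decrypt(service_key, ticket)
    a = decrypt(bytes.fromhex(t["sk"]), authenticator)
    if a["cname"] != t["cname"] or abs(time.time() - a["ts"]) > 300:
        raise PermissionError("authenticator does not match ticket or is stale")
    return t["cname"], encrypt(bytes.fromhex(t["sk"]), {"ts": a["ts"]})   # AP-REP: mutual authentication


def demo() -> dict:
    """Constructed realm: one user, one HTTP proxy service principal, one wrong-password attempt."""
    realm, user, password, spn = "DOMAINE.TLD", "alice", "correct horse", "HTTP/proxy.domaine.tld"
    service_key = os.urandom(32)
    kdc = KDC(realm, {user: password_key(password, realm + user), spn: service_key})
    ticket, authenticator, sk_svc = client_get_service_ticket(kdc, user, password, spn)
    cname, ap_rep = service_accept(service_key, ticket, authenticator)
    mutual = decrypt(sk_svc, ap_rep)["ts"] == decrypt(sk_svc, authenticator)["ts"]
    try:
        client_get_service_ticket(kdc, user, "wrong password", spn)
        wrong = "accepted"
    except PermissionError:
        wrong = "rejected at pre-authentication"
    return {"service_saw": cname, "mutual_auth": mutual, "wrong_password": wrong}
```

demo() returns the service's view of the client name, whether the client could verify the AP-REP (the proxy proving it holds its own key, which NTLM never does), and that a wrong password is refused by the KDC before any ticket is issued. Note that the client never sees the service's key: decrypt(sk_svc, ticket) fails, which is exactly why the keytab on the proxy is the secret that matters.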

Kerberos was developed at MIT in the 1980s as part of Project Athena; version 5, the one in use today, was standardized in RFC 1510 (1993) and revised in RFC 4120 (2005). It is now widely deployed and available in all the environments in use today (Linux, Windows, macOS, etc.).

Steps

To integrate with NTLM or Kerberos authentication, you must first join your Olfeo to the AD domain:

  1. Declare a directory in Settings > Authentication > Directory. Make sure you fill in the Domain section (Domain + Workgroup).
  2. Set the DNS server to the domain controller or a DNS that can correctly resolve DNS requests for the Olfeo machine.
  3. To set an NTP server, choose either the domain controller or the same NTP server as the domain controller.
  4. Connect to the domain in Settings > Authentication > Join Windows domain.

    Here, enter the login and password of an account that has the right to add workstations to the domain (add_workstation). Prefer an account delegated only that right over a domain administrator: the credentials are used for the join itself and nothing more.

Please note that joining the domain may take a little time, and may have to be done twice (the first attempt writes the configuration files).

If all has gone well, you should see your AD server name in the status (LDAP server name: serveur.domaine.tld).

Once the connection has been made, you can choose between NTLM or Kerberos authentication.

  • NTLM can be used on two levels:
    • explicit proxy
    • NTLM captive portal
  • Kerberos can be used with explicit proxy integration. A fully qualified machine name is required (see proxy integration).

Validation

To check that NTLM or Kerberos is working correctly from the command line:

NTLM

Various related commands:

  • #>wbinfo -t : checks the trust with the domain (the machine account's shared secret)
  • #>wbinfo -u : lists the domain users
  • #>wbinfo -g : lists the domain groups
  • #>wbinfo --trusted-domains : lists the domains with which a trust relationship exists
  • #>echo 'user password' | /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic : tests NTLM authentication in basic mode (login + password). The helper reads "login password" pairs on its standard input, one per line, exactly as Squid would feed them.

    Here, the return codes are simple:

    • OK, when the login/password pair is valid.
    • ERR, when the login/password pair is invalid.

The configuration files are :

  • /etc/samba/smb.conf
  • /etc/krb5.conf
WARNING: The machine hostname (its NetBIOS name, i.e. the first label of the FQDN) cannot exceed 15 characters.

Kerberos

Unlike NTLM mode, with Kerberos users must address the proxy by its FQDN and not by its IP address: the client derives the service principal name (HTTP/fqdn) from the name it connects to, and no ticket can be obtained for an IP address.

Check that the keytab file is present.

#>ls /etc/squid3/HTTP.keytab

Various related commands:

  • #>wbinfo -t : checks the trust with the domain (the machine account's shared secret)
  • #>wbinfo -u : lists the domain users
  • #>wbinfo -g : lists the domain groups
  • #>wbinfo --trusted-domains : lists the domains with which a trust relationship exists
  • #>wbinfo -K user%password : tests Kerberos authentication manually (winbind obtains a TGT for that user from the KDC; a failure here points at DNS, time synchronization or the realm configuration rather than at the proxy's keytab)

The configuration files are :

  • /etc/samba/smb.conf
  • /etc/krb5.conf
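The checks in this Validation section (the 15-character NetBIOS limit, addressing the proxy by FQDN rather than IP, and the presence of a usable keytab) can be scripted before users are pointed at the proxy. The following pre-flight checker is an added example written for this page, not Olfeo tooling: it derives the SPN a client will request from the proxy URL, validates the hostname and the address, and parses the output of klist -k -t -e over the keytab. The klist output embedded below is constructed, not captured from a real system, and the function names and finding texts are the example's own; the list of weak enctypes reflects what MIT and Microsoft have deprecated.

```python
import ipaddress
import re

# Enctypes a keytab should no longer carry; RC4 (arcfour) is still issued by AD if left enabled.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed sample of `klist -k -t -e /etc/squid3/HTTP.keytab` output (not a real capture).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/02/2023 10:12:03 HTTP/proxy.domaine.tld@DOMAINE.TLD (aes256-cts-hmac-sha1-96)
   3 06/02/2023 10:12:03 HTTP/proxy.domaine.tld@DOMAINE.TLD (aes128-cts-hmac-sha1-96)
   3 06/02/2023 10:12:03 HTTP/proxy.domaine.tld@DOMAINE.TLD (arcfour-hmac)
"""

# kvno, date, time, principal, optional "(enctype)" as printed by MIT klist -k -t -e
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+?)(?:\s+\(([^)]+)\))?\s*$")


def parse_klist(output: str) -> list:
    """Turn klist output into dicts; header and separator lines do not match the pattern."""
    entries = []
    for line in output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append({"kvno": int(m.group(1)), "principal": m.group(2), "enctype": m.group(3)})
    return entries


def check_netbios_name(hostname: str) -> list:
    """NetBIOS computer names are at most 15 characters; longer names break the domain join."""
    short = hostname.split(".")[0]
    return [] if len(short) <= 15 else [f"hostname label '{short}' is {len(short)} characters; the NetBIOS limit is 15"]


def proxy_host(proxy_url: str) -> str:
    """Host part of http://host:port, without scheme, port or path."""
    return proxy_url.split("://")[-1].split("/")[0].rsplit(":", 1)[0]


def check_proxy_target(proxy_url: str) -> list:
    """Clients build HTTP/<name> from the name they connect to: it must be an FQDN, not an IP or short name."""
    host = proxy_host(proxy_url)
    try:
        ipaddress.ip_address(host)
        return [f"proxy is addressed by IP {host}: no SPN can be derived, Kerberos will not be attempted"]
    except ValueError:
        pass
    if "." not in host:
        return [f"proxy is addressed by short name '{host}': use the FQDN so the client requests HTTP/{host}.<domain>"]
    return []


def expected_spn(fqdn: str, realm: str) -> str:
    """Service principal the proxy must hold a key for; realm is always upper case."""
    return f"HTTP/{fqdn.lower()}@{realm.upper()}"


def check_keytab(klist_output: str, spn: str) -> list:
    """The keytab must contain the SPN (compared case-insensitively) and only strong enctypes."""
    entries = parse_klist(klist_output)
    mine = [e for e in entries if e["principal"].lower() == spn.lower()]
    findings = []
    if not mine:
        findings.append(f"keytab has no entry for {spn}; present: {sorted({e['principal'] for e in entries})}")
    for e in mine:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"keytab entry for {spn} uses deprecated enctype {e['enctype']}")
    return findings


def preflight(hostname: str, proxy_url: str, realm: str, klist_output: str) -> dict:
    """Run all checks; the keytab is only inspected once an SPN can actually be derived."""
    spn = expected_spn(proxy_host(proxy_url), realm)
    findings = check_netbios_name(hostname) + check_proxy_target(proxy_url)
    if not findings:
        findings += check_keytab(klist_output, spn)
    return {"spn": spn, "findings": findings}
```

On a real system, feed preflight() the output of klist -k -t -e /etc/squid3/HTTP.keytab, the hostname of the Olfeo machine and the exact proxy URL that is pushed to browsers. With the constructed sample above, the only finding is the arcfour-hmac entry; the same script pointed at http://192.0.2.10:3128 stops at the IP-address finding, since no SPN can be requested for an IP.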