KB N°2440: DIFFERENCES BETWEEN KERBEROS AND NTLM
NTLM uses a challenge-response mechanism. The client sends a request, the proxy asks it to authenticate, and the client resends the same request with its login credentials. Kerberos uses symmetric encryption to secure the dialogue between two parties.
Context
Differences between NTLM and Kerberos:
NTLM
NTLM is an authentication method used in proprietary Microsoft Active Directory networks.
NTLM uses a challenge-response mechanism. The client sends a request, the proxy asks it to authenticate, and the client resends the same request with its login credentials. On the wire this appears as two 407 responses (1. authentication error, 2. authentication request), followed by access to the resource.
Kerberos
Kerberos uses symmetric encryption to secure the dialogue between two parties. Exchanges rely on a shared secret key. The encryption algorithms themselves are public (AES, DES, 3DES, etc.); the security of the system rests on the confidentiality of the encryption key.
To make such a system manageable, Kerberos relies on a trusted third party that distributes keys to the subscribed users and services (principals). A Kerberos server is called a KDC (Key Distribution Center).
Kerberos is a secure service that guarantees confidentiality, data integrity and non-repudiation (unlike NTLM, all participants are identified, including the server). The authentication service uniquely identifies the client and issues it a session ticket, which the client then uses to request tickets for Kerberized services. A session ticket encrypted with the key of a Kerberized service constitutes a service ticket. A Kerberos service can therefore be divided into two functions:
- the authentication service
- the ticket-granting service
Kerberos was developed at MIT in the 1990s and is now widely deployed and available in every environment in use today (Linux, Windows, Mac OS, etc.).
Steps
To integrate with NTLM or Kerberos authentication, you must first join your Olfeo to the AD domain:
- Declare a directory in Settings > Authentication > Directory. Make sure you fill in the Domain section (Domain + Workgroup).
- Set the DNS server to the domain controller, or to a DNS server that correctly resolves the domain's records for the Olfeo machine.
- Set the NTP server to the domain controller, or to the same NTP server the domain controller uses (Kerberos rejects tickets when the clocks of the parties drift too far apart).
- Connect to the domain in Settings > Authentication > Join Windows domain.
Here, enter the login and password of an account with the right to add workstations to the domain (add_workstation).
If all has gone well, the status should show your AD server name (LDAP server name: serveur.domaine.tld).
Once the connection has been made, you can choose between NTLM or Kerberos authentication.
- NTLM can be used at two levels:
  - explicit proxy
  - NTLM captive portal
- Kerberos can be used with explicit proxy integration.
Validation
To check from the command line that NTLM or Kerberos is working correctly:
NTLM
Various related commands:
- #>wbinfo -t: checks that the machine account's trust with the domain is valid (correct domain join)
- #>wbinfo -u: lists the domain users
- #>wbinfo -g: lists the domain groups
- #>wbinfo --trusted-domains: lists the domains that have a trust relationship with the joined domain
- #>/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic, then type the "user password" pair on standard input: tests NTLM authentication in basic mode (login + password).
The helper's answers are simple:
- OK, when the login/password pair is valid.
- ERR, when the login/password pair is invalid.
The configuration files are:
- /etc/samba/smb.conf
- /etc/krb5.conf
Kerberos
Unlike NTLM mode, with Kerberos clients must address the proxy by its FQDN and not by its IP address, since the service ticket is issued for the HTTP/<fqdn> principal.
Check that the keytab file is present:
#>ls /etc/squid3/HTTP.keytab
Various related commands:
- #>wbinfo -t: checks that the machine account's trust with the domain is valid (correct domain join)
- #>wbinfo -u: lists the domain users
- #>wbinfo -g: lists the domain groups
- #>wbinfo --trusted-domains: lists the domains that have a trust relationship with the joined domain
- #>wbinfo -K user%password: tests Kerberos authentication manually for the given account (winbind requests a ticket from the KDC)
The configuration files are:
- /etc/samba/smb.conf
- /etc/krb5.conf
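The checks from the NTLM and Kerberos validation sections above, combined into one script as an added example (it is not Olfeo's own tooling). It assumes wbinfo and ntlm_auth are on PATH and reuses the /etc/squid3/HTTP.keytab path from the article; the test account, the PASS/FAIL output and the function names are this example's own.

```sh
#!/bin/sh
# Added example: scripted post-join validation for the proxy host.
# Assumes wbinfo and ntlm_auth are on PATH and the keytab path from the
# article; all three locations can be overridden via the environment.
WBINFO="${WBINFO:-wbinfo}"
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"
KEYTAB="${KEYTAB:-/etc/squid3/HTTP.keytab}"

# wbinfo -t exits 0 only when the machine account trust secret is valid.
check_domain_join() { "$WBINFO" -t >/dev/null 2>&1; }

# The squid-2.5-basic helper reads one "user password" line on stdin and
# answers OK or ERR. Feeding stdin keeps the password off the command
# line, so it does not show up in ps output or shell history.
check_ntlm_basic() {
    printf '%s %s\n' "$1" "$2" \
        | "$NTLM_AUTH" --helper-protocol=squid-2.5-basic 2>/dev/null \
        | grep -q '^OK'
}

# Kerberos cannot work unless the keytab exists and is readable by the
# account the proxy runs as.
check_keytab() { [ -r "$KEYTAB" ]; }

# wbinfo -K asks winbind for a ticket; exit 0 means the KDC accepted it.
check_krb5() { "$WBINFO" -K "$1%$2" >/dev/null 2>&1; }

# Run every check for one test account, print PASS/FAIL per check and
# return the number of failures (0 = integration healthy).
run_all() {
    user="$1"; pass="$2"; failed=0
    for name in domain_join ntlm_basic keytab krb5; do
        if "check_$name" "$user" "$pass"; then echo "PASS $name"
        else echo "FAIL $name"; failed=$((failed + 1)); fi
    done
    return "$failed"
}

# Usage: ./check_auth.sh testuser 'password'
if [ $# -eq 2 ]; then run_all "$1" "$2"; fi
```

A non-zero exit status means at least one check failed, so the script can be run from cron or a monitoring job after every domain re-join.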