
Authentication & Authorization Services

AD DS NetID authN Domain

Supported Authentication Mechanisms

Kerberos

Kerberos was introduced with Windows 2000 and is Microsoft's preferred authentication mechanism. Windows 2000, XP, Server 2003, Vista, Server 2008, 7 and Server 2008 R2 use Kerberos by default when authenticating to Active Directory Domain Services and to other domain members. These clients fall back to NTLM only when a Kerberos ticket cannot be obtained, for example when a service is addressed by IP address instead of by a name with a registered service principal name, so NTLM settings still matter even on Kerberos-capable systems.

NTLMv2

NTLMv2 was first released with Windows NT 4.0 SP4. It replaces the DES-based NTLMv1 response with an HMAC-MD5 response that also covers the user name, domain name and a client-supplied challenge, which is why it is accepted where NTLMv1 is not.

Computers running Windows 3.11, Windows 95, Windows 98 or Windows NT 4.0 SP3 or earlier do not support NTLMv2 out of the box. Windows 95 and 98 can be enabled for NTLMv2 by installing the Directory Services Client (DSClient, distributed as the "Active Directory Client Extensions") and then setting the client to send NTLMv2 responses as described in the Microsoft documentation for that client. Windows NT 4.0 gains NTLMv2 by upgrading to Service Pack 4 or later. Windows 3.11 has no such update and cannot authenticate to this domain.


Authentication Mechanisms that are Not Supported

NTLMv1

NTLMv1 relies on DES in a weak construction: the 16-byte NT hash is padded with five zero bytes and split into three 7-byte DES keys, each of which encrypts the server's 8-byte challenge independently. The third key therefore contains only two unknown bytes of the hash, nothing ties the response to the user, domain or client, and a captured challenge/response pair can be cracked offline or relayed. The NetID authentication domain will not accept authentication requests sent via the NTLMv1 protocol. Because they depend on this very old mechanism, some systems cannot use the NetID authentication domain. Impacted systems are:

  • Inbound authentication from Windows 95 or Windows 98 clients that do not have the Directory Services Client installed.
  • RRAS servers running versions of Windows prior to Windows Server 2003 Service Pack 1.
  • Any RAS server that needs to process MS-CHAPv1.
  • Clustered computers running versions of Windows prior to Windows Server 2003 Service Pack 1. Clusters use RPC over UDP, and RPC over UDP cannot use NTLMv2 by default. This was resolved in Service Pack 1.
  • Some third-party hardware devices that have an SMB server built in may not be able to authenticate.
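To tell, before pointing a host at the NetID domain, whether it will send NTLMv2 (the supported mechanism above) and which systems on your network still arrive via NTLMv1 (the unsupported one), the following PowerShell is an added example and not part of this page or of any Microsoft tooling. It assumes an elevated session on a Windows host with a Security log. The registry path, value names and the meaning of each LmCompatibilityLevel value are the documented ones behind the Group Policy setting "Network security: LAN Manager authentication level"; the assumption that an absent value on a pre-Vista system means level 0 is a conservative choice of this example, not a Microsoft statement.

```powershell
# Added example, not from the original page: audit (and optionally enforce) the
# LAN Manager authentication level, then list logons that still used NTLMv1.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Client behaviour / domain-controller behaviour for each LmCompatibilityLevel.
$LevelMeaning = @{
    0 = 'Send LM & NTLMv1; never NTLMv2'
    1 = 'Send LM & NTLMv1; use NTLMv2 session security if negotiated'
    2 = 'Send NTLMv1 only'
    3 = 'Send NTLMv2 only'
    4 = 'Send NTLMv2 only; DC refuses LM'
    5 = 'Send NTLMv2 only; DC refuses LM and NTLMv1'
}

function Get-LmCompatibilityLevel {
    # An absent value means the OS default: NTLMv2-only (3) on Vista/Server 2008
    # and later. For older systems this example assumes 0 (worst case).
    $prop = Get-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        if ([Environment]::OSVersion.Version.Major -ge 6) { return 3 } else { return 0 }
    }
    return [int]$prop.LmCompatibilityLevel
}

function Test-NetIdReady {
    # Levels 0..2 still emit NTLMv1 responses, which the NetID domain rejects.
    $level = Get-LmCompatibilityLevel
    [pscustomobject]@{
        Level   = $level
        Meaning = $LevelMeaning[$level]
        Ready   = ($level -ge 3)
    }
}

function Set-NtlmV2Only {
    # Level 5: send NTLMv2 only; if this host is a DC, refuse LM and NTLMv1.
    # Also require NTLMv2 session security with 128-bit encryption (0x20080000)
    # for the NTLM SSP as client and as server. Requires administrator rights.
    Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value 5 -Type DWord
    Set-ItemProperty -Path "$LsaKey\MSV1_0" -Name NtlmMinClientSec -Value 0x20080000 -Type DWord
    Set-ItemProperty -Path "$LsaKey\MSV1_0" -Name NtlmMinServerSec -Value 0x20080000 -Type DWord
}

function Get-NtlmV1Logons {
    param([int]$MaxEvents = 5000)
    # Successful logon events (ID 4624) record the NTLM version in LmPackageName.
    # Every entry reporting 'NTLM V1' is a client or device the NetID domain will reject.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LmPackageName'] -eq 'NTLM V1') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                    Workstation = $d['WorkstationName']
                    SourceIp    = $d['IpAddress']
                }
            }
        }
}

# Usage: run on each host (and especially on file servers) before the cutover.
Test-NetIdReady | Format-List
Get-NtlmV1Logons | Sort-Object Time -Descending | Format-Table -AutoSize
# Set-NtlmV2Only   # run on hosts that reported Ready = False
```

Run Get-NtlmV1Logons on the servers that the impacted systems listed above talk to: a Windows 98 client without the Directory Services Client, or an appliance with a built-in SMB implementation, shows up there by workstation name and source address before it fails against the NetID domain. Raising LmCompatibilityLevel through Group Policy rather than per host is the usual way to apply the setting fleet-wide.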
