Mapping drive - XP to DC secured folder - What Authentication used?

By ltek.llc
1) Using NET USE or WSHNetwork.MapNetworkDrive (vbscript / wscript)
2) XP Pro (SP2) in a workgroup, not in a domain.
3) Mapping drive to a secured folder within Netlogon share on a DC, in a domain

When we pass name/pw creds, does it use Kerberos or NTLM (V1 or V2)?

If not Kerberos, is there a way to force it to use Kerberos?

thx!

RE: Mapping drive - XP to DC secured folder - What Authentication used?

by Jacky Howe In reply to Mapping drive - XP to DC ...

Have a look here; it explains how to use Kerberos.

http://searchwinit.techtarget.com/tip/0,289483,sid1_gci1251636,00.html

I appreciate the post but I don't see where this answers the questions...

by ltek.llc In reply to RE: Mapping drive - XP to ...

1) By default, is NTLM used between a non-domain client and a DC when mapping a share (located on the DC) using domain user credentials?

2) Is it possible to use Kerberos instead of NTLM?

RE: I appreciate the post but I don't see where this answers the questions

by Jacky Howe In reply to I appreciate the post but ...

1. Kerberos is a protocol that, prior to Windows 2000 Server, Windows NT admins could ignore. At that time, Microsoft used NTLM for authentication, which was fine for the Windows world -- but nowhere else.

Kerberos = Default

2. Your application should not access the NTLM security package directly; instead, it should use the Negotiate security package. Negotiate allows your application to take advantage of more advanced security protocols if they are supported by the systems involved in the authentication. Currently, the Negotiate security package selects between Kerberos and NTLM. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication.
Reference.
http://msdn2.microsoft.com/en-us/library/aa378749.aspx

I don't believe Kerberos is Default with non-Domain clients

by ltek.llc In reply to RE: I appreciate the post ...

I've been doing a lot more research and from several other sources, posts, articles, etc... it seems that NTLM is used by default if the client is not a member of the domain.

Is there a Windows security expert that can chime in?

RE: I don't believe Kerberos is Default with non-Domain clients

by Jacky Howe In reply to I don't beleive Kerberos ...

Defaulting to Kerberos

NT LAN Manager is the authentication protocol used in Windows NT and in Windows 2000 work group environments. It is also employed in mixed Windows 2000 Active Directory domain environments that must authenticate Windows NT systems. At the stage Windows 2000 is converted to native mode where no down-level Windows NT domain controllers exist, NT LAN Manager is disabled. Kerberos then becomes the default authentication technology for the enterprise.
Microsoft introduced Kerberos as the new default authentication protocol for enterprise environments in Windows 2000. Every Windows 2000, Windows XP and Windows Server 2003 OS platform includes a client Kerberos authentication provider. Neither Windows 2000 nor Windows Server 2003 includes Kerberos support for other legacy Microsoft platforms. Your NT4, Windows 95 or 98 clients will not be able to authenticate using Kerberos -- you'll need to upgrade these workstations to either Windows 2000 Professional or Windows XP. In the early days of Windows 2000, Microsoft promised to include Kerberos support for Windows 95 and 98 in the "Directory Services Client" (dsclient.exe), an add-on for Windows 95 and 98 that can be found on the Windows 2000 Server CD.

Reference:
http://searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1009597,00.html
Reference:
http://technet.microsoft.com/en-us/library/bb742516.aspx
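
The question of which protocol Negotiate actually picked, and whether an NTLM response is V1 or V2, can be checked against a packet capture of the drive mapping. The following is an added example, not part of any post above: a Python classifier for the security blob carried in the SMB session-setup request. Function names and sample bytes are constructed for illustration, and the Kerberos check is a byte-pattern heuristic rather than a full ASN.1 parse.

```python
import struct

NTLM_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs: Kerberos 5 (RFC 4121) and the Microsoft legacy variant.
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),
             bytes.fromhex("06092a864882f712010202"))
AP_REQ_TOK_ID = b"\x01\x00"  # token ID that follows the OID in a Kerberos AP-REQ

def classify_ntlm(msg: bytes) -> str:
    """Classify an NTLMSSP message that starts at its signature."""
    if len(msg) < 12:
        return "NTLM (truncated)"
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type in (1, 2):
        return "NTLM NEGOTIATE" if msg_type == 1 else "NTLM CHALLENGE"
    if msg_type != 3 or len(msg) < 28:
        return "NTLM (malformed)"
    # AUTHENTICATE: NtChallengeResponse length is the 16-bit field at offset 20.
    (nt_len,) = struct.unpack_from("<H", msg, 20)
    if nt_len == 24:
        return "NTLMv1-family AUTHENTICATE"  # includes NTLM2 session security
    return "NTLMv2 AUTHENTICATE" if nt_len > 24 else "NTLM AUTHENTICATE without NT response"

def classify_auth_blob(blob: bytes) -> str:
    """Name the mechanism actually used in a raw or SPNEGO-wrapped security blob."""
    pos = blob.find(NTLM_SIG)
    if pos >= 0:
        return classify_ntlm(blob[pos:])
    # An OID alone only advertises support; OID + AP-REQ token ID means a ticket was sent.
    if any(oid + AP_REQ_TOK_ID in blob for oid in KRB5_OIDS):
        return "Kerberos AP-REQ"
    return "unknown"

def ntlm_authenticate_sample(nt_len: int) -> bytes:
    """Constructed AUTHENTICATE message: empty LM field, zero-filled NT response."""
    header = struct.pack("<IHHIHHI", 3, 0, 0, 64, nt_len, nt_len, 64)
    return NTLM_SIG + header + b"\x00" * (36 + nt_len)

# Constructed fragments, not complete tokens from a real capture.
SAMPLES = {
    "ntlmv1": ntlm_authenticate_sample(24),
    "ntlmv2": ntlm_authenticate_sample(16 + 48),
    "kerberos": KRB5_OIDS[1] + KRB5_OIDS[0] + b"\xa2\x10" + KRB5_OIDS[0] + AP_REQ_TOK_ID + b"\x6e\x00",
    "advertised only": KRB5_OIDS[1] + KRB5_OIDS[0],
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_auth_blob(blob)}")
```

Feed it the security blob bytes exported from the session-setup request in a capture taken while running NET USE from the workgroup client.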
