NTLM vs Kerberos in SharePoint – Decision making

Using Kerberos for SharePoint Authentication:

Although SharePoint offers multiple authentication options and authentication zones, the two most common choices for enterprise intranet deployments are NTLM and Kerberos. Both are used through Integrated Windows authentication, but they work differently. NTLM is a classic challenge/response scheme: IIS sends the client a challenge, the client returns a response computed from that challenge and a hash of the user's password, and a domain controller validates the response. The password itself is never transmitted, but every new connection to a network resource triggers a fresh challenge/response round trip to a domain controller. Kerberos, on the other hand, relies on a ticketing system: client and server both trust a Key Distribution Center (KDC), which authenticates the client once at logon and then issues tickets that the client presents to network services. The client does not re-enter or re-prove its credentials for each resource; it obtains a service ticket from the KDC using the ticket it already holds, and the target service validates that ticket locally. Kerberos also authenticates the server to the client (mutual authentication), which NTLM does not.

NTLM Authentication: Challenge-Response mechanism:

In the NTLM protocol, the client sends the user name to the server; the server generates a random challenge and sends it to the client; the client computes a response from that challenge using a hash of the user's password (the password itself never crosses the wire); and the client sends the response to the server. If the account is a local user account, the server validates the response against the password hash stored in its Security Account Manager (SAM) database; if it is a domain account, the server forwards the challenge and response to a domain controller, which validates them and returns the user's group membership. The server then constructs an access token and establishes a session for the user. Because the response only proves knowledge of the password hash and is bound to the challenge rather than to the server the client intended to reach, an attacker who can intercept the exchange can relay it to another service; this relay weakness, together with the per-connection round trip to the domain controller, is the main reason Kerberos is preferred wherever it can be made to work.
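As an added illustration of the challenge/response step above (example code written for this page, not SharePoint or Windows code), the following Python works the NTLMv2 computation from MS-NLMP on both sides: the client derives a response from the server's challenge and its NT hash, and the server, holding only the stored hash, recomputes and compares it. The account name, domain and passwords are constructed sample values, and the client blob carries an empty target-info list that a real client would populate.

```python
"""
NTLMv2 challenge/response, both sides, in stdlib Python (added example).
MD4 is implemented inline because modern OpenSSL builds often omit it,
which makes hashlib.new("md4") unreliable. Field layout follows MS-NLMP
with a minimal client blob (empty AV_PAIR list); real clients add the
server's name, domain and channel-binding pairs to that list.
"""
import hashlib
import hmac
import os
import struct
import time

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """RFC 1320 MD4; only needed here to derive the NT hash."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rot((a + f(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE password): what the SAM / domain controller stores."""
    return md4(password.encode("utf-16le"))


def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def client_response(password: str, user: str, domain: str, server_challenge: bytes,
                    client_nonce: bytes, filetime: int) -> bytes:
    """Client side: prove knowledge of the password hash without sending it."""
    temp = (struct.pack("<BBHI", 1, 1, 0, 0)   # RespType, HiRespType, Reserved1, Reserved2
            + struct.pack("<Q", filetime)        # timestamp (Windows FILETIME)
            + client_nonce                       # 8-byte ChallengeFromClient
            + b"\x00" * 4                        # Reserved3
            + struct.pack("<HH", 0, 0)           # AV_PAIR list: MsvAvEOL only
            + b"\x00" * 4)                       # trailing Reserved
    key = ntlmv2_key(nt_hash(password), user, domain)
    nt_proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return nt_proof + temp                       # NtChallengeResponse = NTProofStr || temp


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """Server / DC side: recompute NTProofStr from the stored hash; the password is never needed."""
    nt_proof, temp = response[:16], response[16:]
    key = ntlmv2_key(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(nt_proof, expected)


def exchange(password: str, user: str, domain: str, stored_nt_hash: bytes) -> bool:
    """One full round trip: CHALLENGE from the server, AUTHENTICATE from the client, validation."""
    server_challenge = os.urandom(8)                   # payload of the Type 2 (CHALLENGE) message
    filetime = int((time.time() + 11644473600) * 10_000_000)
    response = client_response(password, user, domain, server_challenge, os.urandom(8), filetime)
    return server_verify(stored_nt_hash, user, domain, server_challenge, response)


if __name__ == "__main__":
    stored = nt_hash("Passw0rd!")                      # constructed sample account
    print("correct password accepted:", exchange("Passw0rd!", "alice", "CORP", stored))
    print("wrong password accepted:  ", exchange("letmein", "alice", "CORP", stored))
```

Running it shows the correct password accepted and a wrong one rejected although neither the password nor the NT hash appears on the wire; only the challenge and the response do. Note what server_verify does not check: in this minimal form nothing in the response names the server the client meant to talk to. Real clients put the target's identity into the AV_PAIR list and, with Extended Protection, a channel binding to the TLS session, and those fields are the only thing standing between NTLM and relay attacks.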

Kerberos authentication: Trusted-Third-Party Scheme:

Kerberos provides mutual authentication between a client and a server on an open network. The three "heads" of Kerberos are the Key Distribution Center (KDC), the client (the user) and the server hosting the service to be accessed. The KDC runs on every domain controller and performs two functions: the Authentication Service (AS) and the Ticket-Granting Service (TGS). When the user logs on to the network, the client requests a Ticket-Granting Ticket (TGT) from the AS in the user's domain. When the client later wants to access a network resource, it presents the TGT, an authenticator and the Service Principal Name (SPN) of the target server to the TGS in the service account's domain and receives a service ticket for that SPN; it then presents the service ticket and a fresh authenticator to the target server. Once the target server has decrypted the ticket with its own long-term key and validated the authenticator, it creates an access token for the user, with no call back to the KDC. Two practical consequences follow: if no SPN is registered for the service account, the TGS cannot issue a ticket and a client using Negotiate silently falls back to NTLM; and if the same SPN is registered on more than one account, Kerberos fails outright. Missing or duplicate SPNs are the most common reason a SharePoint site configured for Kerberos is actually authenticating with NTLM.

When to use Kerberos?

Kerberos is required if you are going to use features such as SQL Server Reporting Services, Outlook Web Access, PerformancePoint and similar integrations where the user's request to SharePoint has to be forwarded to a subsequent system under the user's own identity, a process known as "the double hop". With NTLM the SharePoint server holds only the user's challenge response, which it cannot reuse to authenticate to SQL Server, Reporting Services or Exchange, so the second hop arrives as the application pool account or as anonymous. With Kerberos the first hop can be configured for delegation, so that the web front end obtains a service ticket for the back end on the user's behalf. This requires SPNs for the SharePoint application pool account and for the back-end service account, and delegation settings on the application pool account in Active Directory; prefer constrained delegation to specific back-end SPNs over unconstrained delegation, which lets the web server impersonate the user to any service in the domain.
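The ticket flow described above and the double-hop problem, as one added example written for this page (not SharePoint, Windows or MIT Kerberos code): a toy KDC with an AS and a TGS, a client, and a service standing in for the SharePoint web application. The enc/dec pair is a stand-in for the real Kerberos enctypes, the principal names (alice, HTTP/sharepoint, MSSQLSvc/sql) and passwords are constructed, and the message layouts keep only the fields needed to show who can open what.

```python
"""
Toy three-party Kerberos exchange (AS, TGS, service) in stdlib Python (added example).
enc()/dec() is an HMAC-SHA256 keystream-plus-tag construction standing in for the
real enctypes (AES-CTS with HMAC-SHA1, RFC 3962); messages carry only the fields
needed to show which party can open which ticket.
"""
import hashlib, hmac, json, os

SKEW = 300              # allowed clock skew for authenticators, seconds
LIFETIME = 10 * 3600    # ticket lifetime, seconds


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def enc(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON structure; stands in for a Kerberos EncryptedData."""
    data, iv = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, iv, len(data))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def dec(key: bytes, blob: bytes) -> dict:
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))


def _check(ticket: dict, auth: dict, now: int) -> None:
    """Ticket/authenticator checks shared by the TGS and by the service."""
    if auth["cname"] != ticket["cname"] or now > ticket["exp"] or abs(now - auth["ts"]) > SKEW:
        raise ValueError("ticket or authenticator rejected")


class KDC:
    """Authentication Service and Ticket-Granting Service, as hosted on a domain controller."""
    def __init__(self, long_term_keys: dict):
        self.keys = long_term_keys      # principal name -> key, for users and service accounts
        self.krbtgt = os.urandom(32)    # seals TGTs; never leaves the KDC

    def as_exchange(self, user: str, now: int) -> bytes:
        sk = os.urandom(32)             # TGT session key
        tgt = enc(self.krbtgt, {"cname": user, "key": sk.hex(), "exp": now + LIFETIME})
        return enc(self.keys[user], {"key": sk.hex(), "tgt": tgt.hex()})       # AS-REP

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str, now: int) -> bytes:
        t = dec(self.krbtgt, tgt)       # anything that is not a genuine TGT fails here
        sk = bytes.fromhex(t["key"])
        _check(t, dec(sk, authenticator), now)
        svc_key = os.urandom(32)        # service session key
        ticket = enc(self.keys[spn], {"cname": t["cname"], "key": svc_key.hex(), "exp": now + LIFETIME})
        return enc(sk, {"key": svc_key.hex(), "ticket": ticket.hex()})         # TGS-REP


class Client:
    def __init__(self, name: str, password: str):
        self.name = name
        self.key = hashlib.sha256(password.encode()).digest()   # stand-in for string-to-key

    def logon(self, kdc: KDC, now: int) -> None:
        rep = dec(self.key, kdc.as_exchange(self.name, now))    # wrong password: cannot open AS-REP
        self.tgt, self.tgt_key = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["key"])

    def get_ticket(self, kdc: KDC, spn: str, now: int) -> tuple:
        auth = enc(self.tgt_key, {"cname": self.name, "ts": now})
        rep = dec(self.tgt_key, kdc.tgs_exchange(self.tgt, auth, spn, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])

    def ap_req(self, ticket: bytes, key: bytes, now: int) -> tuple:
        return ticket, enc(key, {"cname": self.name, "ts": now})


class Service:
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()   # long-term key plus a replay cache

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> tuple:
        t = dec(self.key, ticket)          # validated locally: no round trip to the KDC
        sk = bytes.fromhex(t["key"])
        auth = dec(sk, authenticator)
        _check(t, auth, now)
        if (auth["cname"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["cname"], auth["ts"]))
        return t["cname"], enc(sk, {"ts": auth["ts"]})   # AP-REP: mutual authentication


def _rejected(fn) -> bool:
    try:
        fn()
        return False
    except ValueError:
        return True


def run_demo(now: int = 1_700_000_000) -> dict:
    """Constructed domain: one user, a SharePoint web app and a SQL Server back end."""
    keys = {"alice": hashlib.sha256(b"Passw0rd!").digest(),
            "HTTP/sharepoint": os.urandom(32), "MSSQLSvc/sql": os.urandom(32)}
    kdc, sharepoint = KDC(keys), Service(keys["HTTP/sharepoint"])
    alice = Client("alice", "Passw0rd!")
    alice.logon(kdc, now)
    ticket, key = alice.get_ticket(kdc, "HTTP/sharepoint", now)
    user, ap_rep = sharepoint.accept(*alice.ap_req(ticket, key, now), now)
    return {
        "user": user,
        "mutual_auth": dec(key, ap_rep)["ts"] == now,
        "replay_rejected": _rejected(lambda: sharepoint.accept(*alice.ap_req(ticket, key, now), now)),
        "wrong_password_rejected": _rejected(lambda: Client("alice", "wrong").logon(kdc, now)),
        # second hop: SharePoint holds only a ticket for itself, which the TGS will not accept as a TGT
        "double_hop_blocked": _rejected(lambda: kdc.tgs_exchange(
            ticket, enc(key, {"cname": user, "ts": now}), "MSSQLSvc/sql", now)),
    }
```

run_demo() exercises the properties the text relies on: the service validates the ticket with its own key and never calls the KDC, the AP-REP gives the client mutual authentication, a replayed authenticator is rejected, and a service holding only the ticket issued to it cannot obtain a ticket for MSSQLSvc/sql as the user, which is exactly the double hop. In Active Directory that second hop is enabled by marking the application pool account for delegation, so that the KDC issues forwardable tickets on the user's behalf and the web front end can request a back-end ticket with them.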