The subject of Kerberos authentication is large—entire books have
been written about it—but here's a quick explanation of why Kerberos
works better than NT LAN Manager (NTLM). When you configure the user
account and the server to be trusted for delegation and you use
Kerberos, any server component that the user invokes enjoys full network
access (which is called delegation). If the client is logged on
to a domain, the browser never prompts the user for credentials; it
simply uses the user's default logon credentials.
If your domain doesn't use Active Directory (AD) or if the user's browser doesn't support Kerberos, Integrated Windows authentication falls back to NTLM authentication (which was available in IIS 4.0). With NTLM authentication, however, server components have only limited network access.
When you specify Integrated Windows authentication on the Administration Web Site, determining whether the connection was authenticated with Kerberos or NTLM is difficult. The Microsoft article "Determining the Authentication Method with Internet Information Services 5.0" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q241835) provides information to help you determine the method in IIS 5.0.
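One common heuristic for telling the two apart from the request itself, shown here as an added example that is not from the original post or the Microsoft article: decode the token in the client's `Authorization` header and check whether it carries an NTLMSSP message or a Kerberos AP-REQ. The function names and sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature that opens every NTLM message
# DER-encoded Kerberos 5 mechanism OID (1.2.840.113554.1.2.2) followed by the
# GSS-API token id 0x0100, which marks a Kerberos AP-REQ inside the token.
KRB5_AP_REQ = bytes.fromhex("06092a864886f712010202") + b"\x01\x00"

def classify_authorization(header_value):
    """Classify an HTTP Authorization header value as 'kerberos', 'ntlm' or 'unknown'."""
    parts = header_value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"  # raw NTLM message, sent under either scheme
    if token[:1] == b"\x60":  # GSS-API / SPNEGO initial token
        if NTLMSSP_SIG in token:
            return "ntlm"  # NTLM carried inside an SPNEGO wrapper
        if KRB5_AP_REQ in token:
            return "kerberos"
    return "unknown"

def sample_headers():
    """Constructed samples: token skeletons only, not real credentials or tickets."""
    ntlm_type1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2"
    krb_like = b"\x60\x12" + KRB5_AP_REQ + b"\x6e\x03\x00\x00\x00"
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return {
        "raw_ntlm": "Negotiate " + enc(ntlm_type1),
        "kerberos": "Negotiate " + enc(krb_like),
        "basic": "Basic dXNlcjpwYXNz",
    }

if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, "->", classify_authorization(value))
```

Only the first token of the exchange is classified; later SPNEGO response tokens do not start with the `0x60` tag and return `unknown`.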