Kerberos vs. NTLM authentication
-
Wednesday, December 19, 2007 4:24 PM
What are the pros and cons of Kerberos vs. NTLM authentication when creating new site collections?
All the best
Answers
-
Thursday, December 20, 2007 12:56 AM
Overall you will experience faster performance when using Kerberos. You are eliminating double hops. You can also, with MOSS 2007, utilize RSS feeds "within your SharePoint environment". If you're planning on utilizing BDC, some LOB Applications will require Kerberos authentication.
Cons - Think through your SPNs carefully and PLAN PLAN PLAN your implementation. DO NOT RUSH IN. You will end up pulling your hair out or calling Microsoft Support, usually due to something stupid like a misconfigured SPN or a duplicate SPN.
Other Cons - Difficult to troubleshoot. Generally I look for 540 entries in my Security log to see the method of authentication being used. I will also, as stated earlier, throw an RSS Web Part onto a page and capture one of my document libraries that I'm a member of. Generally I will do this on MySite.
Another common thing I see is a constant authentication prompt that just won't go away. This is usually a sign of problems in a Kerberos environment.
My advice: if you're going to go this route and utilize Kerberos and run into issues, push through those issues. You made the decision, so fight through the problem. It's worth it in the end. Trust me on this.
Although there isn't a wealth of information generated by Microsoft on Kerberos and SharePoint, there are a few blogs that will point you in some right directions.
Search for myself, Spence Harbar and Martin Kearns to obtain information from our blog posts.
Good luck
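An added example, not part of the original answer: a Python sketch of the Event ID 540 check the answer describes, tallying which accounts logged on with Kerberos and which with NTLM. The event text is constructed sample data modelled on the Windows Server 2003 "Successful Network Logon" description; the CONTOSO domain, the user names and the function names are assumptions.

```python
import re
from collections import defaultdict

# "Key: value" lines of an Event ID 540 description. [ \t]* (not \s*) keeps an
# empty value from swallowing the following line.
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def _sample(user, process, package, workstation=""):
    """Build one CONSTRUCTED Event ID 540 description (not real log data)."""
    return ("Successful Network Logon:\n"
            f"\tUser Name:\t{user}\n\tDomain:\t\tCONTOSO\n"
            "\tLogon ID:\t\t(0x0,0x1A2B3C)\n\tLogon Type:\t3\n"
            f"\tLogon Process:\t{process}\n"
            f"\tAuthentication Package:\t{package}\n"
            f"\tWorkstation Name:\t{workstation}\n")

SAMPLE_EVENTS = [
    _sample("jsmith", "Kerberos", "Kerberos"),
    _sample("adavis", "NtLmSsp", "NTLM", "WS042"),
    _sample("jsmith", "NtLmSsp", "NTLM", "WS017"),
    _sample("mlee", "Kerberos", "Kerberos"),
]

def parse_event(text):
    """Return the description's fields as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD.findall(text)}

def accounts_by_package(events):
    """Map each authentication package to the accounts that logged on with it."""
    seen = defaultdict(set)
    for text in events:
        f = parse_event(text)
        package = f.get("Authentication Package", "").upper() or "UNKNOWN"
        domain, user = f.get("Domain", "?"), f.get("User Name", "?")
        seen[package].add(f"{domain}\\{user}")
    return {package: sorted(accts) for package, accts in seen.items()}

def mixed_accounts(events):
    """Accounts seen with both Kerberos and NTLM: where to start looking when
    Kerberos is expected everywhere (for example, an SPN problem on one host)."""
    by_pkg = accounts_by_package(events)
    return sorted(set(by_pkg.get("KERBEROS", [])) & set(by_pkg.get("NTLM", [])))

if __name__ == "__main__":
    for package, accounts in accounts_by_package(SAMPLE_EVENTS).items():
        print(f"{package}: {', '.join(accounts)}")
    print("Kerberos and NTLM both seen:", mixed_accounts(SAMPLE_EVENTS))
```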
All Replies
-
Wednesday, December 19, 2007 5:23 PM
Can't use RSS with NTLM.
-
Wednesday, December 19, 2007 5:36 PM
RSS works fine for us with NTLM authentication. Depends on your method of access for the RSS feed I assume. Accessing SharePoint RSS from Outlook/IE works perfectly.
-
Wednesday, December 19, 2007 5:40 PM
The biggest things we need to watch out for using NTLM are the Excel Services and SQL Reporting Services Integration settings.
-
Wednesday, December 19, 2007 5:54 PM
Hmm... I've read a bunch of things last week which stated RSS wouldn't work in NTLM authentication...
-
Wednesday, December 19, 2007 6:08 PM
Are you currently using SPS2003 or MOSS for your NTLM authentication?
Are you using built-in RSS or a 3rd party?
-
Thursday, December 20, 2007 12:44 AM
Yes, that's fine, but what is desired is the ability to pull RSS content from one site to another within your SharePoint Environment. Without Kerberos Authentication this is not possible.
-
Tuesday, February 12, 2008 5:34 PM
Just wanted to clarify something here:
"If you're planning on utilizing BDC, some LOB Applications will require Kerberos authentication."
That's not true.
I am running BDC successfully in an NTLM environment...using Single Sign-On.
-
Tuesday, February 12, 2008 11:31 PM
Good for you but please note in my statement that "Some" LOB Applications will require Kerberos Authentication. Sorry but this is a true statement.
-
Tuesday, March 24, 2009 12:15 PM
To NETDEV: Can you point me to a post which confirms RSS with NTLM in MOSS 2007? I haven't come across any after searching a lot, but maybe I'm missing something?
-
Friday, September 18, 2009 7:45 AM
Hi,
It is a pleasure to get your help.
When I open the Office SharePoint Search function in Central Administration v3, I can't open the settings page, searchserviceinstancesettings.aspx.
After that, I used the stsadm command to start the search function from the console.
But in the Event Viewer:
Microsoft.Office.Server.Search.Administration.SearchServiceInstance
HTTP 401 Unauthorized
Why?
Thank you for your reply!!
-
Tuesday, July 13, 2010 9:13 AM
What about Excel Services reading from Analysis Services? Only Kerberos works?
Thanks
Gabriel

