How come the infrastructure tunnel uses NTLMv2 while the intranet tunnel uses Kerberos?

Answers

  • Hi RossJG,

    My take on this is: it was designed in this way because NTLMv2 is challenge/response, which allows the authentication process to take place over the Internet. Conversely, Kerberos is not firewall friendly, and the client, needing to be able to see the Kerberos Authentication Server to obtain a service ticket, cannot reach the domain controller over the Internet. Only when the infrastructure tunnel has been established can Kerberos then be used for service communication (in the intranet tunnel).

    Regards,

    Mylo

    • Marked as answer by RossJG Wednesday, April 13, 2011 12:19 PM
    Wednesday, April 13, 2011 7:28 AM
  • As Mylo said really... you require access to a domain controller (KDC) in order to obtain a Kerberos ticket. Consequently, the infrastructure tunnel needs to use NTLMv2 to gain access to the domain controller first; once you have infrastructure access you can then obtain a Kerberos ticket for authentication to the intranet tunnel.

    "The infrastructure tunnel uses Computer certificate credentials for the first authentication, and User (NTLMv2) for the second authentication. User (NTLMv2) credentials are used to force the use of Authenticated Internet Protocol (AuthIP), and because the DirectAccess client needs Domain Name System (DNS) and domain controller access before it can use Kerberos credentials for the intranet tunnel."

    Source: http://technet.microsoft.com/en-us/library/gg502554.aspx

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk



    • Marked as answer by RossJG Wednesday, April 13, 2011 12:18 PM
    Wednesday, April 13, 2011 12:04 PM
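A small defender-side check for the pairing JJ and the TechNet quote describe, added here as an example; it is not code from this thread or from Microsoft's documentation. It parses a constructed, netsh-style main-mode SA listing (the "Main Mode SA" header, the "Auth1:"/"Auth2:" field layout and the addresses are assumptions; ComputerCert, UserNTLM and UserKerb are the netsh advfirewall authentication method keywords), classifies each SA as infrastructure tunnel (computer certificate then NTLMv2) or intranet tunnel (computer certificate then Kerberos), and flags any pair the documented DirectAccess policy does not negotiate.

```python
"""Audit DirectAccess IPsec main-mode SAs against the expected auth pairing.

Added example for this thread, not code from the forum or from Microsoft.
Assumptions: the listing layout ("Main Mode SA" headers, "Auth1:"/"Auth2:"
fields) is loosely modelled on netsh advfirewall monitor output and the
sample text is constructed; the method keywords are netsh advfirewall's.
"""
import re

# Documented pairing (from the TechNet quote in the thread):
#   infrastructure tunnel: computer certificate, then user NTLMv2 (computer account)
#   intranet tunnel:       computer certificate, then user Kerberos
EXPECTED_AUTH = {
    ("ComputerCert", "UserNTLM"): "infrastructure",
    ("ComputerCert", "UserKerb"): "intranet",
}

# Constructed sample listing (assumed layout, constructed addresses).
SAMPLE_MMSA = """\
Main Mode SA at 04/13/2011 07:28:05
Local IP Address:  2002:836b:2:1:0:5efe:10.0.0.21
Remote IP Address: 2002:836b:2::836b:2
Auth1: ComputerCert
Auth2: UserNTLM

Main Mode SA at 04/13/2011 07:28:09
Local IP Address:  2002:836b:2:1:0:5efe:10.0.0.21
Remote IP Address: 2002:836b:2::836b:2
Auth1: ComputerCert
Auth2: UserKerb

Main Mode SA at 04/13/2011 07:30:41
Local IP Address:  2002:836b:2:1:0:5efe:10.0.0.22
Remote IP Address: 2002:836b:2::836b:2
Auth1: ComputerCert
Auth2: Anonymous
"""

# "Field name: value"; the name stops at the first colon so IPv6 values survive.
_FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(.+?)\s*$")


def parse_mmsa(text):
    """Split the listing into one dict per SA, keyed by field name."""
    sas, current = [], None
    for line in text.splitlines():
        if line.startswith("Main Mode SA"):
            current = {"Header": line.strip()}
            sas.append(current)
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return sas


def classify(sa):
    """Name the tunnel an SA belongs to, or 'unexpected' if the pair is undocumented."""
    pair = (sa.get("Auth1"), sa.get("Auth2"))
    return EXPECTED_AUTH.get(pair, "unexpected")


def audit(text):
    """Per client address, report which tunnels are up and list findings.

    An undocumented auth pair is reported because the DirectAccess policy
    never negotiates it; an intranet SA without an infrastructure SA is
    reported because, as the thread explains, Kerberos for the intranet
    tunnel depends on the DNS and DC reachability the infrastructure
    tunnel provides.
    """
    report = {}
    for sa in parse_mmsa(text):
        client = sa.get("Local IP Address", "?")
        entry = report.setdefault(client, {"tunnels": set(), "findings": []})
        kind = classify(sa)
        entry["tunnels"].add(kind)
        if kind == "unexpected":
            entry["findings"].append(
                f"undocumented auth pair {sa.get('Auth1')}/{sa.get('Auth2')} "
                f"({sa['Header']})")
    for entry in report.values():
        if "intranet" in entry["tunnels"] and "infrastructure" not in entry["tunnels"]:
            entry["findings"].append("intranet SA without infrastructure SA")
    return report


if __name__ == "__main__":
    for client, entry in audit(SAMPLE_MMSA).items():
        print(client, sorted(entry["tunnels"]), entry["findings"])
```

Run against the sample, the first client shows both tunnels with no findings, while the second client's ComputerCert/Anonymous SA is flagged; on a real client you would feed the function the actual monitor output instead of the constructed text.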

All replies

  • Cool, thanks.  Just to clarify, when that technet write-up says "User (NTLMv2) credentials", that really means the NTLMv2 credentials of the computer account, right?  B/C the infrastructure tunnel is typically created pre-user logon (at startup), or so I thought?

    Wednesday, April 13, 2011 12:22 PM
  • Yeah, credentials means the computer account and password. However, I think a service account accessing a management server can also authenticate using its own account name and password.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Wednesday, April 13, 2011 12:53 PM