Can client push be configured to use Kerberos?

  • Question

  • After a long period of auditing, migrating NTLM apps to Kerberos, and finally blocking all NTLM authentication at the domain level using group policy, I've come to discover, when I used client push intending to remediate a few clients that had failed their check, that client push uses NTLM authentication and fails. Is there a way I can configure client push to use Kerberos authentication instead? I'm using a dedicated domain account as the client push account, and it is added to the local Administrators group on target client PCs via group policy.

    born to learn!

    Saturday, June 6, 2015 7:33 PM

All replies

  • I am not aware of any way to change that.  This is a good example for why using a startup script might be preferred.  Jason wrote one and made it available here: http://blog.configmgrftw.com/configmgr-client-startup-script/

    Jeff

    Sunday, June 7, 2015 5:13 PM
  • Side question? Why block NTLM?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Sunday, June 7, 2015 9:07 PM
  • tl;dr = attack surface reduction.

    I ended up blocking it because the audit phase showed that very little was legitimately using it. The legit use cases I couldn't do a better way (Kerberos) have been limited to specific servers that were easily added to the exception list for NTLM in group policy. This change has also smoked out a lot of terrible historic user-forced things that only touched the network after my audit phase ended. It has been my experience that bad/insecure/outdated software design and only being able to use NTLM go hand-in-hand.

    My impression isn't that NTLMv2 is "bad", but that it is not as good as Kerberos... I would by no means claim to be a security expert with enough knowledge to selectively allow a protocol - that our environment doesn't really seem to need outside a few specific servers - just to make some corner cases possible when those corner cases have good alternatives like the fantastic startup script you created.


    born to learn!

    Tuesday, June 9, 2015 3:00 PM
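The audit phase described in the reply above (find out who still authenticates with NTLM before blocking it, then carve out an exception list) can be driven from the NTLM audit events Windows writes when the "Restrict NTLM: Audit" policies are enabled. The script below is an added example, not code from the thread, from ConfigMgr or from the linked startup script; it assumes the Microsoft-Windows-NTLM/Operational log receives events 8001-8004, and the field labels it parses out of the message body (User name, Domain name, Workstation name, Secure Channel name) are assumed from that event text.

```powershell
# Added example: summarise NTLM audit events into a candidate exception list.
# Assumes the "Network security: Restrict NTLM: Audit ..." policies are on, so
# Microsoft-Windows-NTLM/Operational receives 8001 (outbound), 8002 (inbound),
# 8003/8004 (domain-level) audit events. Field labels are assumed from the
# event message text; adjust if your build words them differently.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # a DC for 8004, a member for 8001/8002
    [int]$Days = 30
)

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001, 8002, 8003, 8004
    StartTime = (Get-Date).AddDays(-$Days)
}

# No events (log empty or audit policy off) simply yields an empty report.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-Field([string]$Message, [string]$Label) {
    # Pull "Label: value" from the multi-line event message; empty string if absent.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*?)\s*$") { return $Matches[1] }
    return ''
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        EventId     = $e.Id
        User        = Get-Field $e.Message 'User name'
        Domain      = Get-Field $e.Message 'Domain name'
        Workstation = Get-Field $e.Message 'Workstation name'
        Target      = Get-Field $e.Message 'Secure Channel name'
    }
}

# One line per distinct (event, client, user, target) tuple with a hit count.
# Anything that survives here either gets a Kerberos fix or an explicit
# entry in the "Restrict NTLM: Add server exceptions" policy.
$rows | Group-Object EventId, Workstation, User, Target |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='EventId';     e={ $_.Group[0].EventId }},
        @{n='Workstation'; e={ $_.Group[0].Workstation }},
        @{n='Domain';      e={ $_.Group[0].Domain }},
        @{n='User';        e={ $_.Group[0].User }},
        @{n='Target';      e={ $_.Group[0].Target }} |
    Format-Table -AutoSize
```

Run it against a domain controller to see domain-level (8004) traffic, and against individual servers to see what still reaches them over NTLM after the block is in place.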