Fri 2 Jun 2006
There’s still a lot of confusion out there about the differences between NTLM authentication and Kerberos authentication. For those venturing into the SharePoint 2007 world, this is really a topic that should no longer be ignored. First, let’s make sure we’re all on the same page regarding what NTLM and Kerberos are:
NTLM Authentication is the well-known and loved challenge-response authentication mechanism. For SharePoint developers, using NTLM means that you really have no special configuration issues. As Microsoft likes to say, “It just works.”
Kerberos, on the other hand, is a more complex ticket-based authentication mechanism that authenticates the client to the server and authenticates the server to the client. While Kerberos is more secure, it can be a bit challenging to set up properly.
SharePoint 2007 (and even 2003 with the latest SP) can be configured to use either NTLM or Kerberos. So which do you choose? Well, besides being more secure, Kerberos has two key advantages that make it worth consideration.
1. Performance - Kerberos caches information about the client after authentication. This means that it can perform better than NTLM, particularly in large farm environments.
2. Delegation - Kerberos can delegate the client credentials from the SharePoint front-end web server to other back-end servers like SQL Server. As an example, consider a web part that accesses a SQL Server database and uses a connection string that relies on the end-user credentials (i.e., “Integrated Security=SSPI”). If the targeted SQL Server is not on the same physical server as SharePoint, the database login will fail under NTLM authentication. This is the dreaded “double-hop” scenario that affects not only SharePoint, but ASP.NET applications as well. Under Kerberos, however, the login will succeed.
All in all, Kerberos is a superior authentication mechanism and should be your first choice when deploying SharePoint 2007. Check out the following KB article for more info on how to set it up:
http://support.microsoft.com/?kbid=832769
In my book, I’ll provide detailed setup instructions for utilizing Kerberos with SharePoint 2007.
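To confirm which mechanism clients actually use once a site is configured, the HTTP Authorization headers can be classified: the `Negotiate` scheme can still carry NTLM, in which case the double-hop described above still fails. This is an added example, not code from the original post; the client names and token bytes are constructed, and the substring match is a heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")              # 1.3.6.1.5.5.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")        # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = (bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
                 bytes.fromhex("06092a864882f712010202"))   # 1.2.840.48018.1.2.2 (legacy)
NTLMSSP = b"NTLMSSP\x00"                                    # starts every NTLM message

def classify(header_value):
    """Classify one Authorization header value as 'NTLM', 'Kerberos' or 'unknown'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("ntlm", "negotiate"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                                      # not valid base64
        return "unknown"
    if NTLMSSP in token:                                    # raw or SPNEGO-wrapped NTLM
        return "NTLM"
    if token[:1] == b"\x60" and any(oid in token for oid in KERBEROS_OIDS):
        return "Kerberos"                                   # GSS-API token naming Kerberos
    return "unknown"

def ntlm_clients(requests):
    """Clients (sorted) whose request authenticated with NTLM."""
    return sorted({client for client, value in requests if classify(value) == "NTLM"})

def der(tag, body):  # one DER TLV with a short-form length (for the samples only)
    return bytes([tag, len(body)]) + body

def spnego_init(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit: mechTypes [0] followed by mechToken [2]."""
    fields = der(0xA0, der(0x30, b"".join(mech_oids))) + der(0xA2, der(0x04, mech_token))
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, fields)))

def header(scheme, token):
    return scheme + " " + base64.b64encode(token).decode("ascii")

# Constructed sample tokens and client names (placeholders, not captured traffic).
NTLM_TYPE1 = NTLMSSP + (1).to_bytes(4, "little") + (0xB207).to_bytes(4, "little")
KRB_TOKEN = der(0x60, KERBEROS_OIDS[0] + b"\x01\x00" + b"constructed-ap-req")
SAMPLES = [
    ("client-a", header("NTLM", NTLM_TYPE1)),
    ("client-b", header("Negotiate", spnego_init([KERBEROS_OIDS[0], NTLM_OID], KRB_TOKEN))),
    ("client-c", header("Negotiate", spnego_init([NTLM_OID], NTLM_TYPE1)))]

if __name__ == "__main__":
    print({c: classify(v) for c, v in SAMPLES}, ntlm_clients(SAMPLES))
```

In the samples, client-c sends `Negotiate` but is reported as NTLM, which is the fallback case worth looking for after switching a site to Kerberos.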
January 30th, 2007 at 12:43 am
This article must be helpful for my problem.
I am using SharePoint 2007 Web Services/Project Server Web Services from ASP.NET, and it will later be used as a web part. As we know, a user name and password are needed to log in to a SharePoint site and SharePoint web services. I am trying to pass credentials to call the web services. I used the following code:
//Here: groupService is an object variable representing UserGroup.asmx Web Service.
groupService.Credentials = CredentialCache.DefaultNetworkCredentials;
This code generates an unauthorized (401) error. I know that this is a security issue. If I use
groupService.Credentials = new System.Net.NetworkCredential("UserName", "Password", "DomainName");
it works fine. But this can’t be used because the user will not be static.
I have used Windows authentication (NTLM) for the SharePoint server and haven’t configured any domain (Active Directory).
I know I have to delegate credentials to call SharePoint web services. For this, what should the network configuration be, and which Windows authentication should be used?