Kerberos

Kerberos is a single sign-on (SSO) network authentication protocol designed to allow nodes, communicating over a non-secure network, to prove their identity to one another in a secure manner.

NTLM

NTLM (NT LAN Manager) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users.



Better chatty ways

Example

"Kerberos could be considered as a better option than NTLM"

from question  

Windows integrated (NTLM) authentication vs Windows integrated (Kerberos)

"Kerberos is better when it comes to performance; mainly because it is a lot less chatty than NTLM"

from question  

Performance difference Kerberos versus NTLM

"I understand that Kerberos has better performance than NTLM"

from question  

Performance difference Kerberos versus NTLM

"In fact, in some ways NTLM is better than Kerberos"

from question  

Authenticating against Active Directory with Java on Linux

Secure delegation domain

Example

"But as I understand it, NTLM disallows the more secure Kerberos domain credentials if they're available"

from question  

Windows Authentication not prompting on Firefox or iOS Safari

"But since NTLM is less secure than Kerberos, why isn't it the other way around"

from question  

Why is kerberos defaulting to NTLM in WCF?

"NTLM is less secure, and Negotiate lets the client and server use Kerberos if both of the client and server support it - if not, both of them fall back to NTLM"

from question  

Is using DefaultNetworkCredentials a security hole?

"Kerberos is, however, more secure and can handle delegation where the web server can access other resources a file server using the client's identity"

from question  

Windows integrated (NTLM) authentication vs Windows integrated (Kerberos)

Others

Example

Yes, Negotiate will pick between Kerberos and NTLM, but this is a one-time choice

from question  

If Kerberos Authentication fails,will it always fall back to NTLM?

However, Kerberos is much more widely supported; as for how you can use NTLM Kerberos with HTTP in the framework you are using

from question  

How can I connect to a WCF SOAP web service that uses Windows authentication in pure xml?

In a way, Negotiate is like Kerberos but with a default backup of NTLM; currently the Negotiate security package selects between Kerberos and NTLM

from question  

What is NTLM/Authenticate/Negotiate web authentication

When you use Kerberos and enable delegation, which the domain admin needs to do, you can have the original integrated auth credentials flow over the linked server link to the next connection; NTLM does not do this

from question  

Weird setting when linking to Postgresql using Windows authentication or SQL authentication

For a low-traffic site, the huge tokens that Kerberos sends across the network actually make it slower than NTLM

from question  

Access a SharePoint website from a Java application with Kerberos authentication

Kerberos is complex to set up, and even though it generally is considered faster than NTLM, this is only true when you reach a certain limit of simultaneous users on your site

from question  

Access a SharePoint website from a Java application with Kerberos authentication

Data comes from Stack Exchange with CC-BY-SA-4.0