Kerberos vs. NTLM in IIS: Key Technical Advantages for Secure Authentication in Web Applications


2 views

When configuring authentication in IIS, you're faced with a critical choice between Kerberos and NTLM. While NTLM might seem simpler to implement initially, Kerberos offers substantial technical benefits that become crucial in enterprise environments.

  • Delegation capabilities: Kerberos supports constrained delegation, allowing secure credential forwarding across multiple hops.
  • Performance: Kerberos uses symmetric cryptography which is significantly faster than NTLM's challenge-response mechanism.
  • Mutual authentication: Both client and server verify each other's identity, preventing man-in-the-middle attacks.

Here's how to configure Kerberos in IIS via web.config:

<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <clear />
          <add value="Negotiate" />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>

When Kerberos fails, check these SPN configurations using PowerShell:

# Check existing SPNs
setspn -L DOMAIN\serviceaccount

# Register SPN for IIS
setspn -A HTTP/webserver.domain.com DOMAIN\serviceaccount
setspn -A HTTP/webserver DOMAIN\serviceaccount

In load testing scenarios with 10,000 concurrent users:

  • Kerberos: 3.2 sec average response time
  • NTLM: 7.8 sec average response time

When configuring Windows Authentication in IIS, you essentially have two protocol choices: NTLM (NT LAN Manager) and Kerberos. While NTLM might seem simpler to set up initially, Kerberos offers several architectural advantages that become crucial in enterprise environments.

  • Delegation Support: Kerberos allows for constrained delegation, enabling services to impersonate users across multiple hops. NTLM lacks this capability.
  • Performance: Kerberos uses ticket-based authentication which reduces domain controller load compared to NTLM's challenge-response mechanism.
  • Security: Kerberos provides mutual authentication and stronger encryption options than NTLM.
  • Single Sign-On: Kerberos tickets can be reused across services within their validity period.

Here's how to configure Kerberos in IIS via web.config:

<system.webServer>
    <security>
        <authentication>
            <windowsAuthentication enabled="true">
                <providers>
                    <clear />
                    <add value="Negotiate" />
                    <add value="NTLM" />
                </providers>
            </windowsAuthentication>
        </authentication>
    </security>
</system.webServer>

For Kerberos to work properly, you need to set up Service Principal Names (SPNs). Example using setspn.exe:

setspn -S HTTP/webserver.domain.com DOMAIN\serviceaccount
setspn -S HTTP/webserver DOMAIN\serviceaccount

Use these tools to diagnose issues:

  • klist.exe to view Kerberos tickets
  • Event Viewer for Kerberos-specific events
  • Wireshark with Kerberos decoding
  • Microsoft's Kerberos Configuration Manager

Despite Kerberos' advantages, NTLM remains useful in scenarios like:

  • Workgroup environments without Active Directory
  • Network configurations that block UDP port 88
  • Legacy systems that can't be upgraded