Only Windows 2000 clients and UNIX clients can use Kerberos authentication in a Windows 2000 domain. To provide access to Windows NT 4.0 clients and Windows 95 and Windows 98 clients running the Directory Services Client, Windows 2000 continues to support the use of the Windows NT LAN Manager (NTLM) authentication protocol.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
In addition to providing NTLM authentication for down-level clients, NTLM is also used to authenticate logons to Windows 2000 computers that aren't participating in a domain or when authentication against the local account database of a member server or Windows 2000 Professional computer takes place.
In the last few years, security weaknesses were found with the NTLM protocol. Password crackers were developed that were able to decrypt NTLM-protected authentication. To counteract this, NTLM version 2 was developed for Windows NT 4.0 Service Pack 4. NTLMv2 introduces additional security features, including
Figure 3.10 shows how NTLMv2 authentication takes place.
Figure 3.10 NTLM authentication
In this environment the client is connecting to a server. Active Directory uses the MSV1_0 sub-authentication filter to perform the authentication.
Because Kerberos authentication is available only to Windows 2000 client computers, your network design must ensure that the next strongest form of authentication is available to non-Windows 2000 client computers and Windows 2000 client computers.
Clients use NTLMv2 authentication in the circumstances shown in Table 3.4.
Table 3.4 Determining when NTLMv2 Authentication is Used
|Client|Use NTLMv2 when|
|---|---|
|Windows 2000|Authenticating to the local SAM database of a stand-alone Windows 2000–based computer|
| |Authenticating with a Windows NT 4.0 computer with SP4 or higher installed|
|Windows NT 4.0|Authenticating with Windows 2000 and Windows NT 4.0 servers and the client has Service Pack 4 or higher applied|
| |Authenticating with Windows 2000 and Windows NT 4.0 servers and the client has the Directory Services Client installed|
|Windows 95/Windows 98|Authenticating with Windows 2000 and Windows NT 4.0 servers and the client has the Directory Services Client installed|
The Market Florist network has a combination of Windows NT 4.0 Workstation and Windows 95 clients that are unable to use Kerberos when authenticating with the network.
Based on the scenario, Market Florist must include the deployment of the Directory Services Client only to the Windows 95 clients to ensure that all non–Windows 2000 clients on the network use NTLMv2 authentication. The Windows NT 4.0 Workstation clients won't require the Directory Services Client software to enable NTLMv2 authentication because the clients had the latest service pack applied for Year 2000 compliance. This doesn't mean that there isn't a business case to distribute the Directory Services Client software to Windows NT 4.0 workstations. It only means that the Windows NT 4.0 clients don't require the Directory Services Client software to ensure that NTLMv2 is used for authentication.
NTLM authentication is still used in a Windows 2000 network. Be sure that you know when NTLM authentication is used and plan the deployment of the Directory Services Client software to ensure that Windows 95, Windows 98, and Windows NT 4.0 clients can use the added security of NTLMv2 authentication. When Kerberos can't be used, NTLMv2 provides strong authentication security.