Wednesday

SharePoint NTLM versus Kerberos (Authentication Providers)

NTLM: NTLM is the well-known and much-loved challenge-response authentication mechanism. For SharePoint developers, NTLM needs no special configuration. As Microsoft likes to say, "it just works." The price of that simplicity is that the web server never holds anything it can present to another server on the user's behalf, which is the root of the double-hop problem described below.

Kerberos: Kerberos is a ticket-based authentication mechanism that provides mutual authentication: the client proves its identity to the server, and the server proves its identity to the client. Mutual authentication, together with the fact that the user's credentials are never sent to the web server (only a ticket encrypted to the service's key is), is what makes Kerberos the more secure option. It is also more challenging to set up properly: the service principal name (SPN) for the web application's URL must be registered against the application pool account, the URL the users type must match that SPN, and any delegation must be granted in Active Directory. When any of these is wrong, the browser silently negotiates down to NTLM and you get none of the benefits without any error to tell you so.

SharePoint 2007 (and even SharePoint 2003 with the latest service pack) can be configured to use either NTLM or Kerberos. So which do you choose? Besides being more secure, Kerberos has two key advantages that make it worth considering.

1. Performance - Under NTLM, the web front-end has to pass every challenge-response exchange to a domain controller for validation. Under Kerberos, the client obtains a service ticket once and presents it on subsequent requests, and the server validates the ticket locally with its own service key, so no domain controller round trip is needed per request. In a large farm with many front-ends and many users this noticeably reduces both authentication latency and load on the domain controllers.

2. Delegation - Kerberos can delegate the client's identity from the SharePoint front-end web server to back-end servers such as SQL Server. As an example, consider a web part that accesses a SQL Server database using a connection string that relies on the end user's credentials (i.e., "Integrated Security=SSPI"). If the targeted SQL Server is not on the same physical server as SharePoint, the database login fails under NTLM: the front-end holds only an impersonation token for the user, not credentials it can forward, so the connection reaches SQL Server as an anonymous logon (the familiar "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"). This is the dreaded "double-hop" scenario, and it affects not only SharePoint but any ASP.NET application that impersonates its users. Under Kerberos, provided the application pool account is trusted for delegation to the SQL Server SPN, the login succeeds, because the front-end can obtain a service ticket for SQL Server on the user's behalf.
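The Active Directory side of the delegation setup, as an added example that is not part of the original post: it registers the SPNs for the SharePoint URL and for SQL Server, grants the application pool account constrained delegation to the SQL SPN only, and then checks for duplicate SPNs and for NTLM fallback in the front-end's Security log. The domain, host names and account names are assumptions, and the script assumes the Active Directory PowerShell module (RSAT on Windows Server 2008 R2 or later) and a domain-admin session.

```powershell
# Added example, not from the original post. All names below are assumptions.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'
$PortalFqdn  = 'portal.contoso.com'   # host header of the SharePoint web application
$AppPoolAcct = 'svc_sp_apppool'       # identity of the SharePoint application pool
$SqlFqdn     = 'sql01.contoso.com'    # back-end SQL Server
$SqlAcct     = 'svc_sql'              # SQL Server service account
$SqlSpn      = "MSSQLSvc/${SqlFqdn}:1433"

# 1. Register SPNs. 'setspn -S' refuses to create a duplicate SPN; a duplicate is the
#    most common cause of a silent fallback from Kerberos to NTLM. (On Windows Server
#    2003 support tools only -A exists; run 'setspn -L' first and check by hand.)
setspn -S "HTTP/$PortalFqdn" "$Domain\$AppPoolAcct"
setspn -S "HTTP/$($PortalFqdn.Split('.')[0])" "$Domain\$AppPoolAcct"  # short name used on the intranet
setspn -S $SqlSpn "$Domain\$SqlAcct"

# 2. Constrained delegation: the app pool account may delegate users' identities
#    to the SQL Server SPN and to nothing else. This needs Windows Server 2003
#    domain functional level or later.
Set-ADUser -Identity $AppPoolAcct -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# Avoid unconstrained delegation (the "any service" option); it lets a compromised
# front-end reuse every visiting user's identity against any service in the forest:
#   Set-ADUser -Identity $AppPoolAcct -TrustedForDelegation $true   # do not do this

# 3. Verify the directory state.
setspn -X   # lists duplicate SPNs across the forest; the output should be empty
Get-ADUser -Identity $AppPoolAcct -Properties ServicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, ServicePrincipalName, 'msDS-AllowedToDelegateTo'

# 4. On the web front-end (Windows Server 2008 or later), count recent logons by
#    authentication package. After the change, user logons should show 'Kerberos';
#    a steady stream of 'NTLM' means the SPN or the URL is wrong and clients fell back.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            User    = $data['TargetUserName']
            Package = $data['AuthenticationPackageName']
        }
    } |
    Where-Object { $_.Package -match '^(Kerberos|NTLM)$' } |
    Group-Object Package | Select-Object Name, Count
```

After the directory changes, switch the web application's zone to Negotiate (Kerberos) under Central Administration > Application Management > Authentication Providers, recycle the application pool, and browse the site from a client; `klist` on that client should then show an HTTP/portal.contoso.com ticket, and the SQL connection in the web part should arrive under the user's own name instead of ANONYMOUS LOGON.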

All in all, Kerberos is the superior authentication mechanism and should be your first choice when deploying SharePoint 2007. Plan the SPN registration and delegation settings up front rather than after the first double-hop failure, and prefer constrained delegation (delegation to the SQL Server SPN only) over trusting the front-end for delegation to any service, so that a compromised web server cannot reuse your users' identities elsewhere in the domain.