
Wednesday, April 10, 2013

What is Kerberos?

Windows authentication protocol.

Pre-2000 Windows uses NTLM.
Windows 2000 and later use Kerberos.

For a Windows login, authentication is passed to the Windows Security Support Provider Interface (SSPI).

SSPI first tries to authenticate using Kerberos. This is the preferred protocol for Windows 2000 and above. For this to work, there needs to be a Service Principal Name (SPN).

A Service Principal Name (SPN) gives the client the information it needs about the service. Basically, each SPN consists of 3 or 4 pieces of information:
The type of service (for SQL Server it is called MSSQLSvc)
The name of the server
The port (if this needs to be specified)
The service account running the service

NTLM suffers from the following drawbacks:

It is susceptible to “replay” attacks.
It assumes the server is trustworthy.
It requires more authentication traffic than Kerberos.
It doesn’t provide a means of going past that first hop.

Kerberos:

Authentication is only valid within a time limit, e.g. 10 sec.
Checks the SPN against AD.
Authenticates only once to issue a ticket. Tickets expire after 10 hr.
Can span multiple hops.
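To make the SPN and fallback points above concrete, here is an added example (not code from the original post) that parses SPN strings of the form serviceclass/host[:port], works out whether SSPI would get Kerberos or fall back to NTLM for a given connection target, and flags SPNs registered on more than one account. The account names and SPNs are constructed sample data; named-instance and /servicename SPN forms are out of scope.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# AD SPN syntax handled here: serviceclass/host[:port]
SPN_RE = re.compile(
    r"^(?P<service>[A-Za-z0-9_.-]+)/(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d{1,5}))?$"
)


@dataclass(frozen=True)
class SPN:
    service: str            # e.g. MSSQLSvc
    host: str               # server name, normalised to lower case
    port: Optional[int] = None


def parse_spn(text: str) -> SPN:
    """Split an SPN string into its parts; raise ValueError if malformed."""
    m = SPN_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed SPN: {text!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SPN: {text!r}")
    return SPN(m["service"], m["host"].lower(), port)


def sspi_protocol(registered: Iterable[str], service: str, host: str,
                  port: Optional[int] = None) -> str:
    """Kerberos if the SPN the client builds from its connection target is
    registered in AD, otherwise the NTLM fallback."""
    wanted = SPN(service, host.lower(), port)
    return "Kerberos" if any(parse_spn(s) == wanted for s in registered) else "NTLM"


def duplicate_spns(accounts: Dict[str, List[str]]) -> Dict[SPN, List[str]]:
    """SPNs registered on more than one account; the KDC cannot issue a ticket for these."""
    owners: Dict[SPN, List[str]] = {}
    for account, spns in accounts.items():
        for s in spns:
            owners.setdefault(parse_spn(s), []).append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}


# Constructed sample: SPNs keyed by the account they are registered on
REGISTERED = {
    "CORP\\svc_sql": ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql01.corp.example"],
    "CORP\\SQL01$": ["HOST/sql01.corp.example", "MSSQLSvc/sql01.corp.example:1433"],
}
ALL_SPNS = [s for spns in REGISTERED.values() for s in spns]

if __name__ == "__main__":
    print(sspi_protocol(ALL_SPNS, "MSSQLSvc", "SQL01.corp.example", 1433))  # Kerberos
    print(sspi_protocol(ALL_SPNS, "MSSQLSvc", "sql01", 1433))  # NTLM: short name has no SPN
    print(duplicate_spns(REGISTERED))
```

Connecting by short host name or a port with no registered SPN is the usual reason a "Kerberos" environment quietly ends up on NTLM.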
