HP CIFS Windows 2000 Interoperability (October 2002)

CIFS/9000 and Windows 2000 Interoperability
Hewlett-Packard
Requires complex manual trust management for multi-domain structures such as the master-resource model
NTLM has a version 2 that includes a stronger encryption mechanism. NTLM v2 was delivered for NT4.0 in Service Pack 4. However, NTLM v2 must be enabled by editing the client registry, and it has not been widely adopted.
4.2 Windows 2000 and Kerberos
The Windows 2000 default authentication protocol (from Windows 2000 Pro clients only) is Kerberos. Microsoft clearly promotes Kerberos as a significant advantage of Windows 2000, and as a primary motivation to migrate from earlier Windows platforms. The advantages of Kerberos authentication are:
“Industry Standard”: Kerberos is not a new protocol. It originated at MIT in the late 1980s and is specified in IETF RFC 1510. Microsoft adopted Kerberos and modified it to fit into the Windows 2000 ADS and domain structure. Consequently, it is now “Based upon an Industry Standard”, with a proprietary data structure that affects interoperability with other vendors (examined in more detail later).
Re-Use Credentials: NTLM requires that a server authenticate a user upon connection and issue a set of credentials. When the user disconnects, so do the credentials. With Kerberos, a user is issued a set of credentials with an expiration interval. If the client reconnects before the expiration, the original credentials are still valid and the server does not have to authenticate the client again. This can speed up the connection process when accessing varied resources in a domain.
Client AND Server are Authenticated: With NTLM the client requests domain authentication, and the server must validate that the client is a legitimate member of the domain. With Kerberos, the same process occurs, except that the Kerberos key mechanism also gives the client validation that the server is a legitimate member of the domain. This holds true for any two entities in the domain.
Authentication Proxy: Windows applications often impersonate clients when accessing resources within a domain. NTLM does not provide an authentication mechanism for impersonating a client. Kerberos has an authentication proxy that allows an application (or “service”) to impersonate a client for authentication.
Transitive Trusts: Although Transitive Trusts sound like an ADS feature, they exist as a result of the Kerberos dual authentication ability. Since separate entities within the Windows 2000 domain (or forest) are validated by the dual authentication mechanism in Kerberos, there is no need to explicitly configure one-way or two-way trusts.
Encryption: The Kerberos encryption method is much more secure than NTLM encryption.
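The ticket re-use, mutual authentication and expiry behaviour described in the list above, as an added illustration that is not HP's or Microsoft's code. It collapses the KDC into a single service-ticket issuer (no separate AS/TGS step), uses a stand-in encryption type built from HMAC-SHA256 in place of a real Kerberos etype, and the principal names, keys and timestamps are all constructed for the example. The message contents follow the spirit of RFC 1510 (ticket under the service key, authenticator under the session key, AP_REP echoing the client's timestamp), not its ASN.1 encoding.

```python
import hashlib
import hmac
import json
import os

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a toy keystream, not a Kerberos etype."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, obj):
    """Encrypt-then-MAC a JSON object under a 32-byte key (stand-in etype)."""
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    """Refuse anything not produced under the same key, then decrypt."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))

class KDC:
    """Issues service tickets; holds every principal's long-term key (constructed)."""
    def __init__(self, keys):
        self.keys, self.issued = keys, 0

    def service_ticket(self, client, service, now, lifetime):
        self.issued += 1
        session_key = os.urandom(32)
        ticket = encrypt(self.keys[service],
                         {"client": client, "key": session_key.hex(), "expires": now + lifetime})
        return session_key, ticket

class Client:
    def __init__(self, name, kdc):
        self.name, self.kdc, self.cache, self.last_ts = name, kdc, {}, {}

    def get_ticket(self, service, now, lifetime=8 * 3600):
        """Re-use the cached ticket until it expires; only then go back to the KDC."""
        cached = self.cache.get(service)
        if cached is None or now >= cached[2]:
            key, ticket = self.kdc.service_ticket(self.name, service, now, lifetime)
            self.cache[service] = (key, ticket, now + lifetime)
        return self.cache[service]

    def ap_req(self, service, now):
        key, ticket, _ = self.get_ticket(service, now)
        self.last_ts[service] = now
        return {"ticket": ticket, "authenticator": encrypt(key, {"client": self.name, "timestamp": now})}

    def verify_ap_rep(self, service, ap_rep):
        """The server is genuine only if it echoed our timestamp under the session key."""
        return decrypt(self.cache[service][0], ap_rep)["timestamp"] == self.last_ts[service]

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ap_req, now):
        ticket = decrypt(self.key, ap_req["ticket"])      # only the real service key opens it
        if now >= ticket["expires"]:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(ticket["key"])
        auth = decrypt(session_key, ap_req["authenticator"])
        if auth["client"] != ticket["client"] or abs(auth["timestamp"] - now) > 300:
            raise ValueError("authenticator does not match ticket")
        return encrypt(session_key, {"timestamp": auth["timestamp"]})   # AP_REP

def demo():
    """First connection, re-use within the lifetime, impostor server, expiry, renewal."""
    svc = "cifs/fileserver.example"                      # constructed service principal
    keys = {svc: os.urandom(32)}
    kdc, server = KDC(keys), Service(svc, keys[svc])
    alice, t0 = Client("alice", kdc), 1_000_000
    first_ok = alice.verify_ap_rep(svc, server.accept(alice.ap_req(svc, t0), t0))
    reused_req = alice.ap_req(svc, t0 + 3600)            # reconnect: cached ticket, no KDC call
    second_ok = alice.verify_ap_rep(svc, server.accept(reused_req, t0 + 3600))
    no_new_ticket = kdc.issued == 1
    try:                                                 # impostor without the session key
        alice.verify_ap_rep(svc, encrypt(os.urandom(32), {"timestamp": t0 + 3600}))
        impostor_rejected = False
    except ValueError:
        impostor_rejected = True
    try:                                                 # old ticket presented after expiry
        server.accept(reused_req, t0 + 9 * 3600)
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    alice.ap_req(svc, t0 + 9 * 3600)                     # cache miss: KDC issues a fresh ticket
    return {"first_ok": first_ok, "second_ok": second_ok, "no_new_ticket": no_new_ticket,
            "impostor_rejected": impostor_rejected, "expired_rejected": expired_rejected,
            "renewed": kdc.issued == 2}
```

Calling `demo()` returns every flag as `True`: the second connection reuses the ticket without a KDC round trip, a server that lacks the session key cannot produce an acceptable AP_REP, and a ticket presented past its lifetime is refused so the client fetches a new one.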
4.3 CIFS/9000 Server and Windows 2000 Kerberos
The CIFS/9000 Server can co-exist in a Windows 2000 domain (Native or Mixed) where Windows 2000 Pro clients authenticate into the domain using Kerberos. Even when the client is authenticated with Kerberos, the CIFS/9000 Server will negotiate the NTLM v1 protocol with the client that is mapping a share, and then pass the authentication request through to the Windows 2000 domain controller, also negotiating NTLM v1 to the DC.
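Because the fallback above means a Kerberos-capable Windows 2000 client ends up authenticating with NTLM v1 twice (client to CIFS/9000, then CIFS/9000 to the DC), an administrator may want to spot those sessions in trace output. The following is an added example, not HP code or output: the session-setup summary lines are constructed in a simple key=value style and are not real CIFS/9000 or DC trace records, so the parser would need adapting to a real trace viewer's format.

```python
import re
from collections import defaultdict

# Constructed session-setup summaries (not captured from a real network).
# Values may contain spaces, e.g. the "NT LM 0.12" dialect string.
TRACE = """\
10:01:02 client=w2kpro-1 server=dc1 auth=Kerberos
10:01:03 client=w2kpro-1 server=hp-cifs9000 dialect=NT LM 0.12 auth=NTLMv1
10:01:03 client=hp-cifs9000 server=dc1 dialect=NT LM 0.12 auth=NTLMv1 passthrough=w2kpro-1
10:02:11 client=nt4ws-7 server=hp-cifs9000 dialect=NT LM 0.12 auth=NTLMv1
10:03:40 client=w2kpro-2 server=dc1 auth=Kerberos
"""

# key=value where the value runs until the next " key=" or end of line
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse(trace):
    """One dict per non-empty line: the timestamp plus the key=value fields."""
    records = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        time, _, rest = line.partition(" ")
        rec = {"time": time}
        rec.update(FIELD.findall(rest))
        records.append(rec)
    return records

def kerberos_capable(records):
    """Clients observed completing a Kerberos authentication anywhere in the trace."""
    return {r["client"] for r in records if r.get("auth") == "Kerberos"}

def ntlmv1_downgrades(records):
    """(client, server) pairs where a Kerberos-capable client fell back to NTLM v1."""
    capable = kerberos_capable(records)
    return sorted({(r["client"], r["server"]) for r in records
                   if r.get("auth") == "NTLMv1" and r["client"] in capable})

def passthrough_chains(records):
    """Originating client -> (intermediate server, DC) for pass-through hops."""
    return {r["passthrough"]: (r["client"], r["server"]) for r in records if "passthrough" in r}

def ntlmv1_servers(records):
    """How many NTLM v1 session setups each server accepted."""
    counts = defaultdict(int)
    for r in records:
        if r.get("auth") == "NTLMv1":
            counts[r["server"]] += 1
    return dict(counts)
```

On the constructed trace, `ntlmv1_downgrades` reports only `w2kpro-1` against `hp-cifs9000` (the NT4.0 workstation never used Kerberos, so it is not a downgrade), `passthrough_chains` shows that client's request being relayed by `hp-cifs9000` to `dc1`, and `ntlmv1_servers` counts the DC's NTLM v1 session from the pass-through separately from the two it accepted at the CIFS/9000 server.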
The following diagrams and traces illustrate the authentication protocol used by the CIFS/9000 server in the following domain structures:
NT4.0 client in an NT4.0 domain
Windows 2000 client in a Mixed Mode Windows 2000 domain