Jump to content

Replace NTLM authentication with Kerberos

Rohan Power

Recommended Posts

Hi ClickStudios,


Due to the insecurities of NTLM, we are considering removing the NTLM authentication method from our PS IIS site.  We currently are directed to the PasswordState logon page, but are in the process of configuring it for SSO.


Do you have a recommendation when it comes to using NTLM  vs. kerberos as the default Windows Authentication method on the PasswordState IIS site?  And would you recommend setting up a dedicated service account and configure the PasswordState app-pools to run as this account?


Kind regards.

Link to comment
Share on other sites

Hi Rohan,


I've just done some testing on this, by adding 'Negotiate:Kerberos' as the preferred authentication provider for the 'Windows Authentication' in IIS, and it appears to be working fine - although you do need to first disable 'Enable Kernel-mode authentication'. So there should be no issues if you'd prefer to use Kerberos.

We do have some instructions for configuring the IIS Application Pools using an MSA account, and you can find this in our installation manual if this is something you would like to explore also - https://www.clickstudios.com.au/downloads/version8/Installation_Instructions.pdf


Click Studios

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...