On Thu, Oct 16, 2008 at 9:16 PM, Lim, Melvin wrote:
> Hi
> I would like to double confirm where did the Kerberos fallback to NTLM
> taking place,
> 1. The fallback taking place while negotiation
> 2. The fallback taking place after the negotiation

Hi Melvin,

First, you should realize that you're asking about a largely Microsoft
Windows specific issue whereas this is a Kerberos-only mailing list
(albeit gracious to MS specific questions). Other than both being
authentication protocols, NTLM and Kerberos are not related.

Anyway, the answer to your question is option "0". Meaning a Windows
client will fall back to NTLM if it cannot perform Kerberos for any
reason. That evaluation occurs before any "negotiation" with the

Specifically, when a Windows client decides that it is to perform SSPI
style authentication, it tries to acquire a Kerberos ticket for the
desired service. There are a number of points where that acquisition
can fail. The client may not be joined to the domain, it may not have
adequate communication with the KDC, the service account may not be
setup correctly, etc. If any of these things fail, the client will
then try NTLM.


Michael B Allen
PHP Active Directory SPNEGO SSO