KB14021 - Best practice recommendation: Active Directory/Windows NT authentication server: Which authentication protocol (Kerberos, NTLMv2 and NTLMv1) should be enabled to avoid account lock-out issues?

Last Modified Date: 1/13/2016 5:01 PM
Synopsis
User accounts may lock out after fewer wrong attempts than the limit configured on the backend Active Directory server.
Problem or Goal
The PCS Active Directory/Windows NT authentication server instance can be configured to use the Kerberos, NTLMv2 and NTLMv1 protocols. If all three are enabled, each protocol is tried in turn in a fail-over (cascade) sequence. When the error returned by the Active Directory server clearly identifies an invalid-credentials login attempt, the PCS stops there and does not try the next enabled protocol. In some scenarios, however, an invalid-credentials attempt cannot be distinguished from an attempt that failed because of a protocol communication or environmental issue. The PCS then retries the same wrong credentials with each remaining enabled protocol, and the Active Directory server counts every one of those retries as a bad password attempt. As a result, the account can lock out after fewer user-visible wrong attempts than the lockout threshold configured on the backend Active Directory server.
Solution
Account lockout issues caused by this behaviour can be avoided with either of the following options:
 
  • On the authentication server instance, enable only the authentication protocols that are actually required and used in your environment.
    Example: select only Kerberos and NTLMv2. With this setting Kerberos (the most secure of the three) is used in most cases, with a fallback to NTLMv2 when Kerberos fails. Alternatively, enable only Kerberos if your organization's security guidelines discourage the use of NTLM wherever possible.
  • Increase the account lockout threshold configured on the backend Active Directory server. Note that a higher threshold also weakens the domain's protection against password guessing, so reducing the number of enabled protocols is the preferred fix.

In addition, we strongly recommend that you do not enable all three authentication protocol options. If you are unsure, it is best to keep NTLMv1 disabled, as the Kerberos and NTLMv2 combination should work in most deployments.
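The cascade described under Problem or Goal and the effect of each option above, as an added simulation that is not PCS code and not part of the original article: it models an AD account with a lockout threshold and a PCS-style cascade that stops on a definitive invalid-credentials error but falls through to the next protocol on an ambiguous failure, then counts how many user-visible wrong-password attempts it takes to lock the account for each protocol selection. The protocol order, the result names, the `AdAccount` class and the sample passwords are assumptions made for the model, not PCS or Active Directory internals.

```python
"""Constructed model of the PCS protocol cascade against an AD lockout counter.

Not PCS or Active Directory code: a simulation showing why an account can lock
after fewer user-visible wrong attempts than the configured lockout threshold
when several authentication protocols are enabled and the backend's error
cannot be attributed to bad credentials.
"""
import math

# Assumed cascade order: most secure first, as the article's example implies.
PROTOCOL_ORDER = ("Kerberos", "NTLMv2", "NTLMv1")


class AdAccount:
    """Minimal stand-in for an AD account with a lockout threshold (assumed model)."""

    def __init__(self, password, lockout_threshold):
        self.password = password
        self.lockout_threshold = lockout_threshold
        self.bad_password_count = 0
        self.locked = False

    def authenticate(self, password, distinguishable):
        """Return 'ok', 'locked', 'invalid_credentials' or 'ambiguous_failure'.

        The bad-password counter grows on every wrong attempt regardless of
        how the failure is reported. `distinguishable` models whether the error
        reaching the PCS can be recognised as a credential failure.
        """
        if self.locked:
            return "locked"
        if password == self.password:
            self.bad_password_count = 0
            return "ok"
        self.bad_password_count += 1
        if self.bad_password_count >= self.lockout_threshold:
            self.locked = True
        return "invalid_credentials" if distinguishable else "ambiguous_failure"


def cascade_login(account, password, enabled_protocols, distinguishable):
    """One user-visible login attempt: try each enabled protocol in cascade order.

    A definitive invalid-credentials error (or a locked account) stops the
    cascade; an ambiguous failure falls through to the next enabled protocol,
    re-sending the same wrong password. Returns the (protocol, result) trace.
    """
    trace = []
    for proto in PROTOCOL_ORDER:
        if proto not in enabled_protocols:
            continue
        result = account.authenticate(password, distinguishable)
        trace.append((proto, result))
        if result in ("ok", "invalid_credentials", "locked"):
            break
    return trace


def attempts_until_lockout(enabled_protocols, lockout_threshold, distinguishable):
    """Count the user-visible wrong-password attempts needed to lock the account."""
    account = AdAccount("correct-horse-battery", lockout_threshold)  # sample password
    attempts = 0
    while not account.locked:
        cascade_login(account, "wrong-password", enabled_protocols, distinguishable)
        attempts += 1
    return attempts


def expected_attempts(n_enabled, lockout_threshold, distinguishable):
    """Closed form: ceil(threshold / n) with ambiguous failures, else the threshold."""
    if distinguishable:
        return lockout_threshold
    return math.ceil(lockout_threshold / n_enabled)


if __name__ == "__main__":
    threshold = 5  # sample AD lockout threshold
    selections = (
        ("Kerberos", "NTLMv2", "NTLMv1"),  # all three enabled (discouraged)
        ("Kerberos", "NTLMv2"),            # the article's recommended example
        ("Kerberos",),                     # Kerberos only
    )
    for enabled in selections:
        for distinguishable in (True, False):
            n = attempts_until_lockout(enabled, threshold, distinguishable)
            print(f"{'+'.join(enabled):<24} distinguishable={str(distinguishable):<5} "
                  f"locks after {n} user attempt(s)")
```

With a threshold of 5 and indistinguishable errors, the account locks after 2 user attempts with all three protocols enabled, after 3 with Kerberos and NTLMv2, and only after the full 5 with Kerberos alone; in general the effective threshold becomes ceil(threshold / number of enabled protocols). When comparing against your own environment, use the lockout threshold that actually applies to the affected user, which may come from a fine-grained password policy rather than the default domain policy.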
Created By: Data Deployment