disabling kerberos

Actually davidchr davespam at microsoft.com
Mon Sep 27 13:39:26 EDT 2004


If you disable Kerberos, you'll be left with NTLM as your method of
domain authentication, which is not a great place to be (NTLM is not as
secure as Kerberos, as performant, or as easily-deployed).  To put it
mildly, I would not recommend this.

To answer your question, though, if you stop the KDC on all domain
controllers, no new Kerberos tickets will be granted.  Existing tickets
will continue to function until they expire.  Note that some services
assume the presence of Kerberos and may behave strangely.

Can you elaborate on what you aim to accomplish by disabling Kerberos?
This is a fairly extreme step to take.

---
This message is provided "AS IS" with no warranties, and confers no
rights.
This message may originate from an unmonitored alias ("davespam") for
spam-reduction purposes.  Use "davidchr" for individual replies.
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
This message originates in the State of Washington (USA), where
unsolicited commercial email is legally actionable (see
http://www.wa-state-resident.com).
Harvesting of this address for purposes of bulk email (including "spam")
is prohibited unless by my expressed prior request.  I retaliate
viciously against spammers and spam sites.
 

> -----Original Message-----
> From: kerberos-bounces at mit.edu 
> [mailto:kerberos-bounces at mit.edu] On Behalf Of Medha Kulkarni
> Sent: Monday, September 27, 2004 5:08 AM
> To: kerberos at mit.edu
> Subject: disabling kerberos
> 
> Hi,
> 
> Can anybody tell me how to disable Kerberos authentication 
> on Windows domain controller machines?
> 
> All the documents on the Microsoft site say that Kerberos is the 
> default authentication method on domain controller based 
> machines. But there is no documentation available telling how 
> to disable this authentication.
> 
> Is there any setting available on the domain controller to disable it?
> 
> If the KDC service on the domain controller is stopped, then does 
> that mean Kerberos is disabled?
> 
> 
> Thanks in advance.
> Medha.
>   
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
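
Added example (not part of the original thread or written by either poster): a small classifier for logon records that shows the two effects the reply describes once the KDC is stopped, namely cached tickets still working until they expire and everything else falling back to NTLM. Assumptions: the four-column record format and the sample lines are constructed, the package column mirrors the AuthenticationPackageName field of Windows Security event 4624, and the 10-hour ticket lifetime is the Windows default and should be replaced with your domain policy value.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumption: default maximum ticket lifetime; replace with your domain policy value.
MAX_TICKET_LIFETIME = timedelta(hours=10)

# Constructed sample records: time, target host, account, authentication package.
SAMPLE = """\
2004-09-27T08:00:00 FILE01 alice Kerberos
2004-09-27T09:30:00 FILE01 bob Kerberos
2004-09-27T12:10:00 FILE01 alice Kerberos
2004-09-27T12:40:00 FILE01 bob NTLM
2004-09-27T15:00:00 SQL01 carol NTLM
2004-09-28T01:00:00 SQL01 alice NTLM
2004-09-28T02:00:00 FILE01 dave Kerberos
"""

def classify(line, kdc_stopped):
    """Label one logon record relative to the time the KDC was stopped."""
    stamp, _host, account, package = line.split()
    when = datetime.fromisoformat(stamp)
    if when < kdc_stopped:
        label = "baseline"
    elif package.upper() == "NTLM":
        label = "ntlm-fallback"
    elif when <= kdc_stopped + MAX_TICKET_LIFETIME:
        label = "cached-ticket"        # issued before the stop, not yet expired
    else:
        # Either a KDC is still issuing tickets or the lifetime assumption is wrong.
        label = "unexpected-kerberos"
    return account, label

def summarize(log_text, kdc_stopped):
    """Return per-label counts and the set of accounts behind each label."""
    counts, accounts = Counter(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        account, label = classify(line, kdc_stopped)
        counts[label] += 1
        accounts.setdefault(label, set()).add(account)
    return counts, accounts

if __name__ == "__main__":
    counts, accounts = summarize(SAMPLE, datetime(2004, 9, 27, 12, 0))
    for label in sorted(counts):
        print(f"{label:20} {counts[label]:2}  {sorted(accounts[label])}")
```

An "unexpected-kerberos" result is the one to investigate first: it means the KDC was not actually stopped on every domain controller, or tickets live longer than assumed.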


