Forcing Clients to use NTLM instead of Kerberos

Guest

Howdy

We are in the middle of an in-place upgrade from NT4 to Windows 2003 AD. We
are using the NT4Emulator key as a transitional step to prevent clients from
using Kerberos for a range of reasons. We are about to neutralize all
machines in our upgraded domain which will mean that all clients will begin
to use Kerberos once their secure channels are reset. We have chosen this
method over simply removing NT4Emulator as it gives us a better back-out
option (i.e. we can selectively back out machines from Kerberos without having
to rejoin the whole fleet to the domain).

My question is - once we remove the Emulator keys from the Domain
Controllers and all the clients are using Kerberos, is there any way we can
force the clients to use NTLM? The reason I ask is that we are concerned that
Kerberos may break some of our key applications and would like to ensure that
once the emulator is removed, we have an alternative to rejoining everything
to the domain.

Regards,
DB
 
Guest

Woops - I forgot to mention that the clients are all Windows XP SP1 which is
why I posted this here instead of to a server newsgroup. Apologies if I have
put this post in the wrong group but I figured it would be a client side
setting....
 
Steven L Umbach

Probably the best newsgroup would be the Active_directory one. Kerberos will
become the default authentication protocol once the clients are Kerberos
capable. One way to do what you need could be to use an ipsec filtering
policy on client or server or Windows Firewall on domain controllers to
prevent access from domain computers in question to port 88 UDP/TCP on the
domain controllers but you would want to make sure that domain controllers
can use Kerberos between each other. --- Steve
 
Guest

Thanks for your suggestion Steven. I will pencil that one in and repost in
the AD group. I was hoping for a nice little client side regkey....

---DB
 