Outlook MAPI Authentication

Guest

I’m sure a concise document exists on MS’s web site regarding my question,
but it eludes me. Feel free to simply post a URL if you have it:

For Outlook 2000 and 2003 clients in MAPI mode, I need to know the following
regarding authentication

1. What is the default authentication type? NTLM? Kerberos? Other?
2. When "NTLM" is listed as the authentication type in Outlook 2003, does
this really mean "NTLM v2.0", or is it seriously NTLM?
3. What is the best method for requiring Kerberos authentication across 2000
and 2003 clients? Since ADM templates exist for both, I assume the
possibility of conflict exists.

Thanks much
 
Ada Pan [MSFT]

Hello customer,

Based on my knowledge, I recommend you reference the following information:

1. Kerberos is the default protocol for Windows 2000 and Windows 2003
whether or not the domain is in mixed or native mode. Thus Kerberos is the
default authentication if you choose 'Kerberos/NTLM Password
Authentication' in Outlook 2003 in a Windows 2003 domain environment.

For more information, please refer to the following article.

Whitepaper on Kerberos in Windows 2000 (Should also apply to Windows 2003)
http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp

2. Yes, it means 'NTLM v2.0'.

3. As far as I know, Outlook 2000 is the standard client for Exchange 5.5, and
Kerberos is not supported in that environment. So we may not choose
Kerberos as the authentication mode in Outlook 2000.

I also copy some information out from the articles for your reference.
However, the websites have in-depth charts that you may want to review.

Kerberos is the default protocol for Windows 2000 and Windows 2003 whether
or not the domain is in mixed or native mode.

Computers with Windows 3.11, Windows 95, Windows 98, or Windows NT 4.0 will
use the NTLM protocol for network authentication in Windows 2000 domains.
Computers running Windows 2000 will use NTLM when authenticating to servers
with Windows NT 4.0 and when accessing resources in Windows NT 4.0 domains.
But the protocol of choice in Windows 2000, when there is a choice, is
Kerberos version 5.

By default, the Windows 2000-based client first tries to use Kerberos
authentication in a Windows 2000 domain if all other computers that are
involved in the logon are also running Windows 2000. For example, a domain
user on a Windows 2000-based client computer will try to use Kerberos
authentication when the user authenticates to a Windows 2000-based domain
controller that is part of the same forest. However, if Kerberos
authentication fails, NTLM is used to authenticate the domain user account.


The default authentication package for Windows Server 2003

The Kerberos V5 protocol became the default authentication package with
Windows 2000. Windows Server 2003 still supports NTLM for non-Kerberos
clients such as the Windows NT Server 4.0 operating system.

Defaulting to Kerberos

NT LAN Manager is the authentication protocol used in Windows NT and in
Windows 2000 work group environments. It is also employed in mixed Windows
2000 Active Directory domain environments that must authenticate Windows NT
systems. Once Windows 2000 is converted to native mode, where no
down-level Windows NT domain controllers exist, NT LAN Manager is disabled.
Kerberos then becomes the default authentication technology for the
enterprise.

Operating System

Kerberos authentication relies on client functionality that is built in to
the Windows Server 2003 operating system, the Microsoft Windows XP
operating system, and the Windows 2000 operating system. If a client,
domain controller, or target server is running an earlier operating system,
it cannot natively use Kerberos authentication.

Local Logon Example

Users can log on to computers with either a domain account or an account
local to the computer. When the user logs on with an account local to the
computer, the user's credentials are authenticated using the local account
database. Because the local computer does not act as a KDC, and because
local logon does not require network access (for example, to contact a
KDC), local authentication uses NTLM to authenticate the account.

How the Kerberos Version 5 Authentication Protocol Works
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_kerb_how.asp

Kerberos Explained:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

White paper discussing Win2K security
http://www.microsoft.com/WINDOWS2000/library/howitworks/security/sectech.asp


Intro to Kerberos
http://www.microsoft.com/technet/404/default.aspx?404;http://www.microsoft.com/TechNet/win2000/win2ksrv/technote/kerberos.asp

Details on aspects of Win2K and their implementation
http://www.microsoft.com/WINDOWS2000/library/howitworks/security/distsecservicces.asp

Kerberos Policies
http://support.microsoft.com/support/kb/articles/Q231/8/49.ASP

Kerberos Administration
http://support.microsoft.com/support/kb/articles/Q232/1/79.ASP

Answers to frequently asked Kerberos questions
http://support.microsoft.com/kb/q266080/

In the meantime, please understand that we focus on providing assistance to
resolve specific break/fix issues. We are happy to provide general
information in regard to this query, and would recommend Microsoft Advisory
Services, a remotely-delivered, consultative support option that adds the
element of proactive support, providing a comprehensive result beyond your
break-fix product maintenance needs. More information on this service
here:

http://support.microsoft.com/gp/advisoryservice

Thank you for your understanding and cooperation.

Regards,

Ada Pan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
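Editor's note: the reply above explains which protocol a client is supposed to negotiate, but it does not show how to verify what actually happened on the wire, which is the check that questions 1 and 2 really need (is it Kerberos, and if NTLM, is it V1 or V2?). The following PowerShell script is an added example, not part of the original thread and not Microsoft's code. It tallies the authentication package recorded per client in the server's Security log. Assumptions: it runs elevated on the server being authenticated to (for example the Exchange server), success auditing for logon events is enabled, and the server uses the Windows Server 2008 or later event schema (event ID 4624 with named EventData fields). Windows 2000/2003, which the thread discusses, logged events 540/528 with a different message layout, so the ID and field names would have to be adjusted there.

```powershell
# Added example, not part of the original thread: report which authentication
# package (Kerberos or NTLM, and for NTLM whether V1 or V2) each client actually
# negotiated against this server, based on the Security event log.
# Assumptions: run elevated on the target server with logon auditing enabled,
# and a Windows Server 2008+ event schema (event ID 4624). The Windows
# 2000/2003 servers discussed in the thread logged 540/528 instead, with a
# different message layout.
param(
    [int]$Hours = 24
)

function ConvertTo-EventFieldTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Read the EventData block by field name rather than by positional index,
    # because the index layout of 4624 has changed between Windows versions.
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

$rows = foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) {
    $f = ConvertTo-EventFieldTable -Event $ev
    # Logon type 3 (network) is what a MAPI client connecting over RPC
    # produces; interactive and service logons are not relevant here.
    if ($f['LogonType'] -ne '3') { continue }

    # Typically 'Kerberos' or 'NTLM' for a network logon.
    $package = $f['AuthenticationPackageName']
    # LmPackageName is only populated for NTLM and distinguishes 'NTLM V1'
    # from 'NTLM V2', which is exactly what question 2 asks about.
    $lmLevel = if ($package -eq 'NTLM') { $f['LmPackageName'] } else { '-' }

    [pscustomobject]@{
        Client  = $f['IpAddress']
        User    = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
        Package = $package
        LmLevel = $lmLevel
    }
}

# One line per (client, package, NTLM level), most frequent first. A client
# that still shows NTLM has not negotiated Kerberos, whatever the Outlook
# logon network security dropdown is set to.
$rows |
    Group-Object Client, Package, LmLevel |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';  e = { $_.Group[0].Client } },
        @{ n = 'Package'; e = { $_.Group[0].Package } },
        @{ n = 'LmLevel'; e = { $_.Group[0].LmLevel } } |
    Format-Table -AutoSize
```

Run it as `.\Get-MapiAuthPackages.ps1 -Hours 48` (the file name is arbitrary) after a representative period of client activity. If every Outlook client shows `Kerberos`, the Kerberos/NTLM setting is doing what the reply says; any client listed under `NTLM` with `NTLM V1` is the case the questioner was worried about and is worth chasing down before relying on the dialog's label.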
 
