Hey everyone! I've heard that Microsoft is going to disable NTLM by default in future OS versions. I'm looking for ways to authenticate using Kerberos for Windows clients that aren't connected to a domain. Is that even possible?
4 Answers
You can actually use Kerberos authentication with domain user accounts, even if your computer isn't joined to the domain. Just make sure you're accessing the share using its fully qualified domain name (FQDN) and log in with the user's User Principal Name (UPN). Just a heads up, your computer will need to maintain connectivity to a domain controller for this to work.
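As an added illustration of the steps in this answer (not part of the original post), here is a PowerShell script for a non-domain-joined client that first checks it can locate a KDC for the domain, then connects to the share by FQDN with the user's UPN, and finally looks at the ticket cache to confirm Kerberos rather than NTLM was used. The domain, server and user names are placeholders, and it assumes tickets obtained with explicit credentials show up in the caller's ticket cache.

```powershell
# Added example, not code from the original answer. Placeholders below must be
# replaced with real values for your environment.
param(
    [string]$Domain   = "corp.example.com",             # placeholder AD DNS domain
    [string]$ShareUnc = "\\fs01.corp.example.com\data", # placeholder share, addressed by FQDN
    [string]$Upn      = "alice@corp.example.com"        # placeholder domain user UPN
)

# 1. Kerberos needs a reachable KDC. Windows finds one through the domain's
#    _kerberos._tcp SRV record, so the client must resolve the domain's DNS.
#    Without this the client never attempts Kerberos and falls back to NTLM.
$kdc = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $kdc) {
    Write-Warning "No _kerberos._tcp.$Domain SRV record found: no KDC, expect NTLM or failure."
    return
}
$kdcNames = ($kdc | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
Write-Host "KDC candidates: $kdcNames"

# 2. Connect using the server's FQDN (not a short name or IP, which would force
#    NTLM) and the user's UPN. The '*' prompts for the password so it is not
#    left in the shell history.
net use $ShareUnc /user:$Upn * | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "net use to $ShareUnc failed (exit code $LASTEXITCODE)."
    return
}

# 3. A Kerberos SMB session leaves a service ticket for cifs/<server FQDN> in
#    the ticket cache; an NTLM session leaves none. Assumption: tickets acquired
#    with explicit credentials are listed by klist for this session.
$server  = ($ShareUnc -split '\\')[2]
$tickets = klist 2>$null
if ($tickets -match ("cifs/" + [regex]::Escape($server))) {
    Write-Host "Ticket for cifs/$server present: SMB session used Kerberos."
} else {
    Write-Warning "No cifs/$server ticket: session most likely fell back to NTLM (check FQDN, UPN and DC reachability)."
}
```

Running it with the server's short name or IP address instead of the FQDN is a quick way to see the NTLM fallback the question is trying to avoid.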
For clients that are Entra joined, there's an option for configuring Cloud Kerberos Trust, which enables SMB authentication. You can find more details on the Microsoft documentation site.
Yes, you can look into using Entra ID for devices that are Entra joined. However, if you're hybrid joined, you might need a VPN or direct line of sight to authenticate. We use this setup for connecting to Azure file shares.
Kerberos requires either a domain or at least a Key Distribution Center (KDC), so in a conventional setup, it might not work without that. You might want to reconsider your authentication architecture instead of just trying to replace NTLM.