Quoting Henrik Nordstrom <henrik_at_henriknordstrom.net>:
> tis 2009-09-08 klockan 17:54 +0200 skrev apmailist_at_free.fr:
>
> > Still, is it possible to present specific autentication schemes depending
> on the
> > useragent ?
>
> Not yet.
>
> > Maybe I didn't explain clearly : it's not the migration process in itself
> that
> > worries us. It's the everyday use of the future AD authentication :
> Accounts
> > getting locked too often.
> > As anybody had such accounts locking problems ? If so, Could they share
> with us
> > how they prevented these lockouts from happening ?
>
> >From what I remember AD allows for bad NTLM logins with an old password
> for quite some time without locking the account, to avoid the issue with
> shares/applications continuing using the old password after the user
> have changed his password.
>
> But if using Negotiate (kerberos) then this pretty much should be a
> non-issue as Kerberos is ticket based and not directly derived from the
> password, or at least that's my understanding.
>
I too was thinking of implementing kerberos, with the assumption (still to be
verified) that those annoying pieces of software going to internet without the
user's full knowledge ( a***e updater for instance ) would not implement this
scheme.
Will keep you posted,
Thanks
Received on Wed Sep 09 2009 - 14:41:21 MDT
This archive was generated by hypermail 2.2.0 : Wed Sep 09 2009 - 12:00:02 MDT