Way to specify Kerberos over NTLM in .NET for file access
Per Microsoft recommendations, our IT director intends to disable NTLM on our domain. When he tried to do so recently, errors were logged and we determined that their source was some of our custom .NET 4.6 apps. The common theme with these apps was that they all use impersonation for certain operations. For example, we copy a file from a place the user does not have access to, then return the context back to the user’s account.
Our code uses the WindowsIdentity.Impersonate function of the System.Security.Principal namespace. It does not appear that this function, or the “LogonUser” Win32 API function it uses, has a way of specifying the authentication method to use (NTLM vs. Kerberos).
Is there an alternative/better way to perform impersonation in .NET, which will either prioritize Kerberos over NTLM or allow us to specify to use Kerberos? Or perhaps is this something that must be handled outside our code?
Thanks