
Hi All

Does Apps 10 (UPD 15) running with Oracle DB Authentication use NTLM?

We do NOT have Active Directory Integration configured, all users are using Oracle DB authentication but we need to understand if the IFS Client needs to authenticate with the NTLM protocol (whether that be v1 or v2).

When looking at logs over the previous 30 days, it appears that both versions are in use between staff laptops and the middleware server and between the middleware server and the Database server.

This might be because the protocols are ‘available’. Whereas if we enforce Kerberos instead (more modern / far more secure), the connections may just use this instead, but we need to get confirmation before we start turning anything off.
 

Thanks in advance

Chris

Hello,

It does not mean that the IFS Client or DB Authentication uses NTLM. At the end of the day, data flows in the network.

NTLM (NT LAN Manager) and Kerberos serve different purposes and are used in different scenarios, though both are authentication protocols in Windows environments. Here's why NTLM is still used alongside or instead of Kerberos:

Historical and Legacy Reasons: NTLM predates Kerberos in Windows environments. It was the primary authentication method in earlier Windows versions (NT 4.0 and earlier), so many legacy systems and applications were built around it. Organizations often maintain NTLM support for backward compatibility.

Network Architecture Differences: NTLM works in workgroup environments where there's no centralized domain controller, while Kerberos requires a Key Distribution Center (KDC) - typically a domain controller. In peer-to-peer networks or isolated systems, NTLM can function without this centralized infrastructure.

Firewall and Network Constraints: Kerberos uses multiple ports (88 for authentication, plus dynamic ports for ticket requests) and requires bidirectional communication with domain controllers. NTLM can work through more restrictive firewall configurations and NAT environments where Kerberos might struggle.

Cross-Domain and Trust Scenarios: In complex multi-domain environments or when dealing with systems that don't have proper trust relationships established, NTLM can sometimes work as a fallback when Kerberos authentication fails.

Application-Specific Requirements: Some applications, particularly older ones, were designed specifically for NTLM authentication and may not support Kerberos. Web applications using IIS integrated authentication sometimes default to NTLM.

Local Authentication: For local machine authentication (logging into a standalone computer), NTLM variants are used since Kerberos requires network-based authentication.

However, it's worth noting that Kerberos is generally preferred in modern domain environments due to its superior security features, including mutual authentication, better encryption, and resistance to certain attacks that NTLM is vulnerable to.

 

Best regards,

Ranil


Hi Ranil

Thanks for your response.

I am still a little unclear whether IFS is using NTLM. Ultimately I am trying to establish whether disabling NTLM on the domain controllers would cause us any issues anywhere in IFS, either for users using EE client / Aurena or on any of the IFS servers?

Regards

Chris


Hi,

Old Oracle versions used NTLM. May I know what the Oracle version is?

Best regards,

Ranil


Hi Ranil

Thanks for coming back, it’s Oracle 19c

Regards

Chris
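
The log review described in the first post, as an added example that is not part of the original thread: it tallies NTLM logons from exported Windows Security event 4624 records by source workstation, account and NTLM version, so the hosts still relying on NTLMv1 or NTLMv2 can be listed before anything is disabled. The field names are those of event 4624; the host names, account names and sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(host, user, pkg, lm):
    # Builds one constructed 4624 (logon) record in the event XML layout.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4624</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="WorkstationName">{host}</Data>'
        f'<Data Name="AuthenticationPackageName">{pkg}</Data>'
        f'<Data Name="LmPackageName">{lm}</Data>'
        "</EventData></Event>"
    )

# Constructed sample: four logon events; all names are made up for illustration.
SAMPLE = "<Events>" + "".join([
    _event("LAPTOP-017", "jsmith", "NTLM", "NTLM V2"),
    _event("IFS-MWS01", "svc_ifs", "NTLM", "NTLM V1"),
    _event("IFS-MWS01", "svc_ifs", "NTLM", "NTLM V1"),
    _event("LAPTOP-022", "akhan", "Kerberos", "-"),
]) + "</Events>"

def ntlm_usage(xml_text):
    """Count NTLM logons per (source workstation, account, NTLM version)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        if data.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue  # Kerberos logons are not part of the NTLM tally
        version = data.get("LmPackageName") or "unknown"
        key = (data.get("WorkstationName", ""), data.get("TargetUserName", ""), version)
        counts[key] += 1
    return counts

def hosts_using(counts, version):
    """Source workstations that logged on with the given NTLM version."""
    return sorted({host for (host, _user, v) in counts if v == version})

if __name__ == "__main__":
    usage = ntlm_usage(SAMPLE)
    for (host, user, version), n in sorted(usage.items()):
        print(f"{host:12} {user:10} {version:8} {n}")
```

The tally identifies source hosts and accounts, not the application that opened the session, so an NTLM logon from a laptop to the middleware server still has to be traced to the process that made it.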

