Quoting Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx>: > tis 2009-09-08 klockan 17:54 +0200 skrev apmailist@xxxxxxx: > > > Still, is it possible to present specific autentication schemes depending > on the > > useragent ? > > Not yet. > > > Maybe I didn't explain clearly : it's not the migration process in itself > that > > worries us. It's the everyday use of the future AD authentication : > Accounts > > getting locked too often. > > As anybody had such accounts locking problems ? If so, Could they share > with us > > how they prevented these lockouts from happening ? > > >From what I remember AD allows for bad NTLM logins with an old password > for quite some time without locking the account, to avoid the issue with > shares/applications continuing using the old password after the user > have changed his password. > > But if using Negotiate (kerberos) then this pretty much should be a > non-issue as Kerberos is ticket based and not directly derived from the > password, or at least that's my understanding. > I too was thinking of implementing kerberos, with the assumption (still to be verified) that those annoying pieces of software going to internet without the user's full knowledge ( a***e updater for instance ) would not implement this scheme. Will keep you posted, Thanks
