The Negotiate security package allows a backwards-compatible compromise that uses Kerberos whenever possible and only reverts to NTLM when there is no other option.
Switching code to use Negotiate instead of NTLM will significantly increase security for our customers while introducing few or no application compatibility issues.
There are some serious drawbacks to this approach, however: the process calling LogonUser requires the SE_TCB_NAME privilege.
I've been looking for something like this for ages...
Here's a chapter from the Application Verifier documentation about why they have a test for code that mistakenly uses NTLM: NTLM is an outdated authentication protocol with flaws that potentially compromise the security of applications and the operating system.
The latter two cases will force Negotiate to fall back to NTLM either directly (the first case) or indirectly (the domain controller will return a “principal not found” error in the second case causing Negotiate to fall back).
The plug-in also logs warnings when it detects downgrades to NTLM; for example, when an SPN is not found by the Domain Controller.
In addition, you may also be required to verify your domain by pasting a validation code into your website's code.
The WHOIS database is an online directory that will provide information on the registrar of domain names.
This needlessly reduces the security of applications.