
Abusing Exchange: One API call away from Domain Admin - jve
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
======
cheschire
Is there some fundamental flaw I don't know about in Kerberos that keeps
people going back to NTLM in this decade?

~~~
jve
Probably one side of the equation is that NTLM just works. For Kerberos, you
mostly have additional effort to manually add an SPN. Moreover, for load-balanced
Exchange, you must deal with an alternate service account:
[https://docs.microsoft.com/en-us/exchange/architecture/clien...](https://docs.microsoft.com/en-us/exchange/architecture/client-access/kerberos-auth-for-load-balanced-client-access?view=exchserver-2019)

~~~
jve
Moreover (I didn't have time to read it yet), it seems that just today there is
a public disclosure which highlights some issues with Kerberos:
[https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)

Don't get me wrong - that's not a case where someone should choose NTLM over
the more secure Kerberos. Just that we should note Kerberos should be configured
appropriately.

------
dang
Url changed from
[https://www.theregister.co.uk/2019/01/25/microsoft_exchange_...](https://www.theregister.co.uk/2019/01/25/microsoft_exchange_domain_admin_eop),
which points to this.

