Kerberos Authentication

Tenable Identity Exposure authenticates to the configured Domain Controller(s) using the credentials you provided. These DCs accept either NTLM or Kerberos authentication. NTLM is a legacy protocol with documented security issues, and Microsoft and all cybersecurity standards now discourage its use. Kerberos, on the other hand, is a more robust protocol that you should consider. Windows always attempts Kerberos first and resorts only to NTLM if Kerberos is not available.

Tenable Identity Exposure is compatible with both NTLM and Kerberos with a few exceptions. Tenable Identity Exposure prioritizes Kerberos as the preferred protocol when it fulfills all the required conditions. This section describes the requirements and shows you how to configure Tenable Identity Exposure to ensure the use of Kerberos.

The use of NTLM instead of Kerberos is also the reason why SYSVOL hardening interferes with Tenable Identity Exposure. For more information, see SYSVOL Hardening Interference with Tenable Identity Exposure.

Compatibility with Tenable Identity Exposure Deployment Modes

Deployment Mode Kerberos Support
On-Premises Yes
SaaS-TLS (legacy) Yes
SaaS with Secure Relay for Tenable Identity Exposure 3.42 Yes
SaaS with VPN No — You must switch your installation to the Secure Relay for Tenable Identity Exposure 3.42 deployment mode.