deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 19:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

clarified SSO is blocked

Browse Source
This commit is contained in:
Justin Hall
2018-04-10 17:31:52 -07:00
parent 870e16f9c2
commit 7c1a333041
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/security/identity-protection/credential-guard/credential-guard-considerations.md
View File

@ -24,7 +24,7 @@ Passwords are still weak. We recommend that in addition to deploying Windows Def
Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported. Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
## Wi-fi and VPN Considerations ## Wi-fi and VPN Considerations
When you enable Windows Defender Credential Guard, you can no longer use NTLM classic deployment model authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
## Kerberos Considerations ## Kerberos Considerations