I'm looking to set up a Kerberos trust between MIT Kerberos5 and Active Directory. However, it's noted in my old Kerberos book from 2003 that "there are several applications, notably Microsoft Exchange (2000 and below), that still use the older NTLM-style authentication."
Fortunately, we don't use MS Exchange, but there's concern that we may miss an important use case that Kerberos doesn't support. I know other organizations in our industry have done a similar setup, and I know they have found workarounds for this, but I haven't found a good list of apps that gave them problems. Can the ServerFault community help me out here? Even anecdotal evidence is appreciated.
EDIT 1: APIs to Active Directory require password changes to be delivered in plaintext rather than hashes. We'd like to remove that requirement from our authentication infrastructure by standing up an MIT realm for user authentication. There are some use cases that might make helpdesk's life easier, but it would be difficult to get other people in IT to agree to a change if it breaks any applications.
I'm not sure what book that is, but Outlook/Exchange can use Kerberos. It is possible to have it use NTLM, perhaps they meant that.
Also note that Windows Server 2003 IIS can use Kerberos, but if unsuccessful, it will attempt NTLM. There really isn't anything that can be done to prevent this except using a custom HTTP module, and it can be frustratingly non-apparent which authentication mechanism is in use.
I believe Windows 2008 R2 IIS introduced a new protocol, Nego2, which enables finer granularity of control over authentication mechanisms (Kerberos and no NTLM).
http://blogs.iis.net/mailant/archive/2009/01/11/iis7-in-windows-server-2008-r2.aspx
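One way to make the negotiated mechanism visible on the server side, as an added example that is not part of this answer: Windows writes the negotiated package into the "Authentication Package" field of Security event 4624, so tallying that field over exported logon events shows which accounts and workstations silently fell back to NTLM. The field names below are the real 4624 ones; the account and host values are constructed.

```python
import re
from collections import Counter

# Constructed sample 4624 message bodies (real field names, made-up values).
SAMPLE_EVENTS = [
    "An account was successfully logged on.\n"
    "Logon Type:\t\t3\n"
    "New Logon:\n\tAccount Name:\t\talice\n\tAccount Domain:\t\tEXAMPLE\n"
    "Network Information:\n\tWorkstation Name:\tWS-ALICE\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n",
    "An account was successfully logged on.\n"
    "Logon Type:\t\t3\n"
    "New Logon:\n\tAccount Name:\t\tbob\n\tAccount Domain:\t\tEXAMPLE\n"
    "Network Information:\n\tWorkstation Name:\tWS-BOB\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\tNtLmSsp \n\tAuthentication Package:\tNTLM\n"
    "\tPackage Name (NTLM only):\tNTLM V2\n",
    "An account was successfully logged on.\n"
    "Logon Type:\t\t3\n"
    "New Logon:\n\tAccount Name:\t\tbob\n\tAccount Domain:\t\tEXAMPLE\n"
    "Network Information:\n\tWorkstation Name:\tWS-BOB\n"
    "Detailed Authentication Information:\n"
    "\tLogon Process:\t\tKerberos\n\tAuthentication Package:\tKerberos\n",
]

# One "Field Name:<tabs>value" line; re.M makes ^ and $ per line.
FIELD_RE = re.compile(
    r"^\s*(Logon Type|Account Name|Account Domain|Workstation Name|"
    r"Authentication Package|Package Name \(NTLM only\)):\s*(.*?)\s*$", re.M)

def parse_event(text):
    """Extract the named fields of one 4624 message body into a dict."""
    return dict(FIELD_RE.findall(text))

def auth_package_summary(events):
    """Count logons per authentication package, e.g. {'Kerberos': 2, 'NTLM': 1}."""
    return Counter(parse_event(e).get("Authentication Package", "?") for e in events)

def ntlm_fallbacks(events):
    """Sorted (DOMAIN\\account, workstation) pairs whose logon negotiated NTLM."""
    hits = set()
    for e in events:
        f = parse_event(e)
        if f.get("Authentication Package") == "NTLM":
            hits.add((f["Account Domain"] + "\\" + f["Account Name"], f["Workstation Name"]))
    return sorted(hits)

if __name__ == "__main__":
    print(auth_package_summary(SAMPLE_EVENTS))
    print(ntlm_fallbacks(SAMPLE_EVENTS))
```

Feed it the message text of real 4624 events (for example exported from the Security log on the IIS host) and any NTLM entries for accounts that should be using Kerberos point at the clients or SPNs to investigate.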
Everything Microsoft does (IIS, SMB2, Exchange, etc.) supports Kerberos nowadays. And in case you're not in a domain, there's fallthrough to something else. What non-Microsoft services are you currently running on the Windows side that you're worried about?
If you had a list of every two-bit app with ten users, it's more than likely most would support little more than hard-coded passwords. And larger apps generally work with the OS for authentication; in that case Kerberos should be supported.
Do you have a more specific use-case?