NTLM authentication is not great. It’s not the fastest. In most cases, that honor would go to Kerberos. It’s not the most secure. Again, Kerberos. It’s not all that flexible. For example, it doesn’t work well for extranets or anything cross-firewall. In those scenarios, Trusted Provider auth (SAML / WS-Fed) works well. See: AD FS.
I find there is much confusion around this topic, so I’ll try to clear it up here. First off, non-imported profiles are well… not imported. They were not created by Profile Sync / AD Import / Sync with External Identity Manager. We also refer to these as “unmanaged”, or “stub” profiles because they typically only
Here’s an example of an error that often occurs during Active Directory Import (aka: ADI, AD Import): ScanDirSyncChanges: Batch-abort Exception in processing response for page ‘7’, exception ‘System.DirectoryServices.Protocols.DirectoryOperationException: An operation error occurred. Under what conditions might this occur? You have an Active Directory group that has over 5,000 members. You may see