Check Primary Authentication Protocol for Active Directory (NTLM or Kerberos?)

38,466

Solution 1

Greg's answer is alright, but your question specifically states that you want to check this from the client, not from the domain controller. So I'll take a crack at it.

First way, enable Kerberos logging on your client:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    LogLevel DWORD 0x1

Once Kerberos logging is enabled, then, log into stuff and watch the event log. If you're using Kerberos, then you'll see the activity in the event log. If you are passing your credentials and you don't see any Kerberos activity in the event log, then you're using NTLM.

Second way, you can use the klist.exe utility to see your current Kerberos tickets. This will definitely help you if you are authenticating to a service for the first time, because you will be getting a new ticket... but for subsequent authentications to the same service, you can reuse the same ticket, and so klist.exe may be of limited use to you.

Third way, watch the authentication happen with Wireshark.

Solution 2

One way would be to check the domain controller Security event log for Event ID 4624 (logon) events, where the AuthenticationPackageName is NTLM or Kerberos. You should also verify that your Domain Controllers have auditing enabled, and are capturing the required auditing events.

You can create custom Event Viewer filters to make this easier, and filter on other fields like the username or workstation name:

<QueryList>  
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] = "NTLM"] and System[(EventID=4624)]]</Select>
  </Query> 
</QueryList>  


<QueryList>  
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] = "Kerberos"] and System[(EventID=4624)]]</Select>
  </Query> 
</QueryList> 

NTLM

Kerberos
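As an added example that is not part of either answer above: the same Event ID 4624 filter run from PowerShell on a domain controller, tallying logons by authentication package, account and workstation so a single account or workstation can be checked quickly. The parameter names, the 24-hour default window and the output columns are my assumptions, not anything from the original post.

```powershell
# Added example: summarise Security 4624 logon events by AuthenticationPackageName.
# Run in an elevated PowerShell session on the domain controller (or point
# -ComputerName at one). Assumes logon auditing is enabled, as the answer notes.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,          # assumed default lookback window
    [string]$User = '*'        # TargetUserName pattern, e.g. 'jsmith'
)

# Same XPath shape as the Event Viewer filters above, plus a time window.
$xpath = "*[System[(EventID=4624) and TimeCreated[timediff(@SystemTime) <= $($Hours * 3600000)]]]"

Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction Stop |
  ForEach-Object {
    # Read EventData by field name rather than by positional index.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $d.TargetUserName
        Domain      = $d.TargetDomainName
        Workstation = $d.WorkstationName
        SourceIP    = $d.IpAddress
        LogonType   = $d.LogonType
        Package     = $d.AuthenticationPackageName   # 'NTLM' or 'Kerberos'
        LmPackage   = $d.LmPackageName               # 'NTLM V1' / 'NTLM V2' when Package is NTLM
    }
  } |
  Where-Object { $_.User -like $User } |
  Group-Object -Property Package, User, Workstation |
  Sort-Object Count -Descending |
  Select-Object Count, Name
```

Group names read "Package, User, Workstation", so a line such as "NTLM, jsmith, WS01" shows at a glance which clients are still falling back to NTLM; the LmPackage column separates NTLMv1 from NTLMv2 if you need that detail.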

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    How can I check, from a client machine (in a Global Group, and also a local admin), whether the domain controller is authenticating my login request to the domain using NTLM or Kerberos?

    I know that Kerberos is enabled by default, but the domain Admin can always force clients to auth with other Protocols. So I just want to be sure which protocol they are using. Are there any methods to check?

    Any help would be appreciated

  • Ryan Ries
    Ryan Ries about 9 years
    Sorry sir but it appears that you didn't answer his question.
  • GuitarPicker
    GuitarPicker about 9 years
    My answer was that by disabling NTLM the OP could determine whether or not the admin had Kerberos blocked or vice versa. Do I need to also explain how to disable NTLM for this to be considered an answer?
  • Ryan Ries
    Ryan Ries about 9 years
    OP never mentioned disabling anything, and disabling NTLM completely isn't even feasible in most scenarios.
  • mfinni
    mfinni about 9 years
    It's technically correct that if you force authentication to only one protocol, by definition you will know what protocol is in use. That is not a very useful answer, of course.
  • GuitarPicker
    GuitarPicker about 9 years
    I understand that disabling NTLM completely may break some programs, but it is still a valid way to temporarily test to see if the domain admin is forcing authentication using some other protocol which is what the OP is trying to determine. If the OP disables NTLM and suddenly can't authenticate, then the admin is most likely forcing NTLM. Likewise if disabling Kerberos instead breaks login, then the admin may be forcing Kerberos. If neither breaks login, then the admin accepts both, and it may be trickier to determine which one is preferred.