Link to home
Create AccountLog in
Avatar of ainselyb
ainselyb

asked on

How do I tell if Kerberos is being used for AD authentication on Windows 2000 and 2003 domain?

How do I tell if Kerberos is being used for AD authentication on Windows 2000 and 2003 domain?
ASKER CERTIFIED SOLUTION
Avatar of LauraEHunterMVP
LauraEHunterMVP
Flag of United States of America image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
Avatar of Brian Pierce
If you want to prevent storage of weak NLTM cached credentials see http://support.microsoft.com/kb/299656
Avatar of DavidBCS
DavidBCS

Kerberos is enabled by default, but if it is running you should see a Group Policy setting to enforce client logon restrictions. The location is Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies/Kerberos Policy and the Enforce User Logon Restrictions setting should be Enabled.

Regards
Look in the security event log.  If you are auditing for successful logins you will see when Kerberos is being used and when NTLM is being used.
As Laura mentions, Kerberos will be used by default since it's the default SSP (security support provider).  

Even uplevel clients will use NTLM, however, when talking to devices referenced by IP addresses instead of names, when authenticating against non-domain-joined Windows computers, when crossing externals trusts or when crossing domain/forest boundaries where no trust exists at all.

To determine if Kerberos was used, simply look for the ticket either through its actuall issuance by reviewing event logs on the KDCs (can be cumbersome in larger environments -- depends on the tools at hand) or by examining the local ticket cache on the client in question using say KLIST.EXE or KERBTRAY.EXE.