How do I tell if Kerberos is being used for AD authentication on Windows 2000 and 2003 domain?

Posted on 2007-10-04
Last Modified: 2008-05-30
Question by:ainselyb

Accepted Solution

LauraEHunterMVP earned 2000 total points
ID: 20014484
As long as there are no down-level clients or member servers that can only use NTLM (Windows NT, Windows 95/98), and as long as all communication is taking place between domain-joined machines, Kerberos is the default authentication mechanism in 2000/2003 AD and will be used at all times.  Down-level clients and/or clients that are joined to a workgroup or an untrusted remote domain will authenticate using NTLM.

Expert Comment

ID: 20014572
If you want to prevent storage of weak NTLM cached credentials see http://support.microsoft.com/kb/299656

Expert Comment

ID: 20014917
Kerberos is enabled by default, but if it is running you should see a Group Policy setting to enforce client logon restrictions. The location is Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies/Kerberos Policy and the Enforce User Logon Restrictions setting should be Enabled.


Expert Comment

ID: 20015220
Look in the security event log.  If you are auditing for successful logins you will see when Kerberos is being used and when NTLM is being used.

Expert Comment

ID: 20015925
As Laura mentions, Kerberos will be used by default since it's the default SSP (security support provider).  

Even uplevel clients will use NTLM, however, when talking to devices referenced by IP addresses instead of names, when authenticating against non-domain-joined Windows computers, when crossing external trusts or when crossing domain/forest boundaries where no trust exists at all.

To determine if Kerberos was used, simply look for the ticket either through its actual issuance by reviewing event logs on the KDCs (can be cumbersome in larger environments -- depends on the tools at hand) or by examining the local ticket cache on the client in question using, say, KLIST.EXE or KERBTRAY.EXE.
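The two comments above (check the security event log for successful logons, and look at which package was used) can be turned into a repeatable check. The script below is an added example and is not code from the original thread or from any of its posters. It assumes a domain controller or member server whose security log contains the Windows Server 2008+ logon event 4624, which carries an "Authentication Package Name" field set to Kerberos, NTLM or Negotiate; on Windows 2000/2003 the equivalent successful-logon events are 528/540 and their description text carries the same "Authentication Package" line, so the same grouping can be done by hand. The function and parameter names are the example's own.

```powershell
# Added example: summarise successful logons by authentication package so that
# Kerberos and NTLM use can be compared, then list the NTLM logons with the
# workstation and source address they came from (down-level clients, machines
# addressed by IP, workgroup or untrusted-domain hosts, as the thread explains).
# Assumes event 4624 (Windows Server 2008 or later); names are the example's own.

function Get-LogonRecord {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )
    # 4624 = "An account was successfully logged on" in the Security log.
    $filter = @{ LogName = 'Security'; Id = 4624 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        # Read the EventData fields by name rather than by position.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType                 # 2 interactive, 3 network, ...
            AuthPackage = $d.AuthenticationPackageName # Kerberos, NTLM or Negotiate
            LmPackage   = $d.LmPackageName             # "NTLM V1"/"NTLM V2" when NTLM was used, "-" otherwise
            Workstation = $d.WorkstationName
            Source      = $d.IpAddress
        }
    }
}

function Get-AuthPackageSummary {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    # Count of successful logons per package: if NTLM is zero, Kerberos is
    # carrying all authentication that this host has seen in the sample.
    Get-LogonRecord -ComputerName $ComputerName -MaxEvents $MaxEvents |
        Group-Object AuthPackage |
        Select-Object @{ n = 'AuthPackage'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

function Get-NtlmLogonSource {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 5000)
    # Who is still authenticating with NTLM, from where, and with which variant.
    # Computer accounts (names ending in $) are excluded so user logons stand out.
    Get-LogonRecord -ComputerName $ComputerName -MaxEvents $MaxEvents |
        Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.User -notmatch '\$$' } |
        Group-Object User, Workstation, Source, LmPackage |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User        = $first.User
                Workstation = $first.Workstation
                Source      = $first.Source
                LmPackage   = $first.LmPackage
                Logons      = $_.Count
                LastSeen    = ($_.Group | Measure-Object Time -Maximum).Maximum
            }
        } | Sort-Object Logons -Descending
}

# Usage (run in an elevated session with rights to read the Security log):
#   Get-AuthPackageSummary -ComputerName DC01 | Format-Table -AutoSize
#   Get-NtlmLogonSource   -ComputerName DC01 | Format-Table -AutoSize
```

Run the summary against each domain controller, since a client's logon is recorded on whichever DC handled it. A workstation that shows only Kerberos in these tables can be cross-checked from its own side with the client-side ticket cache the comment mentions: `klist tickets` on a current Windows client (KLIST.EXE from the Support Tools on Windows 2000/2003) lists the TGT and service tickets currently held, and an empty cache for a user who has just accessed a server is itself a sign that the access fell back to NTLM.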
