How do I tell if Kerberos is being used for AD authentication on Windows 2000 and 2003 domain?

Posted on 2007-10-04
Last Modified: 2008-05-30
Question by: ainselyb

    Accepted Solution

    As long as there are no down-level clients or member servers that can only use NTLM (Windows NT, Windows 95/98), and as long as all communication is taking place between domain-joined machines, Kerberos is the default authentication mechanism in 2000/2003 AD and will be used at all times. Down-level clients and/or clients that are joined to a workgroup or an untrusted remote domain will authenticate using NTLM.

    Expert Comment

    If you want to prevent storage of weak NTLM cached credentials see

    Expert Comment

    Kerberos is enabled by default, but if it is running you should see a Group Policy setting to enforce client logon restrictions. The location is Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies/Kerberos Policy and the Enforce User Logon Restrictions setting should be Enabled.


    Expert Comment

    Look in the security event log. If you are auditing for successful logins you will see when Kerberos is being used and when NTLM is being used.

    Expert Comment

    As Laura mentions, Kerberos will be used by default since it's the default SSP (security support provider).

    Even uplevel clients will use NTLM, however, when talking to devices referenced by IP addresses instead of names, when authenticating against non-domain-joined Windows computers, when crossing external trusts or when crossing domain/forest boundaries where no trust exists at all.

    To determine if Kerberos was used, simply look for the ticket either through its actual issuance by reviewing event logs on the KDCs (can be cumbersome in larger environments -- depends on the tools at hand) or by examining the local ticket cache on the client in question using say KLIST.EXE or KERBTRAY.EXE.
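The two checks suggested in this thread (audit the security event log for the authentication package, and inspect the client's Kerberos ticket cache) can be scripted. The PowerShell below is an added example, not code from any of the posters. It assumes a Windows Vista/Server 2008 or later host, where successful logons are event ID 4624 and the package name is a named field; on Windows 2000/2003 the equivalent events are 528 (interactive) and 540 (network) and the "Authentication Package:" value sits in the message text instead, so the parsing would need to change. It also assumes the built-in `klist` command is present (on Windows 2003 it came from the Resource Kit).

```powershell
# Added example: classify recent successful logons by authentication package (Kerberos vs NTLM).
# Assumption: event ID 4624 (Vista/2008+). Run on a domain controller to see network logons
# against it, or on a member server to see who is authenticating to that box.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 5000

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType                  # 2 interactive, 3 network, 10 RDP, ...
        Package     = $d.AuthenticationPackageName  # 'Kerberos', 'NTLM' or 'Negotiate'
        Source      = $d.IpAddress
        Workstation = $d.WorkstationName
    }
}

# Summary: how much of the recent logon traffic was Kerberos versus NTLM
$rows | Group-Object Package | Select-Object Name, Count | Sort-Object Count -Descending

# Detail on the NTLM logons, with the source address and workstation, so you can match them
# against the causes above (IP-addressed targets, non-domain-joined hosts, external trusts).
$rows | Where-Object { $_.Package -eq 'NTLM' } |
    Select-Object Time, User, LogonType, Source, Workstation |
    Format-Table -AutoSize

# Client-side check: list the service principals in the local Kerberos ticket cache.
# Assumption: English 'klist' output, where each ticket has a 'Server:' line.
$tickets = klist tickets 2>$null
$spns = $tickets | Where-Object { $_ -match 'Server:\s*(\S+)' } | ForEach-Object { $Matches[1] }
if ($spns) {
    "Kerberos tickets held for:"
    $spns | Sort-Object -Unique
} else {
    "No Kerberos tickets in the cache (no TGT yet, or this session authenticated with NTLM)."
}
```

A `krbtgt/DOMAIN` entry in the ticket list is the TGT and shows the session itself was authenticated with Kerberos; a `cifs/server` or `host/server` entry shows a service ticket was obtained for that resource, which is exactly the ticket the last paragraph says to look for.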
