ainselyb
asked on
How do I tell if Kerberos is being used for AD authentication on Windows 2000 and 2003 domain?
If you want to prevent storage of weak NTLM cached credentials see http://support.microsoft.com/kb/299656
Kerberos is enabled by default, but if it is running you should see a Group Policy setting to enforce client logon restrictions. The location is Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies/Kerberos Policy and the Enforce User Logon Restrictions setting should be Enabled.
Regards
Look in the security event log. If you are auditing for successful logins you will see when Kerberos is being used and when NTLM is being used.
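As an added illustration of the event-log approach above (this is example code, not part of the original answer), the script below tallies successful-logon audit records by their "Authentication Package" field and lists the ones that fell back to NTLM. The sample records are constructed and laid out like the message body of Windows 2000/2003 events 528/540 (the later 4624 event carries the same field), so the exact field names are an assumption for illustration.

```python
import re
from collections import Counter

# Constructed sample of successful-logon audit records, laid out like the
# message body of Windows 2000/2003 event 528 (interactive) / 540 (network).
# These are not real log lines from any system.
SAMPLE_LOG = """\
Event ID: 528
User Name: alice
Domain: CONTOSO
Logon Type: 2
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: WS01

Event ID: 540
User Name: bob
Domain: CONTOSO
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WS02

Event ID: 540
User Name: svc-backup
Domain: CONTOSO
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: FS01

Event ID: 540
User Name: carol
Domain: CONTOSO
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: WS03
"""


def parse_events(text):
    """Split a text export into records; each record is a dict of 'Field: value'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def summarize(text):
    """Count logons per authentication package and list the NTLM ones.

    A Kerberos entry proves the KDC issued a ticket for that logon; an NTLM
    entry is what you get when a client could not (or did not) use Kerberos,
    e.g. against a host referenced by IP or outside any trust.
    """
    events = parse_events(text)
    counts = Counter(e.get("Authentication Package", "unknown") for e in events)
    ntlm_logons = [
        {"user": e.get("User Name"), "workstation": e.get("Workstation Name"),
         "logon_type": e.get("Logon Type")}
        for e in events
        if e.get("Authentication Package", "").upper() == "NTLM"
    ]
    return {"counts": dict(counts), "ntlm_logons": ntlm_logons}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("Logons by package:", report["counts"])
    for entry in report["ntlm_logons"]:
        print("NTLM fallback:", entry)
```

Run it against a text export of the security log (or a DC's log if you audit at the KDC) and the NTLM list tells you which user/workstation pairs to look at more closely.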
As Laura mentions, Kerberos will be used by default since it's the default SSP (security support provider).
Even uplevel clients will use NTLM, however, when talking to devices referenced by IP addresses instead of names, when authenticating against non-domain-joined Windows computers, when crossing external trusts or when crossing domain/forest boundaries where no trust exists at all.
To determine if Kerberos was used, simply look for the ticket either through its actual issuance by reviewing event logs on the KDCs (can be cumbersome in larger environments -- depends on the tools at hand) or by examining the local ticket cache on the client in question using, say, KLIST.EXE or KERBTRAY.EXE.
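As an added example of the ticket-cache check mentioned above (example code, not from the original answer), the script below parses KLIST.EXE output and reports whether the client actually holds a TGT for the realm, which service tickets it has, and which of them were issued with RC4. The sample output is constructed and laid out like the modern Windows `klist` listing; the Resource Kit klist shipped for Windows 2000/2003 prints the same information in a slightly different layout, so the field names are an assumption for illustration.

```python
import re

# Constructed sample of a client ticket cache, laid out like the output of
# "klist" on current Windows versions. Not captured from a real machine.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent
        Start Time: 1/1/2024 9:00:00 (local)
        End Time:   1/1/2024 19:00:00 (local)
        Renew Time: 1/8/2024 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: DC01.contoso.com

#1>     Client: alice @ CONTOSO.COM
        Server: cifs/fs01.contoso.com @ CONTOSO.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent
        Start Time: 1/1/2024 9:05:00 (local)
        End Time:   1/1/2024 19:00:00 (local)
        Renew Time: 1/8/2024 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Kdc Called: DC01.contoso.com
"""

ENTRY = re.compile(r"^#\d+>", re.M)


def parse_klist(text):
    """Return one dict per cached ticket, keyed by its 'Field: value' lines."""
    tickets = []
    for block in ENTRY.split(text)[1:]:  # drop the header before "#0>"
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:  # lines without a colon (e.g. "Ticket Flags ...") are skipped
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets


def has_tgt(tickets, realm):
    """A krbtgt/<REALM> entry means the KDC really issued this client a TGT."""
    wanted = f"krbtgt/{realm} @ {realm}".upper()
    return any(t.get("Server", "").upper() == wanted for t in tickets)


def service_tickets(tickets):
    """Service principals (non-TGT) the client currently holds tickets for."""
    return [t["Server"].split(" @ ")[0] for t in tickets
            if "Server" in t and not t["Server"].lower().startswith("krbtgt/")]


def rc4_tickets(tickets):
    """Tickets still issued with RC4; useful when moving the domain to AES-only."""
    return [t["Server"].split(" @ ")[0] for t in tickets
            if "RC4" in t.get("KerbTicket Encryption Type", "").upper()]


if __name__ == "__main__":
    cache = parse_klist(SAMPLE_KLIST)
    print("TGT for CONTOSO.COM:", has_tgt(cache, "CONTOSO.COM"))
    print("Service tickets:", service_tickets(cache))
    print("RC4 tickets:", rc4_tickets(cache))
```

Feed it the saved output of `klist` (or `klist tickets` on the Resource Kit version) from the client in question; no TGT in the cache after a fresh domain logon is a strong sign that the client is authenticating with NTLM instead.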