How do I tell if Kerberos is being used for AD authentication on Windows 2000 and 2003 domain?

ainselyb Asked:
 
LauraEHunter (MVP) Commented:
As long as there are no down-level clients or member servers that can only use NTLM (Windows NT, Windows 95/98), and as long as all communication is taking place between domain-joined machines, Kerberos is the default authentication mechanism in 2000/3 AD and will be used at all times. Down-level clients and/or clients that are joined to a workgroup or an untrusted remote domain will authenticate using NTLM.
0
 
Brian Pierce (Photographer) Commented:
If you want to prevent storage of weak NTLM cached credentials, see http://support.microsoft.com/kb/299656
0
 
DavidBCS Commented:
Kerberos is enabled by default, but if it is running you should see a Group Policy setting to enforce client logon restrictions. The location is Default Domain Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Account Policies/Kerberos Policy and the Enforce User Logon Restrictions setting should be Enabled.

Regards
0
 
ocon827679 Commented:
Look in the security event log.  If you are auditing for successful logins you will see when Kerberos is being used and when NTLM is being used.
0
 
MSE-dwells Commented:
As Laura mentions, Kerberos will be used by default since it's the default SSP (security support provider).  

Even uplevel clients will use NTLM, however, when talking to devices referenced by IP addresses instead of names, when authenticating against non-domain-joined Windows computers, when crossing external trusts or when crossing domain/forest boundaries where no trust exists at all.

To determine if Kerberos was used, simply look for the ticket either through its actual issuance by reviewing event logs on the KDCs (can be cumbersome in larger environments -- depends on the tools at hand) or by examining the local ticket cache on the client in question using, say, KLIST.EXE or KERBTRAY.EXE.
0
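
The event-log check suggested in the comments above, as an added example (not code from any participant in this thread): it reads Security-log logon records in the Windows 2000/2003 layout (event IDs 528 and 540) and reports which authentication package each one used. The sample records, user names and workstation names are constructed, and the field names assume an English-language log export.

```python
from collections import Counter

# Successful-logon event IDs in the 2000/2003 Security log: 528 = logon, 540 = network logon.
LOGON_EVENT_IDS = {528, 540}

def make_record(user, process, package, workstation):
    """Build a constructed description in the 'Name: value' layout."""
    return (f"User Name: {user}\nDomain: CORP\nLogon Process: {process}\n"
            f"Authentication Package: {package}\nWorkstation Name: {workstation}")

# Constructed sample (event ID, description); not from a real system.
SAMPLE_EVENTS = [
    (540, make_record("alice", "Kerberos", "Kerberos", "")),
    (540, make_record("bob", "NtLmSsp", "NTLM", "WS042")),
    (528, make_record("carol", "User32", "Negotiate", "WS017")),
    (538, "User Logoff:\nUser Name: alice\nDomain: CORP\nLogon Type: 3"),
]

def parse_fields(description):
    """Turn 'Name: value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify(event_id, description):
    """Return (user, protocol, workstation) for a logon event, else None."""
    if event_id not in LOGON_EVENT_IDS:
        return None
    f = parse_fields(description)
    package = f.get("Authentication Package", "").upper()
    if package == "KERBEROS":
        protocol = "Kerberos"
    elif package in ("NTLM", "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"):
        protocol = "NTLM"
    else:  # e.g. Negotiate: the record does not name the protocol chosen
        protocol = "undetermined"
    return f.get("User Name", ""), protocol, f.get("Workstation Name", "")

def summarize(events):
    """Count logons per protocol and list the NTLM ones for follow-up."""
    tally, ntlm = Counter(), []
    for user, protocol, workstation in filter(None, (classify(*e) for e in events)):
        tally[protocol] += 1
        if protocol == "NTLM":
            ntlm.append((user, workstation))
    return tally, ntlm
```

A record whose package is Negotiate does not say which protocol was selected; the client's ticket cache, as mentioned in the last comment, settles those cases.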
Question has a verified solution.
