How do you go about checking that an IIS website is successfully using Kerberos and not falling back on NTLM?
+1
A:
The easiest way that I can think of is to use wireshark to watch the network packets and verify that your IIS server is requesting Kerberos Tickets from your DC.
Alan
2008-11-25 04:58:17
Wow. Details please... when you fire up wireshark, what do you look for in the traffic to see that it is NTLM or KERBEROS?
eidylon
2009-08-06 20:19:22
A:
One way I found to test in code that you are using Kerberos is that that the HTTP_AUTHORIZATION header for NTLM always starts with the following:
Negotiate TlRMTVNTUA
If the header doesn't start with text then the browser is authenticating using Kerberos.
James Newton-King
2008-11-25 23:24:27
A:
Well, Negotiate can also be Kerberos, because it is a wrapper over Kerberos and NTLM. Like other guys said, Wireshark (or Network Monitor) and Security event log will not cheat you.
Lex Li
2008-11-29 11:31:07
+1
A:
Fiddler2 will indicate if the authentication header is NTLM vs Kerberos.
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
60 82 13 7B 06 06 2B 06 01 05 05 02 A0 82 13 6F `.{..+..... .o
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A ¡ 0 ....¡...*
Christopher_G_Lewis
2009-03-03 03:58:19
A:
I use the security log in the event viewer to check like someone already mentioned. Here is a successful kerb auth:
Successful Network Logon:
User Name: {Username here}
Domain: {Domain name here}
Logon ID: (0x0,0x########)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {########-####-####-####-############}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
jsw
2009-03-03 04:09:28