How do you go about checking that an IIS website is successfully using Kerberos and not falling back on NTLM?
The easiest way that I can think of is to use Wireshark to watch the network packets and verify that your IIS server is requesting Kerberos tickets from your DC.
One way I found to test in code that you are using Kerberos is that the HTTP_AUTHORIZATION header for NTLM always starts with the following:
Negotiate TlRMTVNTUA
If the header doesn't start with that text then the browser is authenticating using Kerberos.
Well, Negotiate can also be Kerberos, because it is a wrapper over Kerberos and NTLM. Like other guys said, Wireshark (or Network Monitor) and Security event log will not cheat you.
Fiddler2 will indicate if the authentication header is NTLM vs Kerberos.
Authorization Header (Negotiate) appears to contain a Kerberos ticket:
60 82 13 7B 06 06 2B 06 01 05 05 02 A0 82 13 6F `.{..+..... .o
WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A ¡ 0 ....¡...*
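The header checks discussed in the answers above, combined into one classifier. This is an added example, not code from any of the original posts. It decodes the Authorization value and separates raw NTLM (the `TlRMTVNTUA` prefix), NTLM wrapped inside SPNEGO, and a real Kerberos AP-REQ. The names `classify`, `tlv` and `sample_header` are hypothetical, the sample tokens are constructed rather than captured, and the check is a byte-pattern heuristic, not a full ASN.1 parse.

```python
import base64

SPNEGO_OID = bytes.fromhex("06062b0601050502")          # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # DER OID 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")    # DER OID 1.3.6.1.4.1.311.2.2.10
KRB5_AP_REQ = KRB5_OID + b"\x01\x00"   # Kerberos mech OID followed by the AP-REQ token id
NTLMSSP_SIG = b"NTLMSSP\x00"           # base64-encodes to the "TlRMTVNTUA" prefix


def classify(header_value):
    """Return (mechanism, framing) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return ("ntlm", "raw")
    if scheme.lower() != "negotiate":
        return ("unknown", "not-negotiate")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return ("unknown", "bad-base64")
    if token.startswith(NTLMSSP_SIG):
        return ("ntlm", "raw")                  # the case the prefix check catches
    if token[:1] != b"\x60":                    # not a GSS-API initial token
        return ("unknown", "not-gssapi")
    framing = "spnego" if SPNEGO_OID in token[:16] else "gssapi"
    if KRB5_AP_REQ in token:
        return ("kerberos", framing)            # a Kerberos AP-REQ is present
    if NTLMSSP_SIG in token:
        return ("ntlm", framing)                # NTLM carried inside SPNEGO
    return ("unknown", framing)


def tlv(tag, body):
    """Sample-building helper: DER TLV, short-form length only (body < 128 bytes)."""
    return bytes([tag, len(body)]) + body


def sample_header(mech_oids, mech_token):
    """Build a constructed SPNEGO NegTokenInit header (not captured traffic)."""
    init = tlv(0x30, tlv(0xA0, tlv(0x30, mech_oids)) + tlv(0xA2, tlv(0x04, mech_token)))
    blob = tlv(0x60, SPNEGO_OID + tlv(0xA0, init))
    return "Negotiate " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    fake_ap_req = tlv(0x60, KRB5_AP_REQ + b"\x6e\x00")   # placeholder ticket body
    print(classify(sample_header(KRB5_OID + NTLM_OID, fake_ap_req)))
    print(classify(sample_header(NTLM_OID, NTLMSSP_SIG + b"\x01\x00\x00\x00")))
    print(classify("Negotiate TlRMTVNTUAABAAAA"))
```

The second sample does not start with `TlRMTVNTUA` yet is still NTLM, which is why the prefix test alone cannot confirm Kerberos.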
I use the security log in the event viewer to check like someone already mentioned. Here is a successful kerb auth:
Successful Network Logon:
User Name: {Username here}
Domain: {Domain name here}
Logon ID: (0x0,0x########)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {########-####-####-####-############}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.