How do you go about checking that an IIS website is successfully using Kerberos and not falling back on NTLM?

+1  A: 

The easiest way that I can think of is to use Wireshark to watch the network packets and verify that your IIS server is requesting Kerberos tickets from your DC.

Alan
Wow. Details please... when you fire up Wireshark, what do you look for in the traffic to see that it is NTLM or KERBEROS?
eidylon
+1  A: 

You can check the security log in the event viewer of the web server.

You can also launch KerbTray on the client machine and check if it's using the correct SPN. KerbTray is available here (don't worry, it's not Win2000 only).

Nico
A: 

One way I found to test in code that you are using Kerberos is that the HTTP_AUTHORIZATION header for NTLM always starts with the following:

    Negotiate TlRMTVNTUA

If the header doesn't start with that text then the browser is authenticating using Kerberos.

James Newton-King
A: 

Well, Negotiate can also be Kerberos, because it is a wrapper over Kerberos and NTLM. Like other guys said, Wireshark (or Network Monitor) and Security event log will not cheat you.

Lex Li
+1  A: 

Fiddler2 will indicate if the authentication header is NTLM vs Kerberos.

    Authorization Header (Negotiate) appears to contain a Kerberos ticket:
    60 82 13 7B 06 06 2B 06 01 05 05 02 A0 82 13 6F  `‚.{..+..... ‚.o

    WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
    A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A  ¡ 0 ....¡...*

Christopher_G_Lewis
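
Added example (not part of any answer here, and not the posters' code): the header checks described in the answers above, done in Python by decoding the Negotiate token and looking for the NTLMSSP signature or the first mechanism OID inside the SPNEGO wrapper. The function names are hypothetical, the sample headers are constructed rather than captured, and the OIDs are the standard SPNEGO, Kerberos 5 and NTLMSSP identifiers.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"   # its base64 form is the "TlRMTVNTUA..." prefix
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"),   # 1.2.840.113554.1.2.2
             bytes.fromhex("2a864882f712010202"))   # 1.2.840.48018.1.2.2 (MS)
NTLM_OID = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2

def elements(buf):
    """Yield (tag, value) per DER element; a truncated tail is tolerated."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                       # long-form length: next k bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        yield tag, buf[pos:pos + n]
        pos += n

def first_mech(buf):
    """Depth-first search for the first mechanism marker in a token."""
    for tag, val in elements(buf):
        if tag == 0x06 and val in KRB5_OIDS:
            return "Kerberos"
        if (tag == 0x06 and val == NTLM_OID) or val.startswith(NTLMSSP):
            return "NTLM"
        found = first_mech(val) if tag & 0x20 or tag == 0x04 else None
        if found:
            return found
    return None

def classify(header):
    """Classify an Authorization / WWW-Authenticate header value."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "NTLM" if scheme.lower() == "ntlm" else "other"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    return "NTLM" if tok.startswith(NTLMSSP) else first_mech(tok) or "unknown"

def der(tag, body):                        # short-form encoder for the samples
    return bytes([tag, len(body)]) + body

def constructed_samples():                 # built here, not captured traffic
    hdr = lambda tok: "Negotiate " + base64.b64encode(tok).decode()
    spnego = lambda oids, inner: der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30,
        der(0xA0, der(0x30, b"".join(der(0x06, o) for o in oids))) + der(0xA2, der(0x04, inner)))))
    krb, ntlm = der(0x60, der(0x06, KRB5_OIDS[0]) + bytes(18)), NTLMSSP + b"\x01\0\0\0" + bytes(24)
    return {"krb": hdr(spnego(KRB5_OIDS + (NTLM_OID,), krb)),
            "ntlm_spnego": hdr(spnego((NTLM_OID,), ntlm)), "ntlm_raw": hdr(ntlm)}
```

A 16-byte prefix like the Fiddler dumps above is not enough to decide: the mechanism OIDs sit further into the token, so `classify` returns "unknown" for it.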
A: 

I use the security log in the event viewer to check like someone already mentioned. Here is a successful kerb auth:

    Successful Network Logon:
    User Name: {Username here}
    Domain: {Domain name here}
    Logon ID: (0x0,0x########)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {########-####-####-####-############}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: -
    Source Port: -

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

jsw