How do you find out if Active Directory is using Kerberos or NTLM?

Is there a command line program you can use?


Solution 1:

I think the question should be twisted on its head. Active Directory supports both Kerberos and NTLM. Windows will first try Kerberos and, if all requirements are not met, it will fall back to NTLM.

I will give you an example: accessing a file share by name, like \\server1\share, would invoke Kerberos and should succeed given proper permission. But accessing the same file share using its IP address would invoke Kerberos first and fail (as there is no SPN for an IP address) and then fail over to NTLM.

So determine how your program is trying to authenticate against AD, and that should tell you which protocol is being used.

I would be curious to know what prompted you to ask this question.

Solution 2:

You can view the list of active Kerberos tickets to see if there is one for the service of interest, e.g. by running klist.exe.

There's also a way to log Kerberos events if you hack the registry.

Solution 3:

You should really be auditing logon events, whether the computer is a server or a workstation. It's helpful for figuring out which users are accessing your system, and for troubleshooting security-related issues.

You can modify your Audit Policy with Group Policy: Start...Run...gpedit.msc...Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, "Audit logon events". Check the "Success" and "Failure" check boxes. Try logging out and logging in to see some typical 540 events in your Windows Security Event Log.
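Building on the auditing approach in Solution 3 and the protocol-fallback behaviour described in Solution 1, here is an added PowerShell example (not from any of the answers above) that reads the Security log and tallies logon events by authentication package, so you can see whether Kerberos or NTLM was actually used. It assumes Windows Vista / Server 2008 or later, where the successful-logon event is ID 4624 rather than the 540 event mentioned above, and that it is run with rights to read the Security log.

```powershell
# Added example: classify recent successful logons (event ID 4624) by
# authentication package to see how much NTLM fallback is happening.
# Assumes logon auditing is enabled and the prompt has rights to read
# the Security log (run elevated on the server you are inspecting).

$MaxEvents = 500

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
    -MaxEvents $MaxEvents -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Read the named fields from the event's XML body rather than
    # scraping the localized message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType   = $data.LogonType                 # 3 = network (file shares), 2 = interactive, 10 = RDP
        AuthPackage = $data.AuthenticationPackageName # 'Kerberos' or 'NTLM' ('Negotiate' on some logon types)
        NtlmVersion = $data.LmPackageName             # e.g. 'NTLM V2' when NTLM was used, '-' otherwise
        Source      = $data.IpAddress                 # client address; '-' for local logons
    }
}

# Summary: how many logons used each package.
$rows | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# Detail: NTLM network logons are the ones to chase down, since they usually mean
# IP-based UNC paths, missing SPNs, or clients that cannot do Kerberos.
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' -and $_.LogonType -eq '3' } |
    Sort-Object Time -Descending |
    Format-Table Time, User, Source, NtlmVersion -AutoSize
```

Repeat the test from Solution 1 (access the share by name, then by IP address) and re-run the script: the name-based access should appear under Kerberos and the IP-based one under NTLM.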