How can I check if my IIS site is using NTLM or Kerberos?

Solution 1:

From:

Determine if HTTP authentication is NTLM or Kerberos
http://support.microsoft.com/kb/891032

[...] "Since we are looking over this trace to see if the client is sending authentication information, we can use the TCP segments to track the HTTP GET requests and the response from the server. Here is a snippet from the frame that sends authentication information from the client:

23 4294967263.4294641621 LOCAL 00045A420DBC HTTP GET Request (from client using port 3135) 192.168.0.2 192.168.0.4 IP 
HTTP: GET Request (from client using port 3135)
  HTTP: Request Method = GET
  HTTP: Uniform Resource Identifier = /webapplication1/webform1.aspx
  HTTP: Protocol Version = HTTP/1.1
  HTTP: Accept = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.
  HTTP: Accept-Language = en-us
  HTTP: Accept-Encoding = gzip, deflate
  HTTP: User-Agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 
  HTTP: Host = alien
  HTTP: Connection = Keep-Alive
  HTTP: Authorization = Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAA
44 77 3D 3D 0D 0A 0D 0A         AAADw==....   

"What does this tell us? We can see that the Authorization header is set to "Negotiate" and we can see a long string of characters sent in that header. This response tells us that the client and the server are negotiating an NTLM connection. We know that NTLM authentication is being used here because the first character is a "T." If it was a "Y," it would be Kerberos. The header is set to "Negotiate" instead of "NTLM." This does not mean it will use Kerberos or NTLM, but that it will "Negotiate" the authorization method and try Kerberos first if it is able. If it cannot use Kerberos, it will use NTLM."

// if it is Negotiate... ("Negotiate " is 10 characters, so index 10 is the first base64 character of the token)
string authHeader = Request.ServerVariables["HTTP_AUTHORIZATION"];
if (authHeader != null && authHeader.StartsWith("Negotiate ", StringComparison.OrdinalIgnoreCase))
{
    if (String.Compare(authHeader.Substring(10, 1), "Y", true) == 0)
    {
        // we are using Kerberos (a SPNEGO token starts with ASN.1 tag 0x60, which base64-encodes as "Y")
    }
    else
    {
        // we are using NTLM (a raw NTLMSSP token base64-encodes as "TlRM...")
    }
}

Solution 2:

If you have access to your IIS server then the answer is much simpler than inspecting HTTP traffic: Simply view the site Authentication module config for Windows Authentication.

  1. In IIS Manager
  2. Select your site
  3. Click on the Authentication module
  4. Select Windows Authentication
  5. Select Providers...

IIS Manager > Site > Authentication module > Providers

Solution 3:

Use the code below in an HTML/ASP page:

<%
    authType = UCase(Request.ServerVariables("AUTH_TYPE"))
    authHeader = Request.ServerVariables("HTTP_AUTHORIZATION")
    Response.Write " Authentication Method : " & authType & "<BR>"
    LenAuthHeader = Len(authHeader)
    Response.Write " Protocol : "
    If Len(authType) = 0 Then
        Response.Write " Anonymous"
    ElseIf authType <> "NEGOTIATE" Then
        Response.Write authType
    ElseIf LenAuthHeader > 1000 Then ' size heuristic: a Kerberos ticket makes the token far larger than an NTLM one
        Response.Write "Kerberos"
    Else
        Response.Write "NTLM"
    End If
%>

Solution 4:

Found out that Microsoft has a really good page about Kerberos.

It describes a lot of pitfalls when you use Kerberos and Negotiate (for example, on localhost Negotiate uses NTLM by default).

If you use .NET Core, the server code can look like this (the code from @pafreire is for old classic ASP and is also described on the MS page).

// Same check as the classic ASP version. GetServerVariable (Microsoft.AspNetCore.Http) only
// returns values when the app is hosted in IIS / IIS Express; elsewhere it returns null.
private string GetAuthMethodInfo()
{
    var authType = this.HttpContext.GetServerVariable("AUTH_TYPE")?.ToUpper() ?? string.Empty;
    var authHeader = this.HttpContext.GetServerVariable("HTTP_AUTHORIZATION");
    var lenAuthHeader = authHeader?.Length ?? 0;
    var protocol = authType.Length == 0 ? "Anonymous"
                 : authType != "NEGOTIATE" ? authType
                 : lenAuthHeader > 1000 ? "Kerberos" : "NTLM";   // size heuristic: Kerberos tokens are large

    return $"Authentication-Method : {authType} Protocol: {protocol}";
}
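The three header-inspection answers above (the first-character test in Solution 1 and the token-length heuristic in Solutions 3 and 4) all infer the mechanism from the outside of the Negotiate token. The following is an added example, not code from the question or from any of the answers, that decodes the token instead: a token that starts with the NTLMSSP signature is NTLM sent without SPNEGO wrapping, and a SPNEGO token (ASN.1 tag 0x60, which is why its base64 form starts with "Y") is walked to read its mechTypes list, whose first OID is the mechanism the client actually proposed. The NTLM sample is the token from the KB trace quoted in Solution 1; the Kerberos and SPNEGO-wrapped NTLM samples are constructed here, and `classify_authorization`, `first_char_guess` and `build_negtokeninit` are names chosen for this example.

```python
import base64
import re

# Mechanism OIDs seen in SPNEGO mechTypes lists (RFC 4178, MS-SPNG)
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos",    # Kerberos V5 (RFC 4120)
    "1.2.840.48018.1.2.2": "Kerberos",     # Microsoft legacy Kerberos OID
    "1.3.6.1.4.1.311.2.2.10": "NTLM",      # NTLMSSP
}
NTLM_SIGNATURE = b"NTLMSSP\x00"            # raw NTLM token; base64-encodes as 'TlRMTVNTUAA...'

def _read_tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _collect_oids(buf, start, end):
    """Every OID in [start, end), descending only into constructed elements, so the
    OCTET STRING mechToken/responseToken (which may hold a Kerberos AP-REQ) is not walked."""
    oids, pos = [], start
    while pos < end:
        tag, vstart, vend = _read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(_decode_oid(buf[vstart:vend]))
        elif tag & 0x20:
            oids.extend(_collect_oids(buf, vstart, vend))
        pos = vend
    return oids

def classify_authorization(header):
    """Name the mechanism behind an Authorization or WWW-Authenticate header value."""
    m = re.match(r"^(\S+)(?:\s+(\S+))?$", header.strip())
    if not m:
        return "unknown"
    scheme, token = m.group(1), m.group(2)
    if scheme.lower() != "negotiate":
        return "NTLM" if scheme.lower() == "ntlm" else scheme
    if token is None:
        return "Negotiate (no token yet)"     # bare challenge: nothing has been chosen
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    if raw.startswith(NTLM_SIGNATURE):
        return "NTLM"                          # NTLM sent without any SPNEGO wrapping
    if raw[0] in (0x60, 0xA1):                 # GSS InitialContextToken ('Y') or NegTokenResp ('o')
        mechs = [o for o in _collect_oids(raw, 0, len(raw)) if o != SPNEGO_OID]
        return MECH_NAMES.get(mechs[0], mechs[0]) if mechs else "SPNEGO (no mechanism listed)"
    return "unknown"

def first_char_guess(header):
    """The Solution 1 test: 'Y' right after 'Negotiate ' means Kerberos, anything else NTLM."""
    return "Kerberos" if header[10:11] == "Y" else "NTLM"

# Minimal DER encoder, used only to construct the sample SPNEGO tokens below.
def _der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        body += chunk
    return _der(0x06, bytes(body))

def build_negtokeninit(mechs, mech_token):
    """Constructed NegTokenInit listing `mechs` in preference order inside the GSS-API header."""
    mech_list = _der(0x30, b"".join(_oid(m) for m in mechs))
    body = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, _oid(SPNEGO_OID) + _der(0xA0, body))

# Samples: the NTLM token from the KB trace in Solution 1 (truncated there); the other two are constructed.
KB_NTLM_HEADER = "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAA"
KERBEROS_HEADER = "Negotiate " + base64.b64encode(build_negtokeninit(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    b"<constructed AP-REQ placeholder>")).decode()
WRAPPED_NTLM_HEADER = "Negotiate " + base64.b64encode(build_negtokeninit(
    ["1.3.6.1.4.1.311.2.2.10"], NTLM_SIGNATURE + b"\x01\x00\x00\x00")).decode()

if __name__ == "__main__":
    for h in (KB_NTLM_HEADER, KERBEROS_HEADER, WRAPPED_NTLM_HEADER):
        print(f"{h[:32]}...  decoded={classify_authorization(h):8}  first-char={first_char_guess(h)}")
```

The point of the third sample is the caveat: "Y" only tells you the token is SPNEGO, and the Negotiate scheme allows a client to wrap NTLM inside SPNEGO, in which case the first-character test (and a length threshold) reports Kerberos while the mechTypes list says NTLM. The same function can be run on the `WWW-Authenticate: Negotiate ...` value in the server's reply, which is a NegTokenResp (first byte 0xA1, base64 "o") carrying the `supportedMech` the server actually accepted.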