Check Primary Authentication Protocol for Active Directory (NTLM or Kerberos?) [duplicate]

authentication active-directory kerberos ntlm

How can I check, from a client machine (in Global Group)(also is local admin), whether the domain controller is authenticating my login request to the domain using NTLM or Kerberos?

I know that Kerberos is enabled by default, but the domain Admin can always force clients to auth with other Protocols. So i just want to be sure which protocal they are using. Are there any methods to do to check?

Any help would be appreciated


Greg's answer is alright, but your question specifically states that you want to check this from the client, not from the domain controller. So I'll take a crack at it.

First way, enable Kerberos logging on your client:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    LogLevel DWORD 0x1

Once Kerberos logging is enabled, then, log into stuff and watch the event log. If you're using Kerberos, then you'll see the activity in the event log. If you are passing your credentials and you don't see any Kerberos activity in the event log, then you're using NTLM.

Second way, you can use the klist.exe utility to see your current Kerberos tickets. This will definitely help you if you are authenticating to a service for the first time, because you will be getting a new ticket... but for subsequent authentications to the same service, you can reuse the same ticket, and so klist.exe may be of limited use to you.

Third way, watch the authentication happen with Wireshark.


One way would be to check the domain controller Security event log for Event ID 4624 (logon) events, where the AuthenticationPackageName is NTLM or Kerberos. You should also verify that your Domain Controllers have auditing enabled, and are capturing the required auditing events.

You can create custom Event Viewer filters to make this easier, and filter on other fields like the username or workstation name:

<QueryList>  
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] = "NTLM"] and System[(EventID=4624)]]</Select>
  </Query> 
</QueryList>  


<QueryList>  
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name="AuthenticationPackageName"] = "Kerberos"] and System[(EventID=4624)]]</Select>
  </Query> 
</QueryList>

NTLM

Kerberos

Related

How can I restart a IIS site by using appcmd commands?
Postfix : How to reject sender addresses that don't exist only for local domains
In server 2008 R2, if I run an app in administrator's mode, will child process still be in the same mode?
Centos 7 autofs mount doesn't work right after reboot
probing EDD boot message stays for ten minutes on centos 6.6
openshift : unable to write 'random state'
How to trace file access with dtrace on solaris
TCP timeout for established connections in Windows
lxd container: port forwarding like docker
How to extend LVM PV to the beginning of disk?
SSH X11 forwarding is extremely slow over VPN
How to configure Fedora / RedHat / CentOS to delete files in /tmp on boot