Is there a command line program you can use?
- I don't have access to the Domain Controller, just other clients. – LeWoody Jun 25 '09 at 20:51
- Download Thunderbird mail client and enter in your login information, Thunderbird will auto-discover if Active Directory is using Kerberos or NTLM. – Eric Leschinski Aug 04 '13 at 14:01
8 Answers
I think the question should be twisted on its head. Active Directory supports both Kerberos and NTLM. Windows will first try Kerberos, and if all requirements are not met it will fall back to NTLM.
I will give you an example: accessing a file share by name like \\server1\share would invoke Kerberos and should succeed given proper permission. But accessing the same file share using an IP address would invoke Kerberos first and fail (as there is no SPN for an IP address) and then fail over to NTLM.
So determine how your program is trying to authenticate against AD, and that should tell you which protocol is being used.
I would be curious to know what prompted you to ask this question.
You can view the list of active Kerberos tickets to see if there is one for the service of interest, e.g. by running klist.exe.
There's also a way to log Kerberos events if you hack the registry.
You should really be auditing logon events, whether the computer is a server or workstation. It's helpful to figure out which users are accessing your system, and to troubleshoot security related issues.
You can modify your Audit Policy with Group Policy: Start...Run...gpedit.msc...Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy, "Audit logon events". Check the "Success" and "Failure" check boxes. Try logging out and logging in to see some typical 540 events in your Windows Security Event Log.
Netstat shows all listening TCP and UDP connections. Using the option -na is for all connections and no resolution of names or ports. The 'b' option is to show the program associated with it. If DNS is running it may show a lot of other connections, so you might want to also specify TCP.
Kerberos is most definitely running if it's a deployed Active Directory Domain Controller.
netstat -nab
Assuming you're auditing logon events, check your security event log and look for 540 events. They will tell you whether a specific authentication was done with Kerberos or NTLM.
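The check described in this answer, written as a script. This is an added example, not part of the original post. It assumes Windows Vista / Server 2008 or later, where successful logons are recorded as event ID 4624 (the successor to the 540 events named above), and an elevated session that can read the Security log; the function name `Get-LogonAuthPackage` is hypothetical.

```powershell
# Added example: list recent logons with the authentication package used.
# Assumes event ID 4624 (Vista / Server 2008 and later) and an elevated prompt.
function Get-LogonAuthPackage {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )

    $filter = @{ LogName = 'Security'; Id = 4624 }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents |
        ForEach-Object {
            # The named EventData fields are only reachable through the event XML.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType   = [int]$data['LogonType']               # 3 = network logon
                AuthPackage = $data['AuthenticationPackageName']    # Kerberos, NTLM, Negotiate
                NtlmVersion = $data['LmPackageName']                # "-" unless NTLM was used
                SourceIp    = $data['IpAddress']
            }
        }
}

# Network logons that ended up on NTLM, grouped by account and source address.
# A client that reaches a share by IP address shows up here, because there is
# no SPN for the IP and Kerberos cannot be used.
Get-LogonAuthPackage |
    Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' } |
    Group-Object User, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it on the machine that hosts the service (the file server, web server or SQL Server host), since the logon event is written where the authentication is accepted, not on the client.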
using System;
using System.DirectoryServices; // requires a reference to System.DirectoryServices

public string FindAllUsers()
{
    string strReturn = "";
    try
    {
        // Bind to the current user's domain through the WinNT provider.
        DirectoryEntry directoryEntry = new DirectoryEntry("WinNT://" + Environment.UserDomainName);
        string userNames = "";
        string authenticationType = "";
        foreach (DirectoryEntry child in directoryEntry.Children)
        {
            if (child.SchemaClassName == "User")
            {
                // Append each user name on its own line.
                userNames += child.Name + Environment.NewLine;
                // DirectoryEntry.Username is the user name used to bind to the entry.
                authenticationType += child.Username + Environment.NewLine;
            }
        }
        strReturn = userNames + "\n\n" + authenticationType;
        //Console.WriteLine("************************Users************************");
        //Console.WriteLine(userNames);
        //Console.WriteLine("*****************Authentication Type*****************");
        //Console.WriteLine(authenticationType);
    }
    catch (Exception)
    {
        Console.WriteLine("Network error occurred.");
        strReturn = "";
    }
    return strReturn;
}
You can try this tool. http://blog.michelbarneveld.nl/media/p/33.aspx
This is a tool to test Authentication on websites. It will show what authentication type is used: Kerberos, NTLM, basic, none. But it also shows other information like: SPN used, HTTP headers, decrypted NTLM and Kerberos authorization headers. And it can also show and delete your Kerberos Tickets.
Depends on the client/server that is involved. For example, there is a web page (sorry, don't have time to search for it now) you can put on a web site that will tell you if Kerberos or NTLM was used. However, I know of no way to tell what authentication method SQL Server has used. Although, as has been suggested before, the security log may tell you.
Why are you trying to find out?