
I've been having issues where calls to the LogonUser Windows API function are falling back to NTLM authentication, rather than using the preferred, default, Kerberos authentication.

Researching the problem, a guy has a suggestion:

The thing to do is to figure out why the code is using NTLM instead of Kerberos in the first place since Kerberos is the default and to try to see if it can be changed to make it use Kerberos. A couple of things come to mind:

  • The client machine must be domain joined to use Kerberos

Now I've never heard of being domain joined to use Kerberos. Either you're joined to an Active Directory domain, or not, right?

In this case the machine is joined to an Active Directory domain, e.g.:

contoso.local

What does it mean to be "domain joined to use Kerberos"; and how do I ensure that my machine is?

Ian Boyd

4 Answers


Whenever I've heard or used the term "domain joined" it has meant "The state of being joined to an Active Directory domain".

joeqwerty
  • Well there were the pre-Windows 2000 days, before *Active Directory* domains, where you were just joined to a domain. And there were primary domain controllers, and backup domain controllers. But your point is taken; I don't know what "joined to use Kerberos" could mean. – Ian Boyd Apr 30 '12 at 21:33

It took a sleep to understand @TheCleaner's and @HarryJohnston's comments.

The original author's point was so blindingly obvious that my brain was looking for the real meaning.

Kerberos authentication only works in an Active Directory domain (henceforth referred to as a domain).

Machine Joined to        Logon Types available
=====================    ================================
Workgroup                NTLM
Windows NT 4 domain      NTLM
Active Directory domain  Kerberos (with fallback to NTLM)

The only way you can even hope to use Kerberos is if you are joined to an Active Directory domain.

Which I would have thought is so fundamental that it's not even in question.

But there's the advice.

Ian Boyd

To see if a machine is using Kerberos authentication you can use "Kerberos Tray" and klist and take a look if you can see a TGT (Kerberos ticket-granting ticket). If you see this, that means that you are "joined" to a Kerberos domain.

Kerberos Tray and Kerberos List klist are included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

See also: http://technet.microsoft.com/en-us/library/cc738673%28v=ws.10%29.aspx

Mircea Vutcovici
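To automate the check described in this answer, here is an added example (not from the answer, from Microsoft, or from the Resource Kit) that parses klist output and reports whether a TGT is cached. The two sample outputs are constructed, and their layout is assumed from the built-in klist.exe of Windows 7 / Server 2008 R2 rather than the Resource Kit tool.

```python
import re

# Constructed sample of klist.exe output on a domain-joined client (layout
# assumed from the Windows 7 / Server 2008 R2 built-in tool, not the Resource Kit one).
SAMPLE_JOINED = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CONTOSO.LOCAL
        Server: krbtgt/CONTOSO.LOCAL @ CONTOSO.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: DC01.contoso.local

#1>     Client: alice @ CONTOSO.LOCAL
        Server: cifs/fileserver.contoso.local @ CONTOSO.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: DC01.contoso.local
"""

# Constructed sample from a workgroup machine (or one that could not reach a KDC):
# no TGT, so any logon on it can only be NTLM.
SAMPLE_NO_TGT = """\
Current LogonId is 0:0x3e7

Cached Tickets: (0)
"""

TICKET_RE = re.compile(r"^#\d+>", re.MULTILINE)  # start of each cached ticket
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", re.MULTILINE)


def parse_klist(text):
    """Split klist output into one dict of 'Field: value' pairs per cached ticket."""
    tickets = []
    for chunk in TICKET_RE.split(text)[1:]:  # [0] is the header before the first '#n>'
        tickets.append({k.strip(): v for k, v in FIELD_RE.findall(chunk)})
    return tickets


def find_tgt(text):
    """Return the TGT (Server principal krbtgt/REALM) or None if the cache holds none."""
    for ticket in parse_klist(text):
        if ticket.get("Server", "").lower().startswith("krbtgt/"):
            return ticket
    return None
```

On a live Windows machine, feed `find_tgt` the stdout of running `klist`; a `None` result means no TGT was obtained, which matches the table above: logons on that machine will be NTLM.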

I've run into an issue where NTLM fallback was forced due to port 88 being blocked. That was an odd configuration in a DMZ that won't relate to your issue, but the useful point is that we determined the reason for the fallback by doing network traces. We could observe exactly the IP and port the Kerberos request was being attempted against (and failing): 3 sets of packets, followed by an NTLM request when fallback occurred. In THAT case we just needed a port opened; your situation will likely be different, but the information in the trace should help you sleuth the cause for fallback.