12

How can I check if my IIS site is using NTLM or Kerberos? And how can I change authentication from Kerberos to NTLM? I'm using IIS 7.5.

KlimczakM
  • 223
  • 1
  • 2
  • 7

6 Answers6

12

From:

Determine if HTTP authentication is NTLM or Kerberos
http://support.microsoft.com/kb/891032

[...] "Since we are looking over this trace to see if the client is sending authentication information, we can use the TCP segments to track the HTTP GET requests and the response from the server. Here is a snippet from the frame that sends authentication information from the client:

23 4294967263.4294641621 LOCAL 00045A420DBC HTTP GET Request (from client using port 3135) 192.168.0.2 192.168.0.4 IP 
HTTP: GET Request (from client using port 3135)
  HTTP: Request Method = GET
  HTTP: Uniform Resource Identifier = /webapplication1/webform1.aspx
  HTTP: Protocol Version = HTTP/1.1
  HTTP: Accept = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.
  HTTP: Accept-Language = en-us
  HTTP: Accept-Encoding = gzip, deflate
  HTTP: User-Agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 
  HTTP: Host = alien
  HTTP: Connection = Keep-Alive
  HTTP: Authorization = Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAA
44 77 3D 3D 0D 0A 0D 0A         AAADw==....   

"What does this tell us? We can see that the Authorization header is set to "Negotiate" and we can see a long string of characters sent in that header. This response tells us that the client and the server are negotiating an NTLM connection. We know that NTLM authentication is being used here because the first character is a '"T." If it was a "Y," it would be Kerberos. The header is set to "Negotiate" instead of "NTLM." This does not mean it will use Kerberos or NTLM, but that it will "Negotiate" the authorization method and try Kerberos first if it is able. If it cannot use Kerberos, it will use NTLM."

// if it is Negotiate...
if (String.Compare(Request.ServerVariables["HTTP_AUTHORIZATION"].Substring(10, 1), "Y", true) == 0)
{
    // we are using Kerberos
}
else
{
   // we are using NTLM
}
vgalin
  • 103
  • 3
Greg Askew
  • 34,339
  • 3
  • 52
  • 81
4

If you have access to your IIS server then the answer is much simpler than inspecting HTTP traffic: Simply view the site Authentication module config for Windows Authentication.

  1. In IIS Manager
  2. Select your site
  3. Click on the Authentication module
  4. Select Windows Authentication
  5. Select Providers...

IIS Manager > Site > Authentication module > Providers

JohnC
  • 2,504
  • 3
  • 12
  • 15
1

Found out that microsoft has a really good page about Kerberos.

Here are a lot of pitfalls description when you use Kerberos and Negotiation (for example on localhost the Negotiation use NTLM as default).

If you used dotnet core the server code can looks like that (the code from @pafreire is for the old classic asp and also descripted on the ms page).

private string GetAuthMethodeInfo()
{
        var authType = this.HttpContext.GetServerVariable("AUTH_TYPE")?.ToUpper() ?? string.Empty;
        var authHeader = this.HttpContext.GetServerVariable("HTTP_AUTHORIZATION");
        var lenAuthHeader = authHeader?.Length;
        var protocol = authType.Length ==  0 ? "Anonymous" : authType != "NEGOTIATE" ? authType : lenAuthHeader > 1000 ? "Kerberos" : "NTLM";

        return $"Authentication-Method : {authType} Protocol: {protocol}";
 }
Flo
  • 11
  • 1
1

use the code below in html/asp page:

<%
    authType=UCase(Request.ServerVariables("AUTH_TYPE"))
    authHeader=Request.ServerVariables("HTTP_AUTHORIZATION")
    response.write " Authentication Method : " & authType & "<BR>"
    LenAuthHeader = len(authHeader)
    response.write " Protocol : "
    if Len(authType ) =0 then response.write " Anonymous" else if authType<>"NEGOTIATE" then response.write authType else if LenAuthHeader>1000 then response.write "Kerberos" else response.write "NTLM"
%> 
Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
pafreire
  • 11
  • 1
0

In your HTTP Request Header (you can see it from Firebug, Chrome Dev Tool or Fiddler) you will see something like this if you use NTLM

Authorization: NTLM=TlRMTVNTGD6XAAAAGAAYAG425qAAYABgAhgAAAAAAAABIAAAADgAOAEgAAAAYABgAVgAAAAAAAACeAAAABYKIogUBKAoAAAAPcwBpAG0AcABsAGkAcABOADMAUgBXAEsAVwBBAEwAVABFAFIAQQAzVtleqNj7HAAAAAAAAAAAAAAAAAAAAACW3g66aPaiileWScIYweBj6fs2iGY/ta3=

From IIS management panel, you can go Authentication and choose the authentication you prefer.

0

That answer isn't quite complete. There are two ways the connection can use NTLM. One is via the WWW-Authenticate method "NTLM"; the other is via Negotiate. Negotiate uses GSSAPI, which in turn can use various mechanisms; on Windows, this includes both Kerberos and NTLM.

Wireshark can decode all of this and show you quickly what's going on, assuming you're not using TLS. If you are, you can arrange that Wireshark be able to decrypt the TLS traffic; it just takes some extra effort.