I need to show what encryption is being used for Kerberos on Windows Server 2008 R2. Is there a command I can run?

Is Kerberos also used for local Windows Server account authentication or is it only for Active Directory?

neildeadman

1 Answer

You control which encryption types are used by Kerberos in an Active Directory environment. This article details the various places that it can be set.

Kerberos is not used to authenticate access by local accounts. The SAM database on each local machine does. SAM controls local authentication and authorization.

MDMarra
  • In addition to what Mark said, Network trace. You can use netsh.exe, or Wireshark, or Network Monitor, or Message Analyzer. Filter on tcp.Port == 88. (Kerberos KDC.) The negotiated encryption types are clearly visible in the parsed network packets. msDs-supportedEncryptionTypes will show what the accounts theoretically support, but a network trace will show you what is actually being used. Of course those two things will always agree unless something is wrong. – Ryan Ries Dec 12 '17 at 18:38
  • Is there no way to use Kerberos on local accounts then? We have an auditor here who is telling us we have to use Kerberos (not domain joined) and is confusing us. – neildeadman Dec 13 '17 at 08:14
  • @neildeadman ask them how they expect that to occur in your situation. I get the feeling you will get a blank stare or they will tell you to implement Active Directory for those servers. – MDMarra Dec 13 '17 at 10:53
  • @MDMarra Does NTLM use encryption? I read it was MD4 but that seems too old to still be using. Can it be changed to a more modern type? This is Windows Server 2008 R2. – neildeadman Dec 21 '17 at 08:24
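
The comparison described in the comments above (what msDS-SupportedEncryptionTypes advertises versus the etype seen in a port 88 trace) can be scripted. This is an added example, not code from the answer or its commenters; the function names, account names and sample values are constructed for illustration, and it sticks to PowerShell 2.0 syntax so it runs on Windows Server 2008 R2.

```powershell
# Added example: the five encryption-type bits of msDS-SupportedEncryptionTypes,
# mapped to the Kerberos etype numbers a protocol analyzer displays.
$EncTypeBits = @(
    @{ Bit = 0x01; Etype = 1;  Name = 'DES-CBC-CRC' },
    @{ Bit = 0x02; Etype = 3;  Name = 'DES-CBC-MD5' },
    @{ Bit = 0x04; Etype = 23; Name = 'RC4-HMAC' },
    @{ Bit = 0x08; Etype = 17; Name = 'AES128-CTS-HMAC-SHA1-96' },
    @{ Bit = 0x10; Etype = 18; Name = 'AES256-CTS-HMAC-SHA1-96' }
)

function ConvertFrom-SupportedEncTypes {
    param([int]$Value)
    # Keep only the table rows whose bit is set in the attribute value.
    $EncTypeBits | Where-Object { $Value -band $_.Bit } |
        ForEach-Object { New-Object PSObject -Property $_ }
}

function Test-ObservedEtype {
    param([string]$Account, [int]$Supported, [int]$ObservedEtype)
    $types = @(ConvertFrom-SupportedEncTypes -Value $Supported)
    $names = @($types | ForEach-Object { $_.Name })
    $hit   = @($types | Where-Object { $_.Etype -eq $ObservedEtype })
    # No encryption-type bit set means the attribute says nothing for this account.
    $adv = '(not set)'
    if ($names.Count -gt 0) { $adv = $names -join ', ' }
    New-Object PSObject -Property @{
        Account       = $Account
        Advertised    = $adv
        ObservedEtype = $ObservedEtype
        Agrees        = ($hit.Count -gt 0)
    }
}

# Constructed sample rows. On a real domain the Supported value comes from e.g.
#   Get-ADComputer <name> -Properties msDS-SupportedEncryptionTypes
# and ObservedEtype from the ticket etype shown in the port 88 trace.
$samples = @(
    @{ Account = 'SRV-A$'; Supported = 0x1C; ObservedEtype = 18 },
    @{ Account = 'SRV-B$'; Supported = 0x04; ObservedEtype = 18 }
)
$samples | ForEach-Object {
    Test-ObservedEtype -Account $_.Account -Supported $_.Supported -ObservedEtype $_.ObservedEtype
} | Format-Table Account, Advertised, ObservedEtype, Agrees -AutoSize
```

With the constructed rows, SRV-A$ advertises RC4 and both AES types and agrees with the observed etype 18, while SRV-B$ advertises RC4 only and is flagged as disagreeing.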