Check for Kerberos ticket

  • Question

  • Really simple question. How can I check that a certain user is using Kerberos authentication and not falling back to NTLM authentication?

    Would it be as simple as getting the user to run klist on their local machine? Because klist will not show NTLM tickets, correct? It only shows Kerberos tickets?

    • Edited by jadedpuppy Tuesday, January 8, 2013 3:15 PM
    Tuesday, January 8, 2013 3:05 PM

Answers

  • There is potential risk in disabling NTLM.

    A bit deep:

    The SMB protocol, which is the file system protocol used by Microsoft (based on CIFS), is used whenever the operating system references file system activities; that includes rdbss.sys / rdr.sys for accessing file shares, followed by srv.sys / mup.sys, Kerberos.dll, NTLM (and many other supporting user-mode DLLs).

    For file share operations that are referenced either through the OS shell or through user-mode applications, the API call is referenced to rdr.sys, which calls ksecdd.sys (the kernel security interface), which transfers the request to NTLM and then to LSASS to perform the user authentication.

    Bit deeper:

    The SMB protocol relies on the kernel security interface to generate the valid NTLM packet or token, and these tokens are further used by different protocols, which may be named pipes or RPC communications.

    ===========================================================

    Back to your question:

    It's not advised to block NTLM in a pure Windows environment. What are you trying to achieve by monitoring NTLM vs Kerberos responses?

    Thursday, January 10, 2013 2:04 AM

All replies

  • Hi,

    take a look:
    http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx

    Best Regards, Alexander Trofimov
    Tuesday, January 8, 2013 3:19 PM
  • This is basically to enable NTLM auditing and block NTLM traffic. We do not have this auditing turned on, as our DCs are 2008, and not 2008 R2.
    Tuesday, January 8, 2013 3:30 PM
  • Then I don't know any other way besides sniffing the traffic. Probably someone else can tell you more.
    And, if your clients are at least Windows 7, please consider configuring the audit policies just for clients; it seems like even this kind of audit can help.

    Best Regards, Alexander Trofimov
    Tuesday, January 8, 2013 3:41 PM
  • If we are talking about web-based resources, have a look at the following:

    The security event log on the DC should also tell you what authentication protocol has been used.

    Cheers,

    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    Jorge de Almeida Pinto [MVP-DS] | Principal Consultant | BLOG: http://jorgequestforknowledge.wordpress.com/
    Tuesday, January 8, 2013 7:28 PM
    Moderator
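As an added example that is not part of this thread (not Jorge's code and not a Microsoft script), the following PowerShell script does what the reply above suggests: it reads the Security log and reports, for one user, how many successful logons (event 4624) were authenticated with Kerberos versus NTLM, and how many NTLM credential validations (event 4776) the DC performed for that user. Both events exist on Windows Server 2008 and do not depend on the 2008 R2 NTLM auditing feature; they do require "Audit Logon" and "Audit Credential Validation" success auditing to be enabled. It assumes PowerShell 2.0 or later (for Get-WinEvent), read access to the remote Security log, and that the user name, computer name and time window are supplied as parameters; the parameter names are this example's own.

```powershell
# Added example, not from the thread. Summarise one user's logons by authentication
# package so an NTLM fallback is visible without the 2008 R2 NTLM-audit policies.
param(
    [Parameter(Mandatory = $true)] [string] $UserName,   # sAMAccountName, e.g. jdoe
    [string] $ComputerName = $env:COMPUTERNAME,          # DC (or member server) whose Security log to read
    [int]    $Hours = 24                                 # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# Event 4624 (successful logon) carries AuthenticationPackageName: 'Kerberos', 'NTLM',
# or 'Negotiate' for interactive console logons. TargetUserName is not a filterable
# hashtable key, so the user is selected after the XML is parsed.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $UserName) { continue }   # case-insensitive compare
    New-Object PSObject -Property @{
        Time        = $e.TimeCreated
        User        = $data['TargetUserName']
        AuthPackage = $data['AuthenticationPackageName']      # 'Kerberos' or 'NTLM'
        LogonType   = $data['LogonType']                      # 2 interactive, 3 network, 10 RDP, ...
        Source      = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

# Event 4776 is raised on the DC only when it validates NTLM credentials (pass-through
# from any member server), so any hit for the user is a definite NTLM authentication
# somewhere in the domain, even if the file server's own log is not available.
$ntlmValidations = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4776; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    ([xml]$_.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq 'TargetUserName' -and $_.'#text' -eq $UserName }
}

"Logons to $ComputerName for $UserName since $since, by authentication package:"
$rows | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

"NTLM logons in detail (empty output means no fallback was recorded here):"
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Sort-Object Time | Format-Table Time, LogonType, Source, Workstation -AutoSize

"NTLM credential validations (event 4776) performed by this DC for ${UserName}: $(@($ntlmValidations).Count)"
```

Keep in mind what each event proves: 4624 on a machine describes logons to that machine only, so to learn how a user reached a particular file server you read that server's log (or run the script against it), whereas 4776 on the DC aggregates NTLM validations from every member server. A Kerberos session to a server shows up as 4624 with AuthenticationPackageName 'Kerberos' on the server and as a 4769 service-ticket request on the DC, not as a 4776.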
  • I've read in a couple of places that I need NTLM auditing enabled to see the NTLM authentication requests, as shown here: http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx  The problem is that this appears to be only for 2008 R2 DCs, and our DCs are still 2008.

    Additionally, it appears that auditing/blocking NTLM is not recommended for environments with 2008 in them. We have a situation where we want to block/audit NTLM traffic on one client, and that client will be authenticating to a 2008 DC. Is this possible?

    We want to do this to see if the user is actually using NTLM or if they are using Kerberos.

    Tuesday, January 8, 2013 8:26 PM
  • Hi,

    I would like to confirm what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

    Regards,

    Arthur Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Arthur Li

    TechNet Community Support

    Monday, January 21, 2013 1:52 AM
    Moderator