James Newton-King

Reputation: 49062

Testing that a website is using Kerberos authentication

How do you go about checking that an IIS website is successfully using Kerberos and not falling back on NTLM?

Upvotes: 3

Views: 13311

Answers (6)

jsw

Reputation: 1782

I use the security log in the event viewer to check like someone already mentioned. Here is a successful kerb auth:

Successful Network Logon:
User Name:  {Username here}
Domain:     {Domain name here}
Logon ID:   (0x0,0x########)
Logon Type: 3
Logon Process:  Kerberos
Authentication Package: Kerberos
Workstation Name:   
Logon GUID: {########-####-####-####-############}
Caller User Name:   -
Caller Domain:  -
Caller Logon ID:    -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port:    -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Upvotes: 1

Christopher G. Lewis

Reputation: 4835

Fiddler2 will indicate if the authentication header is NTLM vs Kerberos.

    Authorization Header (Negotiate) appears to contain a Kerberos ticket:
    60 82 13 7B 06 06 2B 06 01 05 05 02 A0 82 13 6F  `.{..+..... .o

    WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:
    A1 81 A0 30 81 9D A0 03 0A 01 00 A1 0B 06 09 2A  ¡ 0 ....¡...*

Upvotes: 4

Lex Li

Reputation: 63254

Well, Negotiate can also be Kerberos, because it is a wrapper over Kerberos and NTLM. Like other guys said, Wireshark (or Network Monitor) and Security event log will not cheat you.

Upvotes: 0

James Newton-King

Reputation: 49062

One way I found to test in code that you are using Kerberos is that the HTTP_AUTHORIZATION header for NTLM always starts with the following:

Negotiate TlRMTVNTUA

If the header doesn't start with that text then the browser is authenticating using Kerberos.

Upvotes: 4

Nico

Reputation: 13840

You can check the security log in the event viewer of the web server.

You can also launch KerbTray on the client machine and check if it's using the correct SPN. Kerbtray is available here (don't worry, it's not Win2000 only).

Upvotes: 1

Alan

Reputation: 46873

The easiest way that I can think of is to use Wireshark to watch the network packets and verify that your IIS server is requesting Kerberos tickets from your DC.

Upvotes: 3
