1,746 questions
it does not use kerberos. it is a call to to windows active directory services api to validate a user.
note: for non windows clients, you would use a LDAP client library
How to verify Kerberos Authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 82%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJG%3C/text%3E%3C/svg%3E)
Joe Green
146
Reputation points
Hello,
I've two asp.net MVC applications that uses custom authentication meaning user is authenticated against Active Directory using a web form. Web form has fields like domain, windows username and password. ApplicationCookie is used for authorization. on IIS, for both the applications, windows authentication is disabled.
In one application, the following is used
isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate);
and in another
isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate | ContextOptions.Sealing);
Is the authentication done using Kerberos or something else? Is there a way to find out?
Thanks
Windows development | Internet Information Services
Developer technologies | ASP.NET | Other
3,600 questions
4 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bruce (SqlWork.com) 77,926 Reputation points Volunteer Moderator2023-01-10T18:58:42.983+00:00 -
Joe Green 146 Reputation points
2023-01-10T19:11:17.233+00:00 All my clients are windows users. Doesn't (ContextOptions.Negotiate | ContextOptions.Sealing) mean use Kerberos? Does windows active directory services api use LDAP?
-
Bruce (SqlWork.com) 77,926 Reputation points Volunteer Moderator
2023-01-13T00:05:05.9933333+00:00 the ContextOptions are only used when the username and password are not specified (login as the current user). this does not make much sense on web server as the context user would be the app domain user.
the directory services library used by ValidateCredentials uses a variant of LDAP called AD LDS and is proprietary.
the actual AD server supports LADP, AD LDS and keberos.
note: there are requests to covert the directory service library used by ValidateCredentials to LDAP so it will work cross platform.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 70%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYD%3C/text%3E%3C/svg%3E)
Yurong Dai-MSFT 2,846 Reputation points Microsoft External Staff2023-01-11T09:03:41.77+00:00 Hi @Joe Green,
Active Directory authentication supports both Kerberos and NTLM. Windows will try to use Kerberos first, and if the requirements are not met, it will fall back to NTLM. To verify whether Active Directory is using Kerberos or NTLM, you can use the following methods.
Method 1:
Check the login event ID = 4624 in the security event log of the domain controller. where
AuthenticationPackageNameisNTLMorKerberos. You need to verify that your domain controllers have auditing enabled and are capturing the required audit events.Method 2:
Enable Kerberos logging on your client, if you don't know how to enable Kerberos event logging, please refer to this document. After enabling logging, log into stuff and view the event log. If you are using Kerberos, you will see this activity in the event log. If you are passing credentials and don't see any Kerberos activity in the event log, then you are using NTLM.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.
Best regards,
Yurong Dai
-
SurferOnWww 4,711 Reputation points2023-01-11T01:01:26.613+00:00 > Is the authentication done using Kerberos or something else? Is there a way to find out?
Can the following Microsoft document help?
Two easy ways to pick Kerberos from NTLM in an HTTP capture https://learn.microsoft.com/ja-jp/archive/blogs/tristank/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture
-
Joe Green 146 Reputation points
2023-01-11T15:40:29.0833333+00:00 Method 1 is not possible that I do not have access to domain controller logs. I tried using Fiddler Classic but so far cannot definitely say that application is using Kerberos. As per the MS documentation https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement.contextoptions?view=dotnet-plat-ext-7.0, if one is using Sealing and Negotiate, then chances are kerberos is used. Is there as way to write code to find out if Kerberos is used? I want to make sure that these apps are not using LDAP but kerberos.
Bruce says that these apps are using windows active directory services api to validate user. What protocol these API's are using to validate user? Hopefully not LDAP.
-
Bruce (SqlWork.com) 77,926 Reputation points Volunteer Moderator
2023-01-11T17:46:40.3433333+00:00 it is the Active Directory variant of LDAP .
if you want kerberos authentication, then you would need to configure IIS to handle the authentication. setup windows authentication and only enable negotiate (remove ntlm as an option).
note: in IIS kerberos is windows authentication: negotiate
Sign in to comment -