How to verify Kerberos Authentication

Joe Green 146 Reputation points
2023-01-10T17:46:33.503+00:00

Hello,

I've two ASP.NET MVC applications that use custom authentication, meaning the user is authenticated against Active Directory using a web form. The web form has fields like domain, Windows username and password. ApplicationCookie is used for authorization. On IIS, for both applications, Windows authentication is disabled.

In one application, the following is used

 isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate);

and in another

 isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate | ContextOptions.Sealing);

Is the authentication done using Kerberos or something else? Is there a way to find out?

Thanks


4 answers

  1. Bruce (SqlWork.com) 77,766 Reputation points Volunteer Moderator
    2023-01-10T18:58:42.983+00:00

    It does not use Kerberos. It is a call to the Windows Active Directory services API to validate a user.

    https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-7.0

    Note: for non-Windows clients, you would use an LDAP client library.

    2 people found this answer helpful.

  2. Yurong Dai-MSFT 2,846 Reputation points Microsoft External Staff
    2023-01-11T09:03:41.77+00:00

    Hi @Joe Green,

    Active Directory authentication supports both Kerberos and NTLM. Windows will try to use Kerberos first, and if the requirements are not met, it will fall back to NTLM. To verify whether Active Directory is using Kerberos or NTLM, you can use the following methods.

    Method 1:

    Check the logon event ID 4624 in the Security event log of the domain controller, where AuthenticationPackageName is NTLM or Kerberos. You need to verify that your domain controllers have auditing enabled and are capturing the required audit events.

    Method 2:

    Enable Kerberos logging on your client; if you don't know how to enable Kerberos event logging, please refer to this document. After enabling logging, log into stuff and view the event log. If you are using Kerberos, you will see this activity in the event log. If you are passing credentials and don't see any Kerberos activity in the event log, then you are using NTLM.

    Best regards,

    Yurong Dai

    1 person found this answer helpful.
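The following PowerShell is an added example for Method 1 above; it is not code from the thread or from Microsoft. It assumes either read access to the Security log on a domain controller or an exported copy of that log (the `.evtx` path is a placeholder), and it reduces each 4624 event to the fields that answer the question: which account logged on, from which address, and whether the authentication package was Kerberos or NTLM.

```powershell
# Added example (not from the thread): tally 4624 logon events by authentication package.
# Assumes you can read the Security log on the domain controller, or have been given an
# exported .evtx from it (e.g. produced there with: wevtutil epl Security C:\temp\dc-security.evtx).
function Get-LogonPackageSummary {
    param(
        [string]$EvtxPath,          # optional: exported Security log; omit to read the live log
        [string]$TargetUserName,    # optional: the account your web form submitted
        [int]$MaxEvents = 5000
    )

    $filter = @{ Id = 4624 }
    if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }

    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        # 4624 carries its details as <Data Name="..."> elements; flatten them into a hashtable
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($TargetUserName -and $data.TargetUserName -ne $TargetUserName) { continue }

        [pscustomobject]@{
            Time         = $e.TimeCreated
            TargetUser   = $data.TargetUserName
            LogonType    = $data.LogonType                 # 3 = network logon (what a bind from the web server produces)
            AuthPackage  = $data.AuthenticationPackageName # 'Kerberos' or 'NTLM'
            LogonProcess = $data.LogonProcessName
            SourceIp     = $data.IpAddress                 # should be the IIS server for the app's logons
        }
    }
}

# Usage: count Kerberos vs NTLM logons for one test account from an exported DC log.
# 'C:\temp\dc-security.evtx' and 'jdoe' are placeholders.
Get-LogonPackageSummary -EvtxPath 'C:\temp\dc-security.evtx' -TargetUserName 'jdoe' |
    Group-Object AuthPackage | Select-Object Name, Count
```

Two things to keep in mind when reading the output. The credential validation performed by `ValidateCredentials` is recorded on the domain controller, not in the IIS server's own Security log, so an export from the DC (or a request to whoever administers it) is required if you cannot read that log directly. Kerberos also leaves corroborating events on the DC that NTLM does not: 4768 (TGT request) and 4769 (service ticket request) appear for the test account alongside a Kerberos 4624, whereas NTLM validation shows up as 4776. If you see NTLM where you expected Kerberos, the usual reasons are that the web server could not reach a KDC or could not resolve a service principal name for the target, in which case Negotiate falls back to NTLM as the answer above describes.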

  3. SurferOnWww 4,706 Reputation points
    2023-01-11T01:01:26.613+00:00

    > Is the authentication done using Kerberos or something else? Is there a way to find out?

    Can the following Microsoft document help?

    Two easy ways to pick Kerberos from NTLM in an HTTP capture https://learn.microsoft.com/ja-jp/archive/blogs/tristank/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture


  4. Joe Green 146 Reputation points
    2023-01-11T15:40:29.0833333+00:00

    Method 1 is not possible, as I do not have access to domain controller logs. I tried using Fiddler Classic but so far cannot definitively say that the application is using Kerberos. As per the MS documentation https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement.contextoptions?view=dotnet-plat-ext-7.0, if one is using Sealing and Negotiate, then chances are Kerberos is used. Is there a way to write code to find out if Kerberos is used? I want to make sure that these apps are not using LDAP but Kerberos.

    Bruce says that these apps are using the Windows Active Directory services API to validate the user. What protocol are these APIs using to validate the user? Hopefully not LDAP.
