How to verify Kerberos Authentication

Joe Green 146 Reputation points
2023-01-10T17:46:33.503+00:00

Hello,

I have two ASP.NET MVC applications that use custom authentication, meaning the user is authenticated against Active Directory using a web form. The web form has fields like domain, Windows username and password. ApplicationCookie is used for authorization. On IIS, for both applications, Windows authentication is disabled.

In one application, the following is used

```csharp
isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate);
```

and in another

```csharp
isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate | ContextOptions.Sealing);
```

Is the authentication done using Kerberos or something else? Is there a way to find out?

Thanks


4 answers

Sort by: Most helpful
  1. Bruce (SqlWork.com) 65,316 Reputation points
    2023-01-10T18:58:42.983+00:00

    It does not use Kerberos. It is a call to the Windows Active Directory Services API to validate a user.

    https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-7.0

    Note: for non-Windows clients, you would use an LDAP client library.

    2 people found this answer helpful.

  2. SurferOnWww 2,896 Reputation points
    2023-01-11T01:01:26.613+00:00

    > Is the authentication done using Kerberos or something else? Is there a way to find out?

    Can the following Microsoft document help?

    Two easy ways to pick Kerberos from NTLM in an HTTP capture https://learn.microsoft.com/ja-jp/archive/blogs/tristank/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture


  3. Yurong Dai-MSFT 2,816 Reputation points Microsoft Vendor
    2023-01-11T09:03:41.77+00:00

    Hi @Joe Green,

    Active Directory authentication supports both Kerberos and NTLM. Windows will try to use Kerberos first, and if the requirements are not met, it will fall back to NTLM. To verify whether Active Directory is using Kerberos or NTLM, you can use the following methods.

    Method 1:

    Check for logon event ID 4624 in the Security event log of the domain controller, where AuthenticationPackageName is NTLM or Kerberos. You need to verify that your domain controllers have auditing enabled and are capturing the required audit events.

    Method 2:

    Enable Kerberos logging on your client; if you don't know how to enable Kerberos event logging, please refer to this document. After enabling logging, log in and view the event log. If you are using Kerberos, you will see this activity in the event log. If you are passing credentials and don't see any Kerberos activity in the event log, then you are using NTLM.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.

    Best regards,

    Yurong Dai

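A script for Method 1 above, added here as an example and not part of the answer: it pulls event ID 4624 from a domain controller's Security log, filters to one account, and tallies the logons by AuthenticationPackageName so a Kerberos-versus-NTLM split (and any NTLM fallback) is visible. The DC name `DC01` and the account `svc-webapp` are placeholders; the script needs read access to the DC Security log and logon auditing enabled, as the answer notes.

```powershell
# Added example: tally 4624 logon events on a DC by authentication package.
# Assumes the DC hostname and the target account below are replaced with real values.
param(
    [string]$ComputerName = 'DC01',        # placeholder domain controller
    [string]$TargetUser   = 'svc-webapp',  # placeholder account the web app validates
    [int]$Hours           = 24
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Read the events remotely; -ErrorAction Stop surfaces access or auditing problems at once.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Each 4624 carries its fields as <Data Name="..."> elements; map them by name.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -ne $TargetUser) { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = $d['TargetUserName']
        LogonType   = $d['LogonType']                  # 3 = network logon
        AuthPackage = $d['AuthenticationPackageName']  # Kerberos or NTLM
        LmPackage   = $d['LmPackageName']              # e.g. "NTLM V2" when NTLM was used, "-" for Kerberos
        Source      = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

# Summary: how many logons came in over each package.
$rows | Group-Object AuthPackage | Select-Object Name, Count | Format-Table -AutoSize

# Detail: list the NTLM logons so the source host that fell back can be identified.
$rows | Where-Object { $_.AuthPackage -eq 'NTLM' } | Sort-Object Time | Format-Table -AutoSize
```

If the summary shows only Kerberos for the account after exercising the login form, the validation path is using Kerberos; NTLM rows with the web server's address as Source indicate a fallback.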

  4. Joe Green 146 Reputation points
    2023-01-11T15:40:29.0833333+00:00

    Method 1 is not possible as I do not have access to domain controller logs. I tried using Fiddler Classic but so far cannot definitely say that the application is using Kerberos. As per the MS documentation https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement.contextoptions?view=dotnet-plat-ext-7.0, if one is using Sealing and Negotiate, then chances are Kerberos is used. Is there a way to write code to find out if Kerberos is used? I want to make sure that these apps are not using LDAP but Kerberos.

    Bruce says that these apps are using the Windows Active Directory Services API to validate the user. What protocol are these APIs using to validate the user? Hopefully not LDAP.

