Hello,
I've two ASP.NET MVC applications that use custom authentication, meaning the user is authenticated against Active Directory using a web form. The web form has fields like domain, Windows username and password. ApplicationCookie is used for authorization. On IIS, for both applications, Windows authentication is disabled.
In one application, the following is used
isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate);
and in another
isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate | ContextOptions.Sealing);
Is the authentication done using Kerberos or something else? Is there a way to find out?
Thanks
It does not use Kerberos. It is a call to the Windows Active Directory Services API to validate a user.
Note: for non-Windows clients, you would use an LDAP client library.
> Is the authentication done using Kerberos or something else? Is there a way to find out?
Can the following Microsoft document help?
Two easy ways to pick Kerberos from NTLM in an HTTP capture https://learn.microsoft.com/ja-jp/archive/blogs/tristank/two-easy-ways-to-pick-kerberos-from-ntlm-in-an-http-capture
Hi @Joe Green,
Active Directory authentication supports both Kerberos and NTLM. Windows will try to use Kerberos first, and if the requirements are not met, it will fall back to NTLM. To verify whether Active Directory is using Kerberos or NTLM, you can use the following methods.
Method 1:
Check the logon event ID = 4624 in the security event log of the domain controller, where AuthenticationPackageName is NTLM or Kerberos. You need to verify that your domain controllers have auditing enabled and are capturing the required audit events.
Method 2:
Enable Kerberos logging on your client, if you don't know how to enable Kerberos event logging, please refer to this document. After enabling logging, log into stuff and view the event log. If you are using Kerberos, you will see this activity in the event log. If you are passing credentials and don't see any Kerberos activity in the event log, then you are using NTLM.
Best regards,
Yurong Dai
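As an added illustration of Method 1 (example code, not part of the thread or any Microsoft sample), the following PowerShell reads event 4624 from a domain controller's Security log and tallies the AuthenticationPackageName field, so a run of the web form's logon can be checked for Kerberos versus NTLM. It assumes you can read the DC's Security log (elevated, locally or via -ComputerName); the account name in $TargetUser is a placeholder to replace with the account the web form validates.

```powershell
# Added example: tally 4624 logons on a domain controller by authentication package.
# Assumes read access to the Security log; $TargetUser is a constructed placeholder.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$TargetUser   = 'svc-webapp',   # placeholder: account validated by the web form
    [int]$MaxEvents       = 2000
)

$filter = @{ LogName = 'Security'; Id = 4624 }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -MaxEvents $MaxEvents -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Each 4624 carries its fields as <Data Name="..."> elements in the EventData section.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only logons for the account under test (empty $TargetUser keeps everything).
    if ($TargetUser -and $data['TargetUserName'] -ne $TargetUser) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $data['TargetUserName']
        LogonType = $data['LogonType']
        Package   = $data['AuthenticationPackageName']   # 'Kerberos' or 'NTLM'
        Source    = $data['IpAddress']
    }
}

# All-Kerberos rows mean the Negotiate path stayed on Kerberos; any NTLM rows
# are the fallback described in the answer above.
$rows | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize
$rows | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Run the web form logon a few times first so the account's events are among the most recent $MaxEvents records.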
Method 1 is not possible, as I do not have access to domain controller logs. I tried using Fiddler Classic but so far cannot definitely say that the application is using Kerberos. As per the MS documentation https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement.contextoptions?view=dotnet-plat-ext-7.0, if one is using Sealing and Negotiate, then chances are Kerberos is used. Is there a way to write code to find out if Kerberos is used? I want to make sure that these apps are not using LDAP but Kerberos.
Bruce says that these apps are using the Windows Active Directory Services API to validate the user. What protocol are these APIs using to validate the user? Hopefully not LDAP.