When does a system use Kerberos authentication instead of NT LAN Manager (NTLM) authentication?

A. Only Windows 2000 and later systems support Kerberos, so for Kerberos authentication to be used, both the requesting host and the authenticating domain controller (DC) must be running Win2K or later. Authentication from a Windows NT 4.0 workstation to a Windows 2003 DC uses NTLM; likewise, authentication from a Windows XP workstation to an NT 4.0 DC. Even when both ends support Kerberos, the client falls back to NTLM whenever it can't obtain a service ticket for the target, most commonly when the target is addressed by IP address rather than by name (no service principal name, SPN, exists for an IP address) or when the client isn't a member of the domain or a trusted domain. The Windows Server 2003 Resource Kit Tools (http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en) provide several tools, including klist (which lists the tickets in the current logon session) and kerbtray, which adds a taskbar item that shows the Kerberos ticket state, as the figure shows. If you hold a ticket-granting ticket (TGT) for your domain (klist lists it as a ticket for krbtgt/DOMAIN) plus service tickets for the servers you've connected to, then you're using Kerberos.

You can also use the Win2K Network Connectivity Tester (netdiag.exe), which includes a Kerberos test. However, Netdiag has a bug that makes it look for a host/<computer FQDN> service ticket instead of the computer account's (computer_name$) ticket, so it can report a failure on a machine that is authenticating with Kerberos perfectly well. Even if it returns an error, as the example here shows, if klist or kerbtray show tickets, then you're using Kerberos.

    Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for host/thanos.savilltech.com.

You can also use a network monitor to filter for Kerberos protocol traffic (UDP or TCP port 88). For a normal logon, the network monitor will display a minimum of four Kerberos messages. With Kerberos pre-authentication enabled, which is the default, you'll usually also see the KDC answer the client's first KRB_AS_REQ with a KRB_ERROR carrying KDC_ERR_PREAUTH_REQUIRED, after which the client resends the request with an encrypted timestamp; that error is normal and not a sign of a failed logon. (You'll see additional Kerberos traffic later, which is the client/server access-related Kerberos exchange.)

Here's a description of the initial four messages:

  1. KRB_AS_REQ (Kerberos Authentication Service Request). The client contacts the Key Distribution Center's (KDC, a DC) authentication service to request a ticket-granting ticket (TGT), proving knowledge of its password through the pre-authentication data.
  2. KRB_AS_REP (Kerberos Authentication Service Reply). The authentication service on the KDC returns the TGT together with a session key that the client uses to protect its further communication with the KDC. Remember, the TGT grants no access to resources; it only lets the client request service tickets.
  3. KRB_TGS_REQ (Kerberos Ticket-Granting Service Request). The client now presents the TGT to the KDC's ticket-granting service (TGS) to request a service ticket for a specific service, identified by its service principal name (SPN).
  4. KRB_TGS_REP (Kerberos Ticket-Granting Service Reply). Assuming the information that the client sent was valid, the TGS creates a service ticket for that service and sends it to the client.

You'll also see KRB_AP_REQ, in which the client presents the service ticket from the TGS to the resource server to gain access, and, when the client asked for mutual authentication, KRB_AP_REP, in which the server proves its own identity back to the client. Finally, a KRB_ERROR from the KDC or the server can appear at any step, and its error code tells you why a ticket was refused.
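If you'd rather confirm the message sequence programmatically than read it off a network monitor, the following Python classifier is an added example (not part of the original FAQ or of any Microsoft tool). It relies only on the RFC 4120 framing that every Kerberos message carries on the wire: a DER value whose APPLICATION tag number is the message type (10 = AS-REQ, 11 = AS-REP, 12 = TGS-REQ, 13 = TGS-REP, 14 = AP-REQ, 15 = AP-REP, 30 = KRB-ERROR), prefixed by a 4-byte length when sent over TCP. The sample messages at the bottom are constructed for this example and contain only the fields the classifier reads; they model the seven-message logon you'd see with pre-authentication enabled, including the KDC_ERR_PREAUTH_REQUIRED reply that is normal rather than fatal.

```python
"""Classify captured Kerberos messages by their RFC 4120 APPLICATION tag.

Added example: a minimal DER walker that names each message, extracts the
error-code from KRB_ERROR, and decides whether a capture shows the AS and
TGS exchanges of a Kerberos logon.  Sample packets below are constructed.
"""

MSG_TYPES = {10: "KRB_AS_REQ", 11: "KRB_AS_REP", 12: "KRB_TGS_REQ",
             13: "KRB_TGS_REP", 14: "KRB_AP_REQ", 15: "KRB_AP_REP", 30: "KRB_ERROR"}

# Subset of RFC 4120 error codes; 25 is the expected reply to an
# unauthenticated first AS-REQ when pre-authentication is enabled.
ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
               18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
               24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
               32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW"}


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _fields(seq_body):
    """Map the context tag numbers ([0], [1], ...) of a SEQUENCE to their contents."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        out[tag & 0x1F] = value
    return out


def _der_int(value):
    _, body, _ = _read_tlv(value, 0)
    return int.from_bytes(body, "big", signed=True)


def parse_kerberos(payload, over_tcp=False):
    """Return (message_name, error_name); error_name is None unless it is a KRB_ERROR."""
    if over_tcp:                           # TCP framing: 4-byte big-endian length first
        length = int.from_bytes(payload[:4], "big") & 0x7FFFFFFF
        payload = payload[4:4 + length]
    tag, body, _ = _read_tlv(payload, 0)
    if tag & 0xC0 != 0x40:
        raise ValueError("not a Kerberos message: no APPLICATION tag")
    app = tag & 0x1F
    if app not in MSG_TYPES:
        raise ValueError(f"unknown Kerberos application tag {app}")
    seq_tag, seq_body, _ = _read_tlv(body, 0)
    if seq_tag != 0x30:
        raise ValueError("expected a SEQUENCE inside the APPLICATION tag")
    fields = _fields(seq_body)
    # msg-type is [2] in KDC-REQ (AS-REQ/TGS-REQ) and [1] in every other message;
    # it must agree with the application tag or the packet is malformed.
    if _der_int(fields[2 if app in (10, 12) else 1]) != app:
        raise ValueError("msg-type does not match the APPLICATION tag")
    error = None
    if app == 30:                          # KRB-ERROR: error-code is field [6]
        code = _der_int(fields[6])
        error = ERROR_CODES.get(code, f"error-code {code}")
    return MSG_TYPES[app], error


def classify_capture(payloads, over_tcp=False):
    """Names in order, fatal KRB_ERRORs, and whether an AS + TGS logon exchange is present.
    KDC_ERR_PREAUTH_REQUIRED is the normal first reply and is not counted as fatal."""
    parsed = [parse_kerberos(p, over_tcp) for p in payloads]
    names = [name for name, _ in parsed]
    fatal = [err for name, err in parsed
             if name == "KRB_ERROR" and err != "KDC_ERR_PREAUTH_REQUIRED"]
    logon, pos = True, -1
    for want in ("KRB_AS_REQ", "KRB_AS_REP", "KRB_TGS_REQ", "KRB_TGS_REP"):
        try:
            pos = names.index(want, pos + 1)
        except ValueError:
            logon = False
            break
    return {"messages": names, "errors": fatal, "kerberos_logon": logon and not fatal}


# --- constructed sample messages: minimal DER carrying only the fields read above ---
def _tlv(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def _ctx(n, inner):                        # [n] context-specific, constructed
    return _tlv(0xA0 | n, inner)


def _kdc_req(msg_type):                    # AS-REQ/TGS-REQ: pvno [1], msg-type [2], req-body [4]
    return _tlv(0x60 | msg_type, _tlv(0x30, _ctx(1, _int(5)) + _ctx(2, _int(msg_type))
                                      + _ctx(4, _tlv(0x30, b""))))


def _other(msg_type, extra=b""):           # AS-REP/TGS-REP/AP-REQ/KRB-ERROR: pvno [0], msg-type [1]
    return _tlv(0x60 | msg_type, _tlv(0x30, _ctx(0, _int(5)) + _ctx(1, _int(msg_type)) + extra))


# Normal logon with pre-authentication: first AS-REQ draws KDC_ERR_PREAUTH_REQUIRED,
# the second (with an encrypted timestamp) gets the TGT, then the TGS and AP exchanges.
SAMPLE_LOGON = [_kdc_req(10), _other(30, _ctx(6, _int(25))), _kdc_req(10), _other(11),
                _kdc_req(12), _other(13), _other(14)]
# Logon that fails at pre-authentication (e.g. wrong password).
SAMPLE_FAILED = [_kdc_req(10), _other(30, _ctx(6, _int(25))), _kdc_req(10),
                 _other(30, _ctx(6, _int(24)))]

if __name__ == "__main__":
    print(classify_capture(SAMPLE_LOGON))
    print(classify_capture(SAMPLE_FAILED))
```

To use it on a real capture, feed `classify_capture` the UDP payloads (or the TCP segments, with `over_tcp=True`) of the port 88 traffic from a single logon. A result with `kerberos_logon` True is the four-message sequence described above; a capture that contains only NTLM (no port 88 traffic at all) never reaches this code, which is itself the answer to the question.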
