When troubleshooting authentication issues in Windows environments, identifying whether Active Directory is using Kerberos or NTLM is crucial. Here are several methods to determine the authentication protocol being used:
The most reliable way to check authentication protocols is through Windows Event Viewer:
1. Open Event Viewer (eventvwr.msc)
2. Navigate to: Applications and Services Logs > Microsoft > Windows > Authentication
3. Look for Event ID 4776 (NTLM) or 4768 (Kerberos)
4. Filter logs to show only security-related events
For script-based checking, these PowerShell commands are effective:
```powershell
# Kerberos policy (ticket lifetimes, clock skew) is set in the Default Domain Policy under
# Account Policies > Kerberos Policy. Get-ADDefaultDomainPasswordPolicy exposes only the
# password policy, so the GPO report (GroupPolicy module) is the place to read it:
Get-GPOReport -Name 'Default Domain Policy' -ReportType Html -Path .\DefaultDomainPolicy.html

# NTLM restriction values (RestrictReceivingNTLMTraffic, RestrictSendingNTLMTraffic,
# AuditReceivingNTLMTraffic) live under MSV1_0; an absent value means "not configured"
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"

# LmCompatibilityLevel (LAN Manager authentication level) lives directly under Lsa
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
```
Use Wireshark or Microsoft Message Analyzer to capture authentication traffic. Kerberos uses port 88 (TCP/UDP); NTLM has no port of its own and is carried inside the application protocol, most often SMB on port 445.
```text
# Example Wireshark filter for Kerberos:
kerberos
# For NTLM (the NTLMSSP dissector matches NTLM inside SMB, HTTP, LDAP and others):
ntlmssp
# NTLM carried in SMB2 Session Setup only (smb2.cmd 1 is Session Setup; 11 is IOCTL):
smb2.cmd == 1 && ntlmssp
```
Check these GPO settings that affect protocol selection:
```powershell
# Export relevant GPO settings
gpresult /h gpreport.html
```
Key policies to examine in the report:
- Network security: Restrict NTLM
- Network security: LAN Manager authentication level
- Domain member: Digitally encrypt secure channel data
Here's a PowerShell script that checks authentication events:
```powershell
# Get the last 50 Kerberos TGT requests (4768) and NTLM credential validations (4776).
# Filtering inside Get-WinEvent keeps -MaxEvents counting only these two IDs; filtering
# after -MaxEvents 50 would only ever inspect the last 50 events of any kind.
# 4768 is written only on domain controllers; 4776 is written on whichever host validates
# the credential (the DC for domain accounts, the local machine for local accounts).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4768, 4776 } -MaxEvents 50
foreach ($event in $events) {
    if ($event.Id -eq 4768) {
        # 4768: property 0 is TargetUserName (the account requesting the TGT)
        Write-Host "Kerberos authentication detected for $($event.Properties[0].Value)"
    }
    elseif ($event.Id -eq 4776) {
        # 4776: property 0 is the package name (MICROSOFT_AUTHENTICATION_PACKAGE_V1_0),
        # property 1 is TargetUserName
        Write-Host "NTLM authentication detected for $($event.Properties[1].Value)"
    }
}
```
- Always prefer Kerberos for domain-joined systems
- Monitor NTLM usage with Microsoft's NTLM auditing tools
- Implement NTLM restrictions gradually after testing
- Use Service Principal Names (SPNs) properly to ensure Kerberos works
Active Directory supports multiple authentication protocols, with Kerberos being the default and NTLM maintained for legacy compatibility. Identifying which protocol is being used is crucial for security hardening and troubleshooting.
The most reliable method is checking Windows Security event logs:
```powershell
# PowerShell command to check security logs
# In 4624, property 10 is AuthenticationPackageName (property 8 is the logon type)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" |
    Where-Object { $_.Properties[10].Value -in 'NTLM', 'Kerberos' } |
    Select-Object TimeCreated, @{Name='AuthType';Expression={$_.Properties[10].Value}}
```
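The two event-log snippets above both stop at "NTLM or Kerberos". As an added example (not from the original post), the function below builds an inventory of 4624 logon events by authentication package and also separates NTLMv1 and LM from NTLMv2 using the LmPackageName field, since the legacy variants are what the hardening policies are meant to eliminate. It reads the local Security log by default; the `$ComputerName` parameter for remote collection, the `$MaxEvents` default and the exclusion of machine, SYSTEM and anonymous accounts are assumptions of this example.

```powershell
# Added example (not from the original post): inventory 4624 logons by protocol.
function Get-AuthProtocolInventory {
    param(
        [int]$MaxEvents = 2000,          # assumption: enough history for a first look
        [string]$ComputerName            # assumption: optional remote host to read
    )
    $splat = @{
        FilterHashtable = @{ LogName = 'Security'; ID = 4624 }
        MaxEvents       = $MaxEvents
        ErrorAction     = 'SilentlyContinue'
    }
    if ($ComputerName) { $splat.ComputerName = $ComputerName }

    foreach ($e in Get-WinEvent @splat) {
        $p = $e.Properties
        # 4624 property layout: 5 TargetUserName, 6 TargetDomainName, 8 LogonType,
        # 10 AuthenticationPackageName, 14 LmPackageName, 18 IpAddress
        $user = $p[5].Value
        # Skip machine accounts (trailing $) and the built-in SYSTEM / anonymous logons
        if ($user -like '*$' -or $user -in 'SYSTEM', 'ANONYMOUS LOGON') { continue }

        $pkg = $p[10].Value
        $lm  = $p[14].Value
        # LmPackageName is "NTLM V1", "NTLM V2", "LM" or "-" and tells NTLM variants apart
        $protocol = if ($pkg -eq 'Kerberos')   { 'Kerberos' }
                    elseif ($lm -eq 'NTLM V1') { 'NTLMv1' }
                    elseif ($lm -eq 'NTLM V2') { 'NTLMv2' }
                    elseif ($lm -eq 'LM')      { 'LM' }
                    else                       { $pkg }   # e.g. Negotiate with no LM package

        [PSCustomObject]@{
            Time      = $e.TimeCreated
            User      = "$($p[6].Value)\$user"
            LogonType = $p[8].Value
            Protocol  = $protocol
            SourceIP  = $p[18].Value
        }
    }
}

# Summary per protocol, then every legacy NTLMv1/LM logon with its source address
$inventory = Get-AuthProtocolInventory
$inventory | Group-Object Protocol | Select-Object Name, Count | Sort-Object Count -Descending
$inventory | Where-Object { $_.Protocol -in 'NTLMv1', 'LM' } | Sort-Object Time | Format-Table -AutoSize
```

Run it on a domain controller to see domain-wide logons, or point `-ComputerName` at a file or application server to see which clients still fall back to NTLM against that host. Reading the Security log requires local administrator (or Event Log Readers) rights.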
The klist utility shows Kerberos tickets:
```powershell
klist tickets
```
For NTLM-specific detection:
```powershell
# Check that the audit subcategories behind the NTLM and Kerberos events are enabled:
# Credential Validation writes 4776 (NTLM), Logon writes 4624,
# Kerberos Authentication Service writes 4768 (on domain controllers)
auditpol /get /subcategory:"Credential Validation"
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:"Kerberos Authentication Service"
```
Use Wireshark or Microsoft Message Analyzer to capture authentication traffic. Look for:
- Kerberos: AS-REQ, TGS-REQ packets on port 88
- NTLM: NEGOTIATE, CHALLENGE, AUTHENTICATE messages
Verify security policy settings:
```powershell
# Check NTLM restrictions
gpresult /h gpreport.html
# Then search the report for the "Network security: Restrict NTLM" policies
```
This PowerShell script identifies protocol usage for current sessions:
```powershell
function Get-AuthProtocol {
    # Win32_LogonSession carries the authentication package (Kerberos, NTLM, Negotiate)
    # of every live logon session, and Win32_LoggedOnUser maps each session to its
    # account. query session / qwinsta do not expose logon IDs, so CIM is used instead.
    $owners = Get-CimInstance -ClassName Win32_LoggedOnUser
    # 4624 stores TargetLogonId at property 7 and the source address at property 18;
    # the lookup recovers the source IP for sessions that came in over the network
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4624 } -ErrorAction SilentlyContinue

    Get-CimInstance -ClassName Win32_LogonSession | ForEach-Object {
        $session = $_
        $logonId = [uint64]$session.LogonId
        $owner = $owners | Where-Object { $_.Dependent.LogonId -eq $session.LogonId } |
                 Select-Object -First 1
        # Cast both sides: the event value may surface as a number or as a 0x-prefixed string
        $event = $logons | Where-Object { [uint64]$_.Properties[7].Value -eq $logonId } |
                 Select-Object -First 1
        $userName = if ($owner) { "$($owner.Antecedent.Domain)\$($owner.Antecedent.Name)" } else { $null }
        $sourceIp = if ($event) { $event.Properties[18].Value } else { $null }
        [PSCustomObject]@{
            LogonId   = '0x{0:x}' -f $logonId
            UserName  = $userName
            AuthType  = $session.AuthenticationPackage
            LogonType = $session.LogonType
            SourceIP  = $sourceIp
        }
    }
}
Get-AuthProtocol
```
Check NTLM compatibility settings:
```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v RestrictReceivingNTLMTraffic
```
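A raw `reg query` only returns a number. As an added example (not from the original post), the function below reads the three Restrict NTLM values under MSV1_0 and LmCompatibilityLevel under Lsa, translates each into the wording of the corresponding GPO setting, flags permissive states, and then pulls recent entries from the NTLM operational log that the audit policies write to. Treating an absent value as the Windows default (0 for the Restrict NTLM values, 3 for LmCompatibilityLevel) is an assumption of this example.

```powershell
# Added example (not from the original post): decode NTLM hardening state.
function Get-NtlmHardeningState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv = "$lsa\MSV1_0"

    # Meaning tables follow the GPO drop-downs for "Network security: Restrict NTLM"
    # and "Network security: LAN Manager authentication level".
    # Default = value assumed when the registry entry is absent (assumption: Windows default).
    $checks = @(
        @{ Path = $msv; Name = 'RestrictReceivingNTLMTraffic'; Default = 0
           Map = @{ 0 = 'Allow all'; 1 = 'Deny all domain accounts'; 2 = 'Deny all accounts' } }
        @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic'; Default = 0
           Map = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } }
        @{ Path = $msv; Name = 'AuditReceivingNTLMTraffic'; Default = 0
           Map = @{ 0 = 'Disabled'; 1 = 'Audit domain accounts'; 2 = 'Audit all accounts' } }
        @{ Path = $lsa; Name = 'LmCompatibilityLevel'; Default = 3
           Map = @{ 0 = 'Send LM & NTLM'
                    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
                    2 = 'Send NTLM only'
                    3 = 'Send NTLMv2 only'
                    4 = 'Send NTLMv2, refuse LM'
                    5 = 'Send NTLMv2, refuse LM & NTLM' } }
    )

    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $configured = $null -ne $item
        $value = if ($configured) { [int]$item.($c.Name) } else { $c.Default }
        # Permissive: LM/NTLMv1 still sent (level below 3) or NTLM neither restricted nor audited
        $permissive = if ($c.Name -eq 'LmCompatibilityLevel') { $value -lt 3 } else { $value -eq 0 }
        [PSCustomObject]@{
            Setting    = $c.Name
            Value      = $value
            Meaning    = $c.Map[$value]
            Configured = $configured
            Permissive = $permissive
        }
    }
}

Get-NtlmHardeningState | Format-Table -AutoSize

# The Restrict NTLM audit policies write here: 8001 = outgoing NTLM from this host,
# 8002 = incoming NTLM to this host, 8003/8004 = domain controller audit and block events
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; ID = 8001, 8002, 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The `Permissive` column is the quick read: a host with `Configured = False` everywhere is running on defaults, which means NTLM is neither restricted nor audited, so the operational log at the end will be empty until the audit policies are turned on.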