To check whether your IIS 7.5 site is using NTLM or Kerberos authentication, follow these steps:
1. Open IIS Manager (inetmgr)
2. Navigate to your site in the left pane
3. Double-click "Authentication" in Features View
4. Right-click "Windows Authentication" → "Providers"
5. The order of providers indicates preference (first is tried first)
Alternatively, use PowerShell to check authentication settings:
Import-Module WebAdministration
# Lists the Windows authentication providers for the site, in the order IIS offers them
Get-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" `
    -Name providers -PSPath "IIS:\" -Location "Default Web Site"
For definitive confirmation, capture network traffic during authentication:
netsh trace start scenario=NetConnection capture=yes tracefile=C:\temp\iisauth.etl
# Reproduce authentication
netsh trace stop
Analyze the trace with Microsoft Message Analyzer or Wireshark. Kerberos tickets contain:
- SPN (Service Principal Name) information
- KRB_AP_REQ messages
To force NTLM authentication in IIS 7.5:
1. In IIS Manager, go to Windows Authentication Providers
2. Remove "Negotiate" (which enables Kerberos)
3. Ensure only "NTLM" remains
4. Apply changes
For programmatic configuration via PowerShell:
# Replaces the provider list with NTLM only (removing Negotiate, and with it Kerberos)
Set-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication" `
    -Name providers -PSPath "IIS:\" -Location "Default Web Site" `
    -Value @("NTLM")
When switching authentication protocols:
- Update SPN records if reverting to NTLM:
setspn -D HTTP/server.domain.com DOMAIN\serviceaccount
- Check application pool identity settings
- Validate the UseAppPoolCredentials setting in applicationHost.config
For Kerberos-specific problems:
klist purge # Clear ticket cache on client
klist tickets # Verify ticket acquisition
For NTLM fallback scenarios, check Windows Event Logs for:
- Event ID 4 in System log (Kerberos errors)
- Security log events with ID 4624 (logon type 3)
To determine whether your IIS site is using NTLM or Kerberos authentication, you can use these methods:
Method 1: Using Fiddler or Network Monitor
Capture the traffic between client and server during authentication:
1. Install Fiddler (or Wireshark)
2. Start capturing traffic
3. Access your IIS site
4. Look for WWW-Authenticate headers in the response:
   - NTLM: "WWW-Authenticate: NTLM"
   - Kerberos: "WWW-Authenticate: Negotiate"
Method 2: Checking IIS Configuration
Examine the applicationHost.config file (located at %windir%\system32\inetsrv\config):
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <add value="Negotiate" /> <!-- Kerberos preferred -->
          <add value="NTLM" />      <!-- NTLM fallback -->
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
To force NTLM authentication instead of Kerberos:
Option 1: Using IIS Manager GUI
1. Open IIS Manager
2. Navigate to your site
3. Open "Authentication" feature
4. Right-click "Windows Authentication" → "Providers"
5. Remove "Negotiate" or move "NTLM" above "Negotiate"
6. Click "OK" and restart IIS
Option 2: Direct Configuration Edit
Modify the applicationHost.config file directly:
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true">
        <providers>
          <clear />
          <add value="NTLM" />
        </providers>
      </windowsAuthentication>
    </authentication>
  </security>
</system.webServer>
After making changes, verify with this PowerShell command:
Get-WebConfigurationProperty -Filter "/system.webServer/security/authentication/windowsAuthentication/providers" -Name "." -PSPath "IIS:\Sites\YourSiteName"
If Kerberos keeps being used despite your changes:
1. Check SPN registration: setspn -L <serviceaccount>
2. Verify client configuration: klist tickets
3. Examine Event Viewer for Kerberos errors
4. Consider setting a registry key to disable Kerberos: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NtlmMinClientSec = 0x20080000
Remember that NTLM requires more round-trips than Kerberos:
- NTLM: 3 handshakes (Type 1/2/3 messages)
- Kerberos: 1 ticket request + 1 service request
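The WWW-Authenticate check in Method 1 only shows which schemes the server offers; a "Negotiate" challenge can end up carrying either Kerberos or NTLM, so the token in the client's Authorization header is what settles the question. The PowerShell below is an added example, not code from either answer above: it classifies captured Authorization header values and lists the challenges a site offers. It assumes Windows PowerShell 5.1 or PowerShell 7, a placeholder site URL (intranet.example.local) that returns 401 challenges, and Authorization values taken from a trace or proxy (the samples here are constructed and truncated).

```powershell
function Get-WinAuthScheme {
    # Classifies one Authorization header value ("<scheme> <base64 token>").
    # "Negotiate" alone does not mean Kerberos: a Windows client sends an NTLMSSP
    # token under the Negotiate scheme when it cannot obtain a service ticket.
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    $scheme, $token = $AuthorizationHeader.Trim() -split '\s+', 2
    if (-not $token) { return 'Unknown' }
    switch ($scheme) {
        'NTLM' { return 'NTLM' }
        'Negotiate' {
            # base64("NTLMSSP\0") = "TlRMTVNTUAA": an NTLM message inside Negotiate
            if ($token.StartsWith('TlRMTVNTUAA')) { return 'NTLM (via Negotiate)' }
            # A GSS-API/SPNEGO token starts with DER tag 0x60 (0110 0000), which
            # base64-encodes as "Y" followed by a letter in A..P: Kerberos
            if ($token -match '^Y[A-P]') { return 'Kerberos (via Negotiate)' }
            return 'Negotiate (unrecognised token)'
        }
        default { return "Other ($scheme)" }
    }
}

function Get-OfferedWinAuthSchemes {
    # Sends one anonymous request and returns the WWW-Authenticate challenges
    # in the order the server lists them (the configured provider order).
    param([Parameter(Mandatory)][string]$Url)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return @()   # no challenge: Windows authentication is not required here
    } catch {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }   # connection failure, not a 401
        return @($resp.Headers.GetValues('WWW-Authenticate'))
    }
}

# Constructed sample header values (tokens truncated) to show the classification
$samples = @(
    'Negotiate YIIGmQYGKwYBBQUCoIIGjTCCBomgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAg',
    'Negotiate TlRMTVNTUAABAAAAB7IIogAAAAAAAAAAAAAAAAAAAAAKAGNFAAAADw==',
    'NTLM TlRMTVNTUAADAAAAGAAYAHoAAAAYABgAkgAAAAAAAAA='
)
foreach ($s in $samples) {
    '{0,-26} <= {1}...' -f (Get-WinAuthScheme $s), $s.Substring(0, 24)
}
# Live check against the assumed placeholder site:
# Get-OfferedWinAuthSchemes 'http://intranet.example.local/'
```

Run the classifier over the Authorization values of the successful (200) request, not the first 401 exchange, since the scheme the client finally uses is the one that counts.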