How can I check if my IIS site is using NTLM or Kerberos?

Solution 1:

From:

Determine if HTTP authentication is NTLM or Kerberos
http://support.microsoft.com/kb/891032

[...] "Since we are looking over this trace to see if the client is sending authentication information, we can use the TCP segments to track the HTTP GET requests and the response from the server. Here is a snippet from the frame that sends authentication information from the client:

23 4294967263.4294641621 LOCAL 00045A420DBC HTTP GET Request (from client using port 3135) 192.168.0.2 192.168.0.4 IP
HTTP: GET Request (from client using port 3135)
HTTP: Request Method = GET
HTTP: Uniform Resource Identifier = /webapplication1/webform1.aspx
HTTP: Protocol Version = HTTP/1.1
HTTP: Accept = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.
HTTP: Accept-Language = en-us
HTTP: Accept-Encoding = gzip, deflate
HTTP: User-Agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR
HTTP: Host = alien
HTTP: Connection = Keep-Alive
HTTP: Authorization = Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAA
44 77 3D 3D 0D 0A 0D 0A AAADw==....

"What does this tell us? We can see that the Authorization header is set to "Negotiate" and we can see a long string of characters sent in that header. This response tells us that the client and the server are negotiating an NTLM connection. We know that NTLM authentication is being used here because the first character is a "T." If it was a "Y," it would be Kerberos. The header is set to "Negotiate" instead of "NTLM." This does not mean it will use Kerberos or NTLM, but that it will "Negotiate" the authorization method and try Kerberos first if it is able. If it cannot use Kerberos, it will use NTLM."

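// Read the Authorization header the client sent (null when none was sent).
string auth = Request.ServerVariables["HTTP_AUTHORIZATION"];

// if it is Negotiate... ("Negotiate " is 10 characters, so the token starts at index 10)
if (auth != null && auth.Length > 10 && auth.StartsWith("Negotiate ", StringComparison.OrdinalIgnoreCase))
{
    // Base64 is case-sensitive, so compare the first token character exactly.
    if (auth[10] == 'Y')
    {
        // we are using Kerberos
    }
    else
    {
        // we are using NTLM
    }
}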
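
For checking a header value captured in a trace offline, the following is an added example (not from the KB article or the answer above) that decodes the token and inspects its bytes instead of only its first base64 character. The function name, the result strings and the two constructed SPNEGO samples are assumptions made for illustration; the classification is a heuristic based on the NTLMSSP signature and the mechanism OIDs found in the token.

```python
import base64
import binascii
import struct

# DER-encoded mechanism OIDs that can appear inside a GSS-API/SPNEGO token.
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos V5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (MS Kerberos)
)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def classify_authorization(header_value):
    """Return (scheme, mechanism) for an HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return scheme, "not Windows authentication"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return scheme, "malformed base64 token"
    # Raw NTLMSSP message: 8-byte signature, then a little-endian message type.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return scheme, "NTLM (type %d message)" % msg_type
    # 0x60 is the ASN.1 tag of a GSS-API initial token; base64 turns it into "Y".
    if token[:1] == b"\x60":
        if any(oid in token for oid in KRB5_OIDS):
            return scheme, "Kerberos"
        if NTLMSSP_OID in token:
            return scheme, "NTLM offered inside SPNEGO"
        return scheme, "GSS-API token, mechanism not recognized"
    return scheme, "unrecognized token"


# Token text as printed in the trace quoted above (its garbled tail left out).
PAGE_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAA"
# Constructed samples, not real tickets: GSS-API tag + SPNEGO OID + one mechanism OID.
SPNEGO_OID = bytes.fromhex("06062b0601050502")
FAKE_KRB = base64.b64encode(b"\x60\x13" + SPNEGO_OID + KRB5_OIDS[0]).decode()
FAKE_NTLM = base64.b64encode(b"\x60\x14" + SPNEGO_OID + NTLMSSP_OID).decode()

if __name__ == "__main__":
    for tok in (PAGE_TOKEN, FAKE_KRB, FAKE_NTLM):
        print(tok[:12], classify_authorization("Negotiate " + tok))
```

Both constructed SPNEGO samples begin with "Y" in base64, so for those the decoded mechanism OID is what separates Kerberos from NTLM carried inside SPNEGO.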

Solution 2:

If you have access to your IIS server then the answer is much simpler than inspecting HTTP traffic: Simply view the site Authentication module config for Windows Authentication.

  1. In IIS Manager
  2. Select your site
  3. Click on the Authentication module
  4. Select Windows Authentication
  5. Select Providers...

IIS Manager > Site > Authentication module > Providers