If so, what could be making them fall back to NTLM?
Thank you for using newsgroup!
From your post, how do you know the users are logging in with
Authentication Package NTLM not Kerberos? Could you let me know the related
event log description?
By default, Windows operating system will adopt Kerberos as the default
protocol for network authentication.
Windows 2000 Kerberos Authentication
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx>
Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Alan M" <m...@work.com>
| Subject: Event log shows NTLM not Kerberos
| Date: Thu, 24 Aug 2006 15:00:36 +0800
| Message-ID: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
| Newsgroups: microsoft.public.security
I get events saying
__
Successful Network Logon:
User Name: sunil
Domain: PP
Logon ID: (0x0,0x89CBC)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PPSUNIL
__
""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message
news:dNEZmr1x...@TK2MSFTNGXA01.phx.gbl...
Successful Network Logon:
User Name: sunil
Domain: PP
Logon ID: (0x0,0x843C1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message
news:dNEZmr1x...@TK2MSFTNGXA01.phx.gbl...
"Slim" <m...@here.com> wrote in message
news:%23odUKg3...@TK2MSFTNGP03.phx.gbl...
I don't know. I assume it's a login from a user logging onto a computer. I
thought that when accessing a shared folder it would just check the user's
SID. Well, when I'm at work tomorrow
Yes, accessing a share does check the SIDs of the user and their
groups in order to authorize or refuse the access. But to do that
it needs those SIDs, which is what authentication (i.e. log on) gives.
"Slim" <m...@here.com> wrote in message
news:ezP5eT4x...@TK2MSFTNGP02.phx.gbl...
Steve
"Alan M" <m...@work.com> wrote in message
news:Ojzmap0x...@TK2MSFTNGP03.phx.gbl...
Thank you for using newsgroup!
From your post, please send me an event log file.
1. Click Start and choose Run. Then input: eventvwr
2. Right-click Application, select Save Log File As, name the txt file and save it.
3. Right-click Security, select Save Log File As, name the txt file and save it.
4. Right-click System, select Save Log File As, name the txt file and save it.
5. Send it to me.
My mailbox: v-k...@microsoft.com
Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
--------------------
| From: "Slim" <m...@here.com>
| References: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
<dNEZmr1x...@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Event log shows NTLM not Kerberos
| Date: Thu, 24 Aug 2006 20:19:31 +0800
| Message-ID: <#odUKg3x...@TK2MSFTNGP03.phx.gbl>
| Newsgroups: microsoft.public.security
""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message
news:2td2yGDy...@TK2MSFTNGXA01.phx.gbl...
I found the following Authentication security log in your log file:
29/08/2006 8:59:59 AM Security Success Audit Logon/Logoff 540 PP\mark HOME
"Successful Network Logon:
User Name: mark
Domain: PP
Logon ID: (0x0,0x143EC0F)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PPREP2"
Based on your situation, I suggest you refer to the following article to
force Kerberos Authentication.
244474: How to force Kerberos to use TCP instead of UDP in Windows Server
2003, in Windows XP, and in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474
In addition, I would like to introduce how the Windows system works for
resource access. When a client attempts to access a resource on the server,
it will send out the authentication request to the server. When the server
gets the request, it will perform the following two steps:
1. Authenticate whether the user has permission to log on to this server.
2. Check whether the logged-on user has permission to access the resource.
For the first step, the server authenticates the user/password information
contained in the request packets. If the user passes the authentication,
the server gets the user's SID and compares it with the SIDs in the ACL on
the resource. If the SIDs match, the user is able to access the resource;
otherwise, the user will fail to access the resource.
What the Restrict Anonymous Policies Do
===============
We have three security policies to restrict anonymous access in Windows
2000/XP/2003:
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and
shares
Network access: Let Everyone permissions apply to anonymous users
After we enable these policies, ANONYMOUS LOGON account is restricted in
the second step of the resource access. In other words, ANONYMOUS LOGON
account is able to pass the authentication but it cannot access ANY
resource on the servers with the Restrict Anonymous policies.
Analysis
===============
Based on the above information, it is normal that we get the ANONYMOUS
LOGON auditing records in the security logs because the ANONYMOUS LOGON
account can pass the authentication. However, because we have configured
the restricted anonymous policies on the servers, the ANONYMOUS LOGON
cannot access any resource on the server. The only action for ANONYMOUS
LOGON is logon.
Conclusion
===============
According to the system design, we are not able to disable the ANONYMOUS
LOGON success audit records on the Windows system. If you would like to
restrict the anonymous access to the resource on the servers, just enable
the Restricted Anonymous policies. Then the ANONYMOUS LOGON account cannot
access any resource on the servers.
Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
--------------------
| From: "Alan M" <m...@work.com>
| References: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
<dNEZmr1x...@TK2MSFTNGXA01.phx.gbl>
<#odUKg3x...@TK2MSFTNGP03.phx.gbl>
<2td2yGDy...@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Event log shows NTLM not Kerberos
| Date: Tue, 29 Aug 2006 09:24:55 +0800
| Message-ID: <OOAZElwy...@TK2MSFTNGP05.phx.gbl>
| Newsgroups: microsoft.public.security
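As an added example (not part of the thread), a Python parser for the Security log text export Ken asks for, run over constructed sample records in the layout he quotes above: it counts 540 network logons per authentication package and lists named accounts that came in through NtLmSsp/NTLM rather than Kerberos, ignoring the ANONYMOUS LOGON records his analysis describes as normal.

```python
import re
from collections import Counter

# Constructed sample in the "Save Log File As" text layout quoted in the thread:
# timestamp, source, type, category, event id, user, computer, then the quoted
# description (the exported file wraps it over several lines; either works here).
SAMPLE_LOG = r'''29/08/2006 8:59:59 AM Security Success Audit Logon/Logoff 540 PP\mark HOME "Successful Network Logon: User Name: mark Domain: PP Logon ID: (0x0,0x143EC0F) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: PPREP2"
29/08/2006 9:01:12 AM Security Success Audit Logon/Logoff 540 PP\sunil HOME "Successful Network Logon: User Name: sunil Domain: PP Logon ID: (0x0,0x843C1) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: "
29/08/2006 9:02:40 AM Security Success Audit Logon/Logoff 540 NT AUTHORITY\ANONYMOUS LOGON HOME "Successful Network Logon: User Name: ANONYMOUS LOGON Domain: NT AUTHORITY Logon ID: (0x0,0x143F1A2) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: PPREP2"
'''

HEADER = re.compile(
    r'^(?P<ts>\S+ \S+ [AP]M) (?P<source>\S+) (?P<type>Success Audit|Failure Audit) '
    r'(?P<category>\S+) (?P<id>\d+) (?P<user>.+?) (?P<computer>\S+) "(?P<desc>.*)"\s*$',
    re.S)
FIELDS = ("User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name")
FIELD_RE = re.compile(
    r'(%s):\s*(.*?)(?=\s*(?:%s):|$)' % ('|'.join(FIELDS), '|'.join(FIELDS)), re.S)


def parse_events(text):
    """Split the export into records (each starts with a date) and parse them."""
    events = []
    for rec in re.split(r'(?m)^(?=\d{1,2}/\d{1,2}/\d{4} )', text):
        m = HEADER.match(rec.strip())
        if not m:
            continue  # blank chunk or a line in a layout we do not recognise
        ev = m.groupdict()
        ev["fields"] = {k: v.strip() for k, v in FIELD_RE.findall(ev.pop("desc"))}
        events.append(ev)
    return events


def package_counts(events):
    """How many 540 network logons used each authentication package."""
    return Counter(e["fields"].get("Authentication Package", "?")
                   for e in events if e["id"] == "540")


def ntlm_fallbacks(events):
    """Named (non-anonymous) accounts whose network logon went through NtLmSsp/NTLM
    instead of Kerberos: the candidates to investigate for Kerberos fallback."""
    hits = []
    for e in events:
        f = e["fields"]
        if (e["id"] == "540" and f.get("Logon Type") == "3"
                and f.get("Authentication Package") == "NTLM"
                and f.get("User Name") != "ANONYMOUS LOGON"):
            hits.append((f["Domain"] + "\\" + f["User Name"], f.get("Workstation Name", "")))
    return hits
```

On the sample, `package_counts` reports two NTLM and one Kerberos logon, and `ntlm_fallbacks` returns only PP\mark from PPREP2.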
How does one force the SSPI to log information on its
decisions during the SPNEGO negotiation, which in this poster's
case is resulting in use of NTLM instead of Kerberos, as one
would expect if access is using a non-IP UNC?
Roger
""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message
news:euN5XfN...@TK2MSFTNGXA01.phx.gbl...
Thanks for your comments.
Thanks & Regards,
Ken Zhao
Microsoft Online Partner Support
--------------------
| From: "Roger Abell [MVP]" <mvpN...@asu.edu>
| References: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
<dNEZmr1x...@TK2MSFTNGXA01.phx.gbl>
<#odUKg3x...@TK2MSFTNGP03.phx.gbl>
<2td2yGDy...@TK2MSFTNGXA01.phx.gbl>
<OOAZElwy...@TK2MSFTNGP05.phx.gbl>
<euN5XfN...@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Event log shows NTLM not Kerberos
| Date: Thu, 31 Aug 2006 20:08:47 -0700
| Message-ID: <u2ZavPX...@TK2MSFTNGP06.phx.gbl>
| Newsgroups: microsoft.public.security