
Event log shows NTLM not Kerberos


Alan M
Aug 24, 2006, 3:00:36 AM

I have an SBS 2000 server with a Win 2003 backup DC, all workstations are
XP SP2, yet I find that users are logging in with Authentication Package:
NTLM. Shouldn't they be using Kerberos?

If so, what could be making them fall back to NTLM?


Ken Zhao [MSFT]
Aug 24, 2006, 4:54:04 AM

Hello Alan,

Thank you for using newsgroup!

From your post, how do you know the users are logging in with
Authentication Package NTLM not Kerberos? Could you let me know the related
event log description?

By default, Windows operating system will adopt Kerberos as the default
protocol for network authentication.

Windows 2000 Kerberos Authentication
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx>

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Alan M" <m...@work.com>
| Subject: Event log shows NTLM not Kerberos
| Date: Thu, 24 Aug 2006 15:00:36 +0800
| Lines: 7
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
| Message-ID: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
| Newsgroups: microsoft.public.security
| NNTP-Posting-Host: home.premiumplastics.com.au 202.72.167.107
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.security:89266
| X-Tomcat-NG: microsoft.public.security

Slim
Aug 24, 2006, 8:19:31 AM

Me from home

I get events saying
__
Successful Network Logon:
User Name: sunil
Domain: PP
Logon ID: (0x0,0x89CBC)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PPSUNIL
__


""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message
news:dNEZmr1x...@TK2MSFTNGXA01.phx.gbl...

Slim
Aug 24, 2006, 8:21:01 AM

Yet at other times I get

Successful Network Logon:
User Name: sunil
Domain: PP
Logon ID: (0x0,0x843C1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message
news:dNEZmr1x...@TK2MSFTNGXA01.phx.gbl...

Roger Abell [MVP]
Aug 24, 2006, 9:23:42 AM

OK, so this is for a network login.
But do you know in response to what the connection happened?
For example, using \\10.100.1.45/sharename (i.e. host named by IP)
will always use NTLM.
Are they just using \\servername\sharename or what?

"Slim" <m...@here.com> wrote in message
news:%23odUKg3...@TK2MSFTNGP03.phx.gbl...
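As an added illustration of Roger's point (example code written for this edit, not something posted in the thread): a Kerberos ticket request is built from the host name in the UNC path, so a path whose server part is an IP literal leaves the client with nothing to request a ticket for and the negotiation settles on NTLM. A quick defender-side check is to audit logon scripts and mapped-drive definitions for IP-named hosts, which explains a share of NTLM events before anything else is suspected. The logon script below is constructed; the `.ipv6-literal.net` spelling is the Windows convention for an IPv6 address inside a UNC path and is handled as an extra case beyond Roger's IPv4 example.

```python
import ipaddress
import re

# Constructed logon script (not from the thread): a mix of name-based and
# IP-based UNC paths of the kind Roger asks about.
SAMPLE_LOGON_SCRIPT = r"""
rem map the usual drives
net use H: \\PPFILE01\home /persistent:no
net use S: \\10.100.1.45\sharename /persistent:no
net use T: \\ppfile01.pp.local\data /persistent:no
start \\10.100.1.45/sharename
net use U: \\fe80--1.ipv6-literal.net\tools /persistent:no
"""

# \\host\share or \\host/share; the host stops at the next slash, backslash or space.
UNC_RE = re.compile(r"\\\\([^\\/\s]+)[\\/]([^\\/\s]+)")


def host_is_ip_literal(host: str) -> bool:
    """True when the server part of a UNC path is an address rather than a name.

    Kerberos needs a service principal name built from the host name to ask the
    KDC for a ticket; an address gives the client nothing to build one from, so
    SPNEGO falls back to NTLM.  ".ipv6-literal.net" is how Windows spells an IPv6
    address inside a UNC path.
    """
    if host.lower().endswith(".ipv6-literal.net"):
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_unc_paths(text: str) -> list:
    """Return every UNC path in the text whose server part is an IP literal."""
    return [m.group(0) for m in UNC_RE.finditer(text) if host_is_ip_literal(m.group(1))]


if __name__ == "__main__":
    for path in find_ip_unc_paths(SAMPLE_LOGON_SCRIPT):
        print(f"NTLM expected (IP-named host): {path}")
```

Run against a real logon script or the output of `net use` on a workstation, each path this reports is one that will never produce a Kerberos event 540 on the server, whatever the client and DC are otherwise capable of.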

Slim
Aug 24, 2006, 9:51:26 AM

"Roger Abell [MVP]" <mvpN...@asu.edu> wrote in message
news:uh9vDC4x...@TK2MSFTNGP04.phx.gbl...

> OK, so this is for a network login.
> But do you know in response to what the connection happened?
> For example, using \\10.100.1.45/sharename (i.e. host named by IP)
> will always use NTLM.
> Are they just using \\servername\sharename or what?


I don't know. I assume it's a login from a user logging onto a computer. I
thought that when accessing a shared folder it would just check the user's
SID. I will check when I'm at work tomorrow.

Roger Abell [MVP]
Aug 24, 2006, 10:30:37 AM

What you showed was login type 3, i.e. network login.

Yes, accessing a share does check the SIDs of the user and their
groups in order to authorize or refuse the access. But to do that
it needs those SIDs, which is what authentication (i.e. log on) gives.

"Slim" <m...@here.com> wrote in message

news:ezP5eT4x...@TK2MSFTNGP02.phx.gbl...

Steven L Umbach
Aug 24, 2006, 2:44:30 PM

Where are you seeing these events - only for the domain controllers or on
domain computers? If a user accesses a share on a domain member computer
authenticating to a local user account on that computer then Kerberos will
not be used. If you are seeing events in the domain controller security log
from specific "domain" computers that are not using Kerberos, you can run the
support tool netdiag on that domain member computer to see if any problems
are found; it also will do a Kerberos test. Domain computers all need to
be within 5 minutes of time sync with the domain controllers; that should
happen automatically but is also worth checking out. Another possibility is
that users are using non-domain computers [laptops from home] to access
domain resources by supplying correct domain credentials.

Steve


"Alan M" <m...@work.com> wrote in message
news:Ojzmap0x...@TK2MSFTNGP03.phx.gbl...

Ken Zhao [MSFT]
Aug 25, 2006, 6:31:44 AM

Hello Alan,

Thank you for using newsgroup!

From your post, please send me an event log file.
1. Click Start and choose Run. Then input: eventvwr
2. Right-click Application, select Save Log File As, name the txt file and
save it.
3. Right-click Security, select Save Log File As, name the txt file and
save it.
4. Right-click System, select Save Log File As, name the txt file and save
it.
5. Send it to me.
My mailbox: v-k...@microsoft.com

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security


--------------------
| From: "Slim" <m...@here.com>
| References: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
<dNEZmr1x...@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Event log shows NTLM not Kerberos
| Date: Thu, 24 Aug 2006 20:19:31 +0800
| Lines: 99
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.3790.2663
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
| Message-ID: <#odUKg3x...@TK2MSFTNGP03.phx.gbl>
| Newsgroups: microsoft.public.security
| NNTP-Posting-Host: home.premiumplastics.com.au 202.72.167.107
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.security:89273
| X-Tomcat-NG: microsoft.public.security

Alan M
Aug 28, 2006, 9:24:55 PM

Have done so.
Could you please look at the attacks listed in the log also.
It would seem to me that I am being attacked, but the attacks have not been
successful.

""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message

news:2td2yGDy...@TK2MSFTNGXA01.phx.gbl...

Ken Zhao [MSFT]
Aug 31, 2006, 4:31:12 AM

Hello Alan,

I found the following Authentication security log in your log file:

29/08/2006 8:59:59 AM Security Success Audit Logon/Logoff 540 PP\mark HOME
"Successful Network Logon:
User Name: mark
Domain: PP
Logon ID: (0x0,0x143EC0F)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PPREP2"

Based on your situation, I suggest you refer to the following article to
force Kerberos Authentication.

244474: How to force Kerberos to use TCP instead of UDP in Windows Server
2003, in Windows XP, and in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474

In addition, I would like to introduce how a Windows system works for resource
access. When a client attempts to access a resource on the server, it will
send out the authentication request to the server. When the server gets the
request, it will perform the following two steps:

1. Authenticate whether the user has permission to log on to this server.
2. Check if the logged-on user has permission to access the resource.

For the first step, the server authenticates the user/password information
contained in the request packets. If the user passes the authentication,
the server gets the user's SID and compares it with the SIDs in the ACL on
the resource. If the SIDs match, the user is able to access the resource;
otherwise, the user will fail to access the resource.

What the Restrict Anonymous Policies Do
===============
We have three security policies to restrict anonymous access in Windows
2000/XP/2003:

Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and
shares
Network access: Let Everyone permissions apply to anonymous users

After we enable these policies, ANONYMOUS LOGON account is restricted in
the second step of the resource access. In other words, ANONYMOUS LOGON
account is able to pass the authentication but it cannot access ANY
resource on the servers with the Restrict Anonymous policies.

Analysis
===============
Based on the above information, it is normal that we get the ANONYMOUS
LOGON auditing records in the security logs because the ANONYMOUS LOGON
account can pass the authentication. However, because we have configured
the restricted anonymous policies on the servers, the ANONYMOUS LOGON
cannot access any resource on the server. The only action for ANONYMOUS
LOGON is logon.

Conclusion
===============
According to the system design, we are not able to disable the ANONYMOUS
LOGON success audit records on the Windows system. If you would like to
restrict the anonymous access to the resource on the servers, just enable
the Restricted Anonymous policies. Then the ANONYMOUS LOGON account cannot
access any resource on the servers.

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security


--------------------
| From: "Alan M" <m...@work.com>
| References: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
<dNEZmr1x...@TK2MSFTNGXA01.phx.gbl>
<#odUKg3x...@TK2MSFTNGP03.phx.gbl>
<2td2yGDy...@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Event log shows NTLM not Kerberos
| Date: Tue, 29 Aug 2006 09:24:55 +0800
| Lines: 167
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
| X-RFC2646: Format=Flowed; Original
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
| Message-ID: <OOAZElwy...@TK2MSFTNGP05.phx.gbl>
| Newsgroups: microsoft.public.security
| NNTP-Posting-Host: home.premiumplastics.com.au 202.72.167.107
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP05.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.security:89427
| X-Tomcat-NG: microsoft.public.security
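Pulling together the records from Slim's two posts and the exported-log line Ken quotes above: the difference the thread is chasing is the Logon Process / Authentication Package pair on event 540 (NtLmSsp/NTLM versus Kerberos/Kerberos), and Ken's later point is that ANONYMOUS LOGON type-3 events are expected noise once the Restrict Anonymous policies are on. The Python below is an added example for this edit, not code from the thread or from Microsoft. It parses the saved-log text, sorts each network logon into one of those buckets, and lists the domain accounts that authenticated with NTLM together with the workstation that sent the request, which is where Roger's question about IP-named UNC paths and Steven's points about local accounts and non-domain machines start. Slim's first record is kept with the blank lines he pasted to show the parser tolerates them; the ANONYMOUS LOGON and local-account records are constructed, and the domain NetBIOS name PP is taken from the thread.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: Slim's two records (the first pasted with blank lines between fields),
# the exported-log line Ken quoted, and two made-up records (ANONYMOUS LOGON, local account).
SAMPLE_LOG = """
Successful Network Logon:

User Name: sunil

Domain: PP

Logon ID: (0x0,0x89CBC)

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: PPSUNIL

Successful Network Logon:
User Name: sunil
Domain: PP
Logon ID: (0x0,0x843C1)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

29/08/2006 8:59:59 AM Security Success Audit Logon/Logoff 540 PP\\mark HOME "Successful Network Logon:
User Name: mark
Domain: PP
Logon ID: (0x0,0x143EC0F)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PPREP2"

Successful Network Logon:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: LAPTOP01
Successful Network Logon:
User Name: localadmin
Domain: PPFILE01
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: PPSUNIL
"""

RECORD_MARKER = "Successful Network Logon:"
# "Key: value"; the optional trailing quote closes the description in the exported line.
FIELD_RE = re.compile(r'^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)"?\s*$')
KEYS = ("User Name", "Domain", "Authentication Package", "Workstation Name")


@dataclass
class NetworkLogon:
    user: str
    domain: str
    auth_package: str
    workstation: str

    def category(self, domain_netbios: str) -> str:
        # Bucket the event the way the thread reasons about it.
        if self.auth_package.lower() == "kerberos":
            return "kerberos"
        if self.user.upper() == "ANONYMOUS LOGON":
            return "ntlm-anonymous"        # expected noise once Restrict Anonymous is on
        if self.domain.upper() != domain_netbios.upper():
            return "ntlm-local-account"    # local SAM account: Kerberos never applies
        return "ntlm-domain-account"       # the case the thread is chasing

def parse_network_logons(text: str) -> list[NetworkLogon]:
    # Split at each record marker, then read the Key: value lines that follow it.
    records = []
    for chunk in text.split(RECORD_MARKER)[1:]:
        fields: dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields.setdefault(m.group(1).strip(), m.group(2).strip())
        records.append(NetworkLogon(*(fields.get(k, "") for k in KEYS)))
    return records

def summarize(records: list[NetworkLogon], domain_netbios: str) -> dict[str, int]:
    return dict(Counter(r.category(domain_netbios) for r in records))

def ntlm_domain_account_logons(records: list[NetworkLogon], domain_netbios: str) -> list[tuple[str, str]]:
    # (user, workstation) pairs for domain accounts that ended up on NTLM.
    return sorted({(r.user, r.workstation) for r in records
                   if r.category(domain_netbios) == "ntlm-domain-account"})
```

Feed the text saved from Event Viewer (Ken's "Save Log File As" steps) to `parse_network_logons`, then `summarize(records, "PP")` gives the bucket counts and `ntlm_domain_account_logons(records, "PP")` the short list worth investigating; on the sample above that list is mark from PPREP2 and sunil from PPSUNIL, while the Kerberos event, the ANONYMOUS LOGON and the local-account logon are set aside. A Kerberos 540 often carries an empty Workstation Name, as in Slim's second record, so the workstation column is only reliable for the NTLM rows.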

Roger Abell [MVP]
Aug 31, 2006, 11:08:47 PM

Hi Ken,

How does one force the SSPI to log information on its
decisions during the spnego negotiation, which in this poster's
case is resulting in use of NTLM instead of Kerberos as one
would expect if access is using a non-IP UNC ??

Roger

""Ken Zhao [MSFT]"" <v-k...@online.microsoft.com> wrote in message

news:euN5XfN...@TK2MSFTNGXA01.phx.gbl...

Ken Zhao [MSFT]
Sep 5, 2006, 5:48:50 AM

Hi Roger,

Thanks for your comments.

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security



--------------------
| From: "Roger Abell [MVP]" <mvpN...@asu.edu>
| References: <Ojzmap0x...@TK2MSFTNGP03.phx.gbl>
<dNEZmr1x...@TK2MSFTNGXA01.phx.gbl>
<#odUKg3x...@TK2MSFTNGP03.phx.gbl>
<2td2yGDy...@TK2MSFTNGXA01.phx.gbl>
<OOAZElwy...@TK2MSFTNGP05.phx.gbl>
<euN5XfN...@TK2MSFTNGXA01.phx.gbl>
| Subject: Re: Event log shows NTLM not Kerberos
| Date: Thu, 31 Aug 2006 20:08:47 -0700
| Lines: 299
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.2869
| X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
| X-RFC2646: Format=Flowed; Original
| Message-ID: <u2ZavPX...@TK2MSFTNGP06.phx.gbl>
| Newsgroups: microsoft.public.security
| NNTP-Posting-Host: ppp_149_169_167_107.inre.asu.edu 149.169.167.107
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP06.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.security:89524
| X-Tomcat-NG: microsoft.public.security
