X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C88317.4A7D5CB7@onstor-exch02.onstor.net>; Mon, 10 Mar 2008 18:29:03 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-class: urn:content-classes:message
Subject: RE: Is there an easy way to tell what authentication a domain is using?
Date: Mon, 10 Mar 2008 18:29:02 -0700
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E08D29B14@onstor-exch02.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E05C74448@onstor-exch02.onstor.net>
Thread-Topic: Is there an easy way to tell what authentication a domain is using?
Thread-Index: AciDEpYK7crEDjuwRVmfF3Tg9iXQIAAAJe5QAABFmEAAAGpYkA==
References: <04ec01c88313$9ca7f790$644f7e0a@cssltbmortensen> <BB375AF679D4A34E9CA8DFA650E2B04E05C74448@onstor-exch02.onstor.net>
From: "Ron Bhanukitsiri" <ronb@onstor.com>
To: "Sandrine Boulanger" <sandrine.boulanger@onstor.com>,
	"Bob Mortensen (Glasshouse)" <bob.mortensen@onstor.com>,
	"Michael Tracy (Glasshouse)" <mtracy@css.glasshouse.com>
Cc: "Ron Bhanukitsiri" <ronb@onstor.com>,
	"dl-cstech" <dl-cstech@onstor.com>

Windows 2000 uses NTLMv2 as well as NTLMv1.

Regarding the quotation below, that's good info for Windows.
But like all things kerberos, it goes deeper than that :-).

Indeed, a kerberos capable client (Win2K, XP, Vista) tries to get a
service ticket from the DC. However, if the vserver is joined in NTLM
mode (i.e. domain without -k), the client will *not* be able to get
a service ticket because the service principal name for the vserver
would not be present in AD. The client then must fall back to using
NTLM. This is why the client can still talk to an NT server joined
to an AD domain (good heavens ;-).

If the vserver is joined to a kerberos domain (i.e. domain with
-k option), then the kerberos service principal name for the vserver
exists and the service ticket for the vserver will be given by the DC
and the client should use kerberos authentication.

Also, you can find out what authentication type the client is using
to talk to our vserver by enabling DEBUG elog and looking for the
log line shown in the Wiki page.
http://wiki.onstor.net/wiki/Troubleshooting_CIFS_Kerberos

Ron B[ee]

-----Original Message-----
From: Sandrine Boulanger
Sent: Monday, March 10, 2008 6:09 PM
To: Bob Mortensen (Glasshouse); Michael Tracy (Glasshouse); Ron Bhanukitsiri
Subject: RE: Is there an easy way to tell what authentication a domain is using?

I also think that Windows 2000 is using NTLMv1 and Windows 2003 and
above uses NTLMv2 (Ron, correct me if I'm wrong).

-----Original Message-----
From: Bob Mortensen (Glasshouse)
Sent: Monday, March 10, 2008 6:03 PM
To: Michael Tracy (Glasshouse); dl-cstech
Subject: RE: Is there an easy way to tell what authentication a domain is using?

MT:

Not sure if this helps, but here's something I found on the web.
This was in the context of authentication errors:

--------------------------------------------------------------------
Windows 2000 and 2003 domain controllers support Kerberos and NTLM
authentication protocols. When a Windows 2000 or later computer needs to
find out if a domain account is authentic, the computer first tries to
contact the DC via Kerberos. If it doesn't receive a reply, it falls back
to NTLM. In an AD forest comprising computers running Windows 2000 and
later, all authentication between workstations and servers should be
Kerberos. Windows 2000 and later domain controllers log different event
IDs for Kerberos and NTLM authentication activity, so it's easy to
distinguish them.

In an AD forest of Windows 2000 or later computers, any NTLM
authentication events you see on domain controllers can only have a few
explanations. First, Windows will fall back to NTLM if routers for some
reason block Kerberos traffic (UDP port 88). Second, if your domain
trusts another domain outside your forest (defined in Active Directory
Domains and Trusts), you'll see NTLM events on your domain controllers
since Kerberos doesn't work for external trust relationships. (Note:
Windows Server 2003 supports a new type of trust called cross forest
trusts. A cross forest trust is a transitive, 2-way trust between 2
Windows Server 2003 domains. Cross forest trusts use Kerberos - not
NTLM.) The third explanation for NTLM events in your domain controller's
security log is rogue computers. Contrary to popular misconception,
Windows does not prevent a user at a computer from an un-trusted domain
or stand-alone computer (a Windows computer that doesn't belong to any
domain) from connecting to a server in your domain using a domain
account. To prove this, just map a drive to a computer in an untrusting
domain using the "net use" command. For instance, in the below example I
connect to a file server called NYC-FS-1 in the NYC domain using the
domain Administrator account and a password of #dk32HE4.

net use \\nyc-fs-1.nyc.acme.local\c$ #dk32HE4 /user:nyc\administrator

If you have an application such as an IIS web application that uses NTLM
authentication, you will see NTLM also. About the only other explanation
for NTLM events on your domain controller security logs is more mundane:
you just have some pre-Win2k computers somewhere in your local domain or
in the overall forest.
--------------------------------------------------------------------


Best regards,
Bob Mortensen
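
An added example, not from this thread or from OnStor, showing how the "different event IDs" point in the quoted text can be turned into a check: a small Python script classifies domain-controller log lines as Kerberos or NTLM by event ID and reports which clients only ever authenticate with NTLM (the cases the quote lists: blocked UDP 88, external trusts, rogue or pre-Win2k machines) and which Kerberos-capable clients also show NTLM events (the vserver-without-SPN fallback Ron describes). The log line layout, host names, accounts and timestamps below are constructed for the example and are not the real Windows event format; the event IDs are real (4768/4769/4776 on Windows Server 2008 and later, 672/673/680 on Windows 2000/2003).

```python
"""Classify constructed domain-controller log lines as Kerberos or NTLM."""
import re
from collections import Counter, defaultdict

# Security-log event IDs a domain controller records per protocol family.
# 4768 (TGT) / 4769 (service ticket) / 4776 (NTLM validation) are the
# Windows Server 2008+ IDs; 672 / 673 / 680 are the Windows 2000/2003 ones.
KERBEROS_EVENT_IDS = {4768, 4769, 672, 673}
NTLM_EVENT_IDS = {4776, 680}

# Constructed sample log (not real data). The "EventID=... Account=...
# Client=..." layout is an assumption of this example only.
SAMPLE_LOG = """\
2008-03-10 18:01:02 EventID=4768 Account=alice Client=10.0.0.5
2008-03-10 18:01:03 EventID=4769 Account=alice Client=10.0.0.5 Service=cifs/vserver-k.example.local
2008-03-10 18:02:10 EventID=4776 Account=bob Client=10.0.0.9
2008-03-10 18:02:11 EventID=4776 Account=alice Client=10.0.0.5
2008-03-10 18:03:00 EventID=680 Account=carol Client=WKS-NT4
this line is not an event and is skipped
2008-03-10 18:04:00 EventID=4624 Account=dave Client=10.0.0.7
"""

LINE_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+Account=(?P<acct>\S+)\s+Client=(?P<client>\S+)"
)


def classify_event(event_id):
    """Map an event ID to 'kerberos', 'ntlm', or None if it is neither."""
    if event_id in KERBEROS_EVENT_IDS:
        return "kerberos"
    if event_id in NTLM_EVENT_IDS:
        return "ntlm"
    return None


def parse_line(line):
    """Return a dict for an authentication event line, or None otherwise."""
    match = LINE_RE.search(line)
    if match is None:
        return None
    event_id = int(match.group("id"))
    protocol = classify_event(event_id)
    if protocol is None:
        # e.g. 4624 logon events: not a protocol indicator on the DC
        return None
    return {
        "event_id": event_id,
        "account": match.group("acct"),
        "client": match.group("client"),
        "protocol": protocol,
    }


def summarize(log_text):
    """Count events per protocol and group clients by what they used."""
    counts = Counter()
    protocols_by_client = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        counts[event["protocol"]] += 1
        protocols_by_client[event["client"]].add(event["protocol"])

    # Clients that never obtained a Kerberos ticket: candidates for blocked
    # UDP 88, an external trust, a rogue machine, or a pre-Win2k host.
    ntlm_only = sorted(
        c for c, p in protocols_by_client.items() if p == {"ntlm"}
    )
    # Kerberos-capable clients that still fell back to NTLM for some
    # service, e.g. a server with no SPN registered in AD.
    mixed = sorted(
        c for c, p in protocols_by_client.items() if p == {"kerberos", "ntlm"}
    )
    return {
        "counts": dict(counts),
        "ntlm_only_clients": ntlm_only,
        "mixed_clients": mixed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("events by protocol:", result["counts"])
    print("NTLM-only clients:", result["ntlm_only_clients"])
    print("Kerberos clients that also used NTLM:", result["mixed_clients"])
```

On the constructed sample, the script counts two Kerberos and three NTLM events, flags 10.0.0.9 and WKS-NT4 as NTLM-only, and flags 10.0.0.5 as a Kerberos client that also fell back to NTLM. Note that these DC event IDs only separate Kerberos from NTLM; whether a given NTLM exchange was NTLMv1 or NTLMv2 (Michael's original question) is not visible from 4776 alone and has to be read from the resource server's own logon event, whose "Package Name (NTLM only)" field names the version.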

-----Original Message-----
From: Michael Tracy [mailto:mtracy@css.glasshouse.com]
Sent: Monday, March 10, 2008 5:45 PM
To: DL-CStech
Subject: Is there an easy way to tell what authentication a domain is using?

Hi all

Is there a way to tell if a site is using ntlm, kerberos or ntlmv2 from an
SGA?
Have had a few sites where the caller didn't know. Makes for more fun
troubleshooting domain issues.

Michael