RE: Kerberos Configured, but occasionally users login using NTLM

Hi WenJun,

Thanks very much for getting back to me.

The clients are set to integrated authentication.

As mentioned in the original post, it seems to be happening for all users -
looking in the security event log, USERA will have a number of logins that
use Kerberos, and then all of a sudden they will have a login that uses NTLM.
The logon request will be from the same machine, with the client set to
integrated authentication, but occasionally there is still an NTLM logon.

They are all internal machines to our domain, and I have checked the setting
on several machines on which this has occurred.

My understanding of the "Negotiate, NTLM" setting for the
NTAuthenticationProviders in the metabase is that Kerberos will be used, but
if there is a problem, it will fall back on NTLM. Is this correct? Is there a
way of saying Kerberos requests only?

If you have any other ideas, I would love to hear them.

Thanks in advance for your assistance!

"WenJun Zhang[msft]" wrote:


By default, IIS always supports both Kerberos and NTLM protocols for
integrated windows authentication - the default value of
NTAuthenticationProviders property in the metabase is "Negotiate,NTLM". However,
choosing which protocol to use lies on the client side, not on IIS. In IE Internet
Options->Advanced, if the option "Enable Integrated Windows Authentication"
is selected, IE will use Kerberos for integrated auth. Otherwise NTLM will
be used. The option is actually a switch between the protocols instead of
turning integrated auth on or off.

I assume the problem you meet is that some clients' IE don't enable this
option (the default setting is enabled). So they are using NTLM to access the
web site and meet problems because the NTLM protocol doesn't support delegation.
If they are all internal client machines in your domain, you may check
these clients to ensure the option is enabled.

More information can be found at:

KB 215383: How to configure IIS to support both the Kerberos protocol and the
NTLM protocol for network authentication

Please update if you have any further question on this.

Have a nice day.


WenJun Zhang

Microsoft Online Community Support

This posting is provided "AS IS" with no warranties, and confers no rights.
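The per-user check the original poster describes (runs of Kerberos logons with an occasional NTLM logon from the same machine) as an added Python example; it is not part of this thread. It assumes a constructed CSV export of the web server's security log with user, workstation and authentication-package columns; every row is made up.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export of the web server's security log logon events
# (time, account, source workstation, authentication package). The rows are
# made up for this example; a real export would come from the event log.
SAMPLE_EXPORT = """\
time,user,workstation,auth_package
2009-03-02 09:01:12,USERA,WS01,Kerberos
2009-03-02 09:03:40,USERA,WS01,Kerberos
2009-03-02 09:07:55,USERA,WS01,NTLM
2009-03-02 09:08:10,USERA,WS01,Kerberos
2009-03-02 09:10:02,USERB,WS02,Kerberos
2009-03-02 09:12:33,USERB,WS02,Kerberos
2009-03-02 09:15:00,SVC_BACKUP,WS09,NTLM
2009-03-02 09:16:20,SVC_BACKUP,WS09,NTLM
"""

def parse_logons(text):
    """Parse the CSV export into one dict per logon event."""
    return list(csv.DictReader(StringIO(text)))

def find_ntlm_fallbacks(events):
    """Split NTLM logons into intermittent fallbacks (the user/workstation
    pair also logs on with Kerberos, the symptom in the thread) and pairs
    that only ever use NTLM (a client that never negotiates Kerberos)."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["workstation"])].add(e["auth_package"].upper())
    fallbacks, ntlm_only = [], []
    for e in events:
        if e["auth_package"].upper() != "NTLM":
            continue
        key = (e["user"], e["workstation"])
        (fallbacks if "KERBEROS" in seen[key] else ntlm_only).append(e)
    return fallbacks, ntlm_only

def ntlm_ratio(events):
    """Share of NTLM logons per user, to see how widespread the fallback is."""
    total, ntlm = defaultdict(int), defaultdict(int)
    for e in events:
        total[e["user"]] += 1
        ntlm[e["user"]] += e["auth_package"].upper() == "NTLM"
    return {u: ntlm[u] / total[u] for u in total}

if __name__ == "__main__":
    fallbacks, ntlm_only = find_ntlm_fallbacks(parse_logons(SAMPLE_EXPORT))
    for e in fallbacks:
        print("intermittent NTLM:", e["time"], e["user"], e["workstation"])
```

The NTLM-only pairs are worth a separate look: they are not a fallback but a client that never offers Kerberos, which matches the IE option the reply above points at.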

