Re: Event log shows NTLM not Kerberos



Hi Roger,

Thanks for your comments.

Thanks & Regards,

Ken Zhao

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
| From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
| Subject: Re: Event log shows NTLM not Kerberos
| Date: Thu, 31 Aug 2006 20:08:47 -0700
| Newsgroups: microsoft.public.security
|
| Hi Ken,
|
| How does one force the SSPI to log information on its
| decisions during the spnego negotiation, which in this poster's
| case is resulting in use of NTLM instead of Kerberos as one
| would expect if access is using a non-IP UNC ??
|
| Roger
|
| ""Ken Zhao [MSFT]"" <v-kzhao@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:euN5XfNzGHA.400@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hello Alan,
| >
| > I found the following Authentication security log in your log file:
| >
| > 29/08/2006 8:59:59 AM Security Success Audit Logon/Logoff 540 PP\mark HOME
| > "Successful Network Logon:
| > User Name: mark
| > Domain: PP
| > Logon ID: (0x0,0x143EC0F)
| > Logon Type: 3
| > Logon Process: NtLmSsp
| > Authentication Package: NTLM
| > Workstation Name: PPREP2"
| >
| > Based on your situation, I suggest you refer to the following article to
| > force Kerberos Authentication.
| >
| > 244474: How to force Kerberos to use TCP instead of UDP in Windows Server
| > 2003, in Windows XP, and in Windows 2000
| > http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474
| >
| > In addition, I would like to introduce how Windows system works for
| > resource access. When a client attempts to access a resource on the server,
| > it will send out the authentication request to the server. When the server
| > gets the request, it will perform the following two steps:
| >
| > 1. Authenticate if the user has permissions to logon on this server.
| > 2. Check if the logon user has the permissions to access the resource.
| >
| > For the first step, the server authenticates the user/password information
| > contained in the request packets. If the user passes the authentication,
| > the server gets the user's SID and compares it with the SIDs in the ACL on
| > the resource. If the SIDs match, the user is able to access the resource;
| > otherwise, the user will fail to access the resource.
| >
| > What the Restrict Anonymous Policies Do
| > ===============
| > We have three security policies to restrict anonymous access in Windows
| > 2000/XP/2003:
| >
| > Network access: Do not allow anonymous enumeration of SAM accounts
| > Network access: Do not allow anonymous enumeration of SAM accounts and
| > shares
| > Network access: Let Everyone permissions apply to anonymous users
| >
| > After we enable these policies, ANONYMOUS LOGON account is restricted in
| > the second step of the resource access. In other words, ANONYMOUS LOGON
| > account is able to pass the authentication but it cannot access ANY
| > resource on the servers with the Restrict Anonymous policies.
| >
| > Analysis
| > ===============
| > Based on the above information, it is normal that we get the ANONYMOUS
| > LOGON auditing records in the security logs because the ANONYMOUS LOGON
| > account can pass the authentication. However, because we have configured
| > the restricted anonymous policies on the servers, the ANONYMOUS LOGON
| > cannot access any resource on the server. The only action for ANONYMOUS
| > LOGON is logon.
| >
| > Conclusion
| > ===============
| > According to the system design, we are not able to disable the ANONYMOUS
| > LOGON success audit records on the Windows system. If you would like to
| > restrict the anonymous access to the resource on the servers, just enable
| > the Restricted Anonymous policies. Then the ANONYMOUS LOGON account cannot
| > access any resource on the servers.
| >
| > Thanks & Regards,
| >
| > Ken Zhao
| > --------------------
| > | From: "Alan M" <me@xxxxxxxx>
| > | Subject: Re: Event log shows NTLM not Kerberos
| > | Date: Tue, 29 Aug 2006 09:24:55 +0800
| > | Newsgroups: microsoft.public.security
| > |
| > | Have done so
| > | Could you please look at attacks listed in log also.
| > | It would seem to me that I am being attacked but the attacks have not
| > | been successful
| > |
| > | ""Ken Zhao [MSFT]"" <v-kzhao@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | news:2td2yGDyGHA.5460@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > Hello Alan,
| > | >
| > | > Thank you for using newsgroup!
| > | >
| > | > From your post, please send me an event log file.
| > | > 1. Click Start and choose Run. Then input: eventvwr
| > | > 2. Right-click Application, select Save Log File As, name the txt file
| > | > and save it.
| > | > 3. Right-click Security, select Save Log File As, name the txt file and
| > | > save it.
| > | > 4. Right-click System, select Save Log File As, name the txt file and
| > | > save it.
| > | > 5. Send it to me.
| > | > My mailbox: v-kzhao@xxxxxxxxxxxxx
| > | >
| > | > Thanks & Regards,
| > | >
| > | > Ken Zhao
| > | > --------------------
| > | > | From: "Slim" <me@xxxxxxxx>
| > | > | Subject: Re: Event log shows NTLM not Kerberos
| > | > | Date: Thu, 24 Aug 2006 20:19:31 +0800
| > | > | Newsgroups: microsoft.public.security
| > | > |
| > | > | Me from home
| > | > |
| > | > | I get events saying
| > | > | __
| > | > | Successful Network Logon:
| > | > | User Name: sunil
| > | > | Domain: PP
| > | > | Logon ID: (0x0,0x89CBC)
| > | > | Logon Type: 3
| > | > | Logon Process: NtLmSsp
| > | > | Authentication Package: NTLM
| > | > | Workstation Name: PPSUNIL
| > | > | __
| > | > |
| > | > | "Ken Zhao [MSFT]" <v-kzhao@xxxxxxxxxxxxxxxxxxxx> wrote in message
| > | > | news:dNEZmr1xGHA.5460@xxxxxxxxxxxxxxxxxxxxxxxx
| > | > | > Hello Alan,
| > | > | >
| > | > | > Thank you for using newsgroup!
| > | > | >
| > | > | > From your post, how do you know the users are logging in with
| > | > | > Authentication Package NTLM not Kerberos? Could you let me know the
| > | > | > related event log description?
| > | > | >
| > | > | > By default, Windows operating system will adopt Kerberos as the
| > | > | > default protocol for network authentication.
| > | > | >
| > | > | > Windows 2000 Kerberos Authentication
| > | > | > <http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/kerberos.mspx>
| > | > | >
| > | > | > Thanks & Regards,
| > | > | >
| > | > | > Ken Zhao
| > | > | > --------------------
| > | > | > | From: "Alan M" <me@xxxxxxxx>
| > | > | > | Subject: Event log shows NTLM not Kerberos
| > | > | > | Date: Thu, 24 Aug 2006 15:00:36 +0800
| > | > | > | Newsgroups: microsoft.public.security
| > | > | > |
| > | > | > | I have a SBS 2000 server with a win 2003 backup DC, all workstations
| > | > | > | are XPSP2, yet I find that users are logging in with Authentication
| > | > | > | Package: NTLM. Shouldn't they be using Kerberos?
| > | > | > |
| > | > | > | If so what could be making them fall back to NTLM
| > | > | > |
| > | > | > |
| > | > | > |
| > | > | >
| > | > |
| > | > |
| > | > |
| > | >
| > |
| > |
| > |
| >
|
|
|
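
The question running through this thread, which accounts and workstations produce event 540 records with "Authentication Package: NTLM", can be answered from the text export of the Security log that the thread asks for, with the ANONYMOUS LOGON records counted apart. This is an added example, not part of the original posts; the function names and sample records are constructed (the account "alice" is invented), and it assumes the export keeps the field labels shown in the quoted excerpts.

```python
import re
from collections import Counter

FIELD = re.compile(r'^[ \t]*(User Name|Domain|Logon Type|Logon Process|'
                   r'Authentication Package|Workstation Name):[ \t]*(.*?)[ \t"]*$', re.M)

def parse_logons(text):
    """Return one dict of fields per 'Successful Network Logon' record."""
    return [dict(FIELD.findall(c)) for c in text.split("Successful Network Logon:")[1:]]

def classify(ev):
    """Label a record: kerberos, ntlm (named account), anonymous, or other."""
    package = ev.get("Authentication Package", "").upper()
    if ev.get("Logon Type") != "3":
        return "other"
    if package == "KERBEROS":
        return "kerberos"
    if package == "NTLM":
        # ANONYMOUS LOGON sessions show NTLM as well; keep them out of the tally.
        anonymous = ev.get("User Name", "") in ("", "ANONYMOUS LOGON")
        return "anonymous" if anonymous else "ntlm"
    return "other"

def ntlm_sources(events):
    """Count NTLM logons of named accounts per (DOMAIN\\user, workstation)."""
    counts = Counter()
    for ev in events:
        if classify(ev) == "ntlm":
            account = ev.get("Domain", "") + "\\" + ev.get("User Name", "")
            counts[(account, ev.get("Workstation Name", ""))] += 1
    return counts

def sample_event(user, domain, process, package, workstation):
    # Constructed record, laid out like the event 540 excerpts in the thread.
    return ('29/08/2006 8:59:59 AM Security Success Audit Logon/Logoff 540 '
            f'{domain}\\{user} HOME\n"Successful Network Logon:\n'
            f'User Name: {user}\nDomain: {domain}\nLogon ID: (0x0,0x143EC0F)\n'
            f'Logon Type: 3\nLogon Process: {process}\n'
            f'Authentication Package: {package}\nWorkstation Name: {workstation}"\n')

SAMPLE_LOG = "".join([  # constructed input; "alice" is a made-up account
    sample_event("mark", "PP", "NtLmSsp", "NTLM", "PPREP2"),
    sample_event("sunil", "PP", "NtLmSsp", "NTLM", "PPSUNIL"),
    sample_event("mark", "PP", "NtLmSsp", "NTLM", "PPREP2"),
    sample_event("alice", "PP", "Kerberos", "Kerberos", ""),
    sample_event("ANONYMOUS LOGON", "NT AUTHORITY", "NtLmSsp", "NTLM", "PPREP2"),
])

if __name__ == "__main__":
    print(ntlm_sources(parse_logons(SAMPLE_LOG)).most_common())
```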
