Authentication Uses NTLM instead of Kerberos

Updated: March 2, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You might find that the Security log recorded a logon event whose authentication package is NTLM when the logon should have used Kerberos authentication.

Cause

The system attempts Kerberos authentication, it fails, and the system falls back to NTLM. Windows Server 2003, Windows XP, and Windows 2000 use the Negotiate security package (SPNEGO) to select the authentication protocol. Kerberos is the preferred protocol, but if Kerberos fails, Negotiate tries NTLM. The fallback is silent from the user's point of view: the logon succeeds, and only the Security log shows that NTLM was used instead of Kerberos.

Solution

Investigate the Kerberos failure rather than the NTLM logon itself. Look for errors or warnings in the event logs on the client and on the domain controller (Kerberos client errors are written to the System log with a source of Kerberos; on a domain controller, a KDC source event reports problems such as a duplicate SPN), confirm that the service's SPN is registered on exactly one account (a missing or duplicate SPN is the most common cause of a Kerberos failure), and check that the client's clock is within the permitted skew of the domain controller (five minutes by default).
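As an added example (not part of the original article), the following PowerShell script does that investigation from the logs themselves: it tallies successful network logons in the Security log by authentication package, lists the accounts and workstations that used NTLM, and pulls Kerberos and KDC errors from the System log for the same window. It assumes PowerShell 2.0, an elevated session, and Windows Server 2003 logon auditing, where a successful network logon is event 540 and the message text carries the "Logon Process" and "Authentication Package" fields the script parses; the field names and regular expressions are taken from that message layout, not from a documented API.

```powershell
# Added example, not from the original article. Assumptions: PowerShell 2.0,
# run as an administrator, Windows Server 2003 "Audit logon events" enabled.
# Event 540 (successful network logon) carries lines such as
#   "Logon Process: NtLmSsp" and "Authentication Package: NTLM"
# in its message text; the regexes below parse that layout. (Windows Server
# 2008 and later log event 4624 with the same field names.)
param(
    [string]$ComputerName = '.',
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Pull the named "Label: value" fields out of one event message.
function Get-LogonFields([string]$Message) {
    $fields = @{}
    foreach ($name in 'User Name', 'Domain', 'Logon Process', 'Authentication Package', 'Workstation Name') {
        $pattern = '(?m)^\s*' + [regex]::Escape($name) + ':\s*(.*?)\s*$'
        if ($Message -match $pattern) { $fields[$name] = $matches[1] } else { $fields[$name] = '' }
    }
    return $fields
}

$logons = Get-EventLog -LogName Security -ComputerName $ComputerName -After $since |
    Where-Object { $_.EventID -eq 540 } |
    ForEach-Object {
        $f = Get-LogonFields $_.Message
        New-Object PSObject -Property @{
            Time        = $_.TimeGenerated
            Account     = $f['Domain'] + '\' + $f['User Name']
            Package     = $f['Authentication Package']   # "Kerberos" or "NTLM"
            Process     = $f['Logon Process']            # "Kerberos" or "NtLmSsp"
            Workstation = $f['Workstation Name']
        }
    }

Write-Host "Network logons in the last $Hours hours, by authentication package:"
$logons | Group-Object Package | Select-Object Name, Count | Format-Table -AutoSize

Write-Host 'Accounts and workstations that authenticated with NTLM:'
$logons | Where-Object { $_.Package -eq 'NTLM' } |
    Group-Object Account, Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# A Kerberos client error shortly before an NTLM logon from the same client is
# the fallback the article describes. Kerberos client errors go to the System
# log with a source of "Kerberos"; on a domain controller, source "KDC" reports
# problems such as duplicate SPNs.
Write-Host 'Kerberos and KDC errors/warnings in the System log:'
Get-EventLog -LogName System -ComputerName $ComputerName -After $since |
    Where-Object { ($_.Source -eq 'Kerberos' -or $_.Source -eq 'KDC') -and $_.EntryType -ne 'Information' } |
    Select-Object TimeGenerated, Source, EventID, Message | Format-List
```

Run it on the server that recorded the NTLM logon and, with -ComputerName, on the domain controller that served the client. A workstation that shows up only under NTLM while its neighbours show Kerberos points at that client (clock, SPN it is asking for, or a Negotiate-disabled application); a Kerberos error in the System log at the same minute gives the reason directly.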

Cause

A call to Negotiate returns NTLM as the only available protocol, so Kerberos is never attempted. This situation is harder to diagnose, because no Kerberos error is logged. There are two common causes, both involving Internet Explorer:

  • The Enable Integrated Windows Authentication (requires restart) check box is not selected in Internet Explorer 6.0.

  • Internet Explorer is accessing a site in the Internet zone instead of the intranet zone.

Solution

By default, Internet Explorer 6.0 does not attempt Kerberos authentication to any site.

To enable Internet Explorer 6.0 to respond to a negotiate challenge and perform Kerberos authentication:
  1. In Internet Explorer, on the Tools menu click Internet Options.

  2. Click the Advanced tab, in the Security group select the Enable Integrated Windows Authentication (requires restart) check box, and then click OK.

  3. Restart Internet Explorer.

For more information, see Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6 in the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=23045).

The second common cause is that Internet Explorer 6.0 is accessing a site that it places in the Internet zone. Sites in the Internet zone are not allowed to use Integrated Windows authentication, partly because these protocols do not typically work through Web proxies. If a site is in the Internet zone, Internet Explorer 6.0 does not attempt Kerberos authentication and tries NTLM instead (with the default "Automatic logon only in Intranet zone" setting, it prompts for credentials first).

In all versions of Internet Explorer, when you want to authenticate to a Web site with Kerberos, verify that Internet Explorer treats the site as being in the Local intranet zone. The status bar in the lower-right corner of the Internet Explorer window shows the zone: "Internet" for the Internet zone and "Local intranet" for the intranet zone. If the site is shown in the Internet zone, add it to the Local intranet sites list. Note that adding a site to this list also tells Internet Explorer to send the current user's credentials to it automatically, so add only hosts you control, and add them by the fully qualified host name under which the server's SPN is registered rather than by IP address.

To add an Internet site to the local intranet sites list
  1. On the Tools menu, click Internet Options.

  2. Click the Security tab, then click Local Intranet, then click Sites, and then click Advanced.

  3. In the box under Add this Web site to the zone, type the name of the Web site that you want to authenticate with Kerberos authentication, and then click Add.

  4. Click Close, and then click OK.
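As an added example (not part of the original article), the following PowerShell script checks, and with -Fix applies, both Internet Explorer settings from the procedures above by reading the registry instead of clicking through the dialog. It assumes the per-user locations named in the comments: EnableNegotiate under the Internet Settings key for the Integrated Windows Authentication check box, and the ZoneMap\Domains tree for the Local intranet sites list; the site name is a placeholder.

```powershell
# Added example, not from the original article. Assumed registry locations (per user):
#   HKCU\...\Internet Settings\EnableNegotiate                  DWORD 1 = Integrated Windows Authentication on
#   HKCU\...\Internet Settings\ZoneMap\Domains\<domain>\<host>  value named "http", "https" or "*";
#                                                                data 1 = Local intranet zone
# Zone numbers: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
# The site is a placeholder; run with -Fix to apply the changes.
param(
    [string]$Site = 'https://intranet.corp.example.com/',
    [switch]$Fix
)

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. "Enable Integrated Windows Authentication (requires restart)"
$negotiate = (Get-ItemProperty -Path $inetSettings -Name EnableNegotiate -ErrorAction SilentlyContinue).EnableNegotiate
if ($negotiate -eq 1) {
    Write-Host 'Integrated Windows Authentication: enabled'
} else {
    Write-Host 'Integrated Windows Authentication: disabled (IE will not answer a Negotiate challenge with Kerberos)'
    if ($Fix) {
        Set-ItemProperty -Path $inetSettings -Name EnableNegotiate -Value 1 -Type DWord
        Write-Host '  -> enabled; restart Internet Explorer'
    }
}

# 2. Zone mapping for the site. IE keys the list by registrable domain
#    (last two labels) and then by the remaining host labels, if any.
$uri     = [System.Uri]$Site
$labels  = $uri.Host.Split('.')
$domain  = ($labels | Select-Object -Last 2) -join '.'
$zoneKey = "$inetSettings\ZoneMap\Domains\$domain"
if ($labels.Count -gt 2) {
    $zoneKey += '\' + (($labels | Select-Object -First ($labels.Count - 2)) -join '.')
}

$zone = $null
if (Test-Path -Path $zoneKey) {
    $props = Get-ItemProperty -Path $zoneKey
    # A scheme-specific entry wins over the wildcard entry.
    if ($props.($uri.Scheme) -ne $null) { $zone = $props.($uri.Scheme) }
    elseif ($props.'*' -ne $null)       { $zone = $props.'*' }
}

if ($zone -eq 1) {
    Write-Host "$($uri.Host): explicitly mapped to Local intranet (zone 1)"
} else {
    if ($zone -eq $null) { Write-Host "$($uri.Host): no explicit zone mapping" }
    else                 { Write-Host "$($uri.Host): mapped to zone $zone, not Local intranet" }
    if ($Fix) {
        if (-not (Test-Path -Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
        Set-ItemProperty -Path $zoneKey -Name $uri.Scheme -Value 1 -Type DWord
        Write-Host "  -> added $($uri.Scheme)://$($uri.Host) to the Local intranet list"
    }
}
```

"No explicit zone mapping" does not by itself mean the Internet zone: single-label names and sites that bypass the proxy are placed in the Local intranet zone by IE's own rules, which is why the status bar is the authoritative check. Two caveats a practitioner should know: on Windows Server 2003 with Internet Explorer Enhanced Security Configuration turned on, the list is stored under ZoneMap\EscDomains instead of ZoneMap\Domains, and a "Site to Zone Assignment List" group policy (ZoneMapKey under HKLM\Software\Policies) overrides the per-user list entirely, in which case the dialog is greyed out and the change must be made in the policy.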

After you perform this procedure, if you find that NTLM authentication is still being used, or that Kerberos is not even being attempted in a situation where Kerberos authentication should be used, contact Product Support Services for help in diagnosing the problem.

Community Content
Please help (The A Team)
Hi guys, I'm having the same issue. Has anyone come up with a solution or a workaround? Thank you, guys.
Some Users Still Authenticate Via NTLM (Ryan Kavalsky)
I have Kerberos configured on our network, and most of our users are authenticating accordingly. However, 3 of our users (whose AD login and computer properties are all standard) are still being authenticated on the 2nd hop as "NT AUTHORITY\ANONYMOUS LOGON" using NTLM.

What would cause this?
Kerberos would not work for "localhost" (Kyle Yin)
Hi Scott,

Your browser will only use Kerberos if it can obtain a Kerberos token for the target SPN (the server in question) from the KDC.
The KDC will only issue a token if the SPN exists.
Most likely you do not have an SPN defined for "localhost", which is why the KDC fails to issue a token, which in turn causes your browser to fall back to NTLM.
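The check behind the comment above, as an added example that is neither the commenter's code nor part of the article: the Kerberos client builds the SPN HTTP/<host as typed in the URL> and asks the KDC for a ticket to it, so the question "will this URL get Kerberos?" is answered by whether that SPN exists on exactly one account in the directory. The script queries Active Directory for it with a plain LDAP search; it assumes a domain-joined machine, and the host names in the sample list are placeholders.

```powershell
# Added example, not from the comment above or from the article.
# Assumes a domain-joined machine whose current user can read the directory.
# The Kerberos client asks for a ticket to HTTP/<host>; if no account holds
# that SPN, the KDC may still satisfy it from HOST/<host> on the computer
# account, because HTTP is one of the service classes mapped to HOST by
# default (this covers IIS running as Network Service or Local System).

# Return the sAMAccountName of every account that holds the given SPN.
function Find-SpnOwners([string]$Spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher   # searches the current domain
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { $r.Properties['samaccountname'][0] }
}

# Report which SPN the KDC would find for a URL's host, and whether a ticket
# can be issued: exactly one owner is required, none means NTLM fallback, and
# more than one (a duplicate SPN) makes the KDC refuse the request.
function Test-HttpSpn([string]$Url) {
    $targetHost = ([System.Uri]$Url).Host
    $spn    = "HTTP/$targetHost"
    $owners = @(Find-SpnOwners $spn)
    if ($owners.Count -eq 0) {
        $spn    = "HOST/$targetHost"
        $owners = @(Find-SpnOwners $spn)
    }
    New-Object PSObject -Property @{
        Url      = $Url
        SpnTried = $spn
        Owners   = ($owners -join ', ')
        Kerberos = ($owners.Count -eq 1)
    }
}

# "localhost", an IP address, and any host name with no registered SPN all
# come back with no owner, so Negotiate falls back to NTLM for them even
# with Integrated Windows Authentication enabled. (Placeholder host names.)
'http://localhost/', 'http://127.0.0.1/', 'http://web01/', 'http://web01.corp.example.com/' |
    ForEach-Object { Test-HttpSpn $_ } |
    Format-Table Url, SpnTried, Owners, Kerberos -AutoSize
```

If a URL you expect to use Kerberos reports no owner, register the SPN on the account the web service actually runs as (setspn -A); if it reports two owners, remove the duplicate, since the KDC treats an ambiguous SPN as a failure and the browser silently falls back to NTLM.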
NTLM is used over Kerberos when connecting to localhost. (Scott Markwell)

NTLM appears to be used instead of Kerberos when making a request to a local system running an HTTP service.

I've noticed this in Windows Server 2003 using Internet Explorer 7

© 2012 Microsoft. All rights reserved.