Authentication Uses NTLM instead of Kerberos

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You might find that the Security log recorded an event in which logon occurred by using NTLM when it should have occurred by using Kerberos authentication.

Cause

The system attempts authentication by using the Kerberos protocol, but the attempt fails. As a result, the system falls back to NTLM. Windows Server 2003, Windows XP, and Windows 2000 use a security support provider called Negotiate (SPNEGO) to select the authentication protocol. Negotiate prefers the Kerberos protocol, but if Kerberos fails, Negotiate tries NTLM. Typical reasons for the Kerberos attempt to fail are that the client addressed the server by IP address rather than by name, or that no service principal name (SPN) is registered for the service.

Solution

Investigate by examining errors or warnings in the event logs: the Security log on the computer that recorded the NTLM logon, and the System log on the client, where the Kerberos client records its errors.
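The following script is an added example of that investigation, not part of the original article. It lists successful logons in the Security log whose authentication package was not Kerberos, and any Kerberos client errors or warnings in the System log from the same period. It assumes an elevated PowerShell session on the computer that recorded the logon, and it uses Get-EventLog rather than Get-WinEvent so that it also works on Windows Server 2003 with PowerShell 2.0 installed; the message field names it matches (User Name, Account Name, Workstation Name, Authentication Package) are those of the 528/540 and 4624 logon events.

```powershell
# Added example (not from the original article): find NTLM logons and
# Kerberos client errors in the last $Hours hours.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Successful logon events: 528 and 540 on Windows Server 2003,
# 4624 on Windows Server 2008 and later. All three carry an
# "Authentication Package:" line in the message body.
$logonIds = 528, 540, 4624
$logons = Get-EventLog -LogName Security -After $since -EntryType SuccessAudit |
    Where-Object { $logonIds -contains $_.EventID }

$ntlmLogons = foreach ($e in $logons) {
    if ($e.Message -match 'Authentication Package:\s+(\S+)') {
        $package = $Matches[1]
        # Anything other than Kerberos is suspect: "NTLM" on 2003, and
        # "NTLM" or "Negotiate" (with Package Name NTLM V1/V2) on 2008+.
        if ($package -ne 'Kerberos') {
            # 4624 lists the account twice (Subject and New Logon); take the
            # one under "New Logon:". 528/540 use "User Name:".
            $user = '?'
            if ($e.Message -match 'New Logon:[\s\S]*?Account Name:\s+(\S+)') {
                $user = $Matches[1]
            } elseif ($e.Message -match 'User Name:\s+(\S+)') {
                $user = $Matches[1]
            }
            $ws = '?'
            if ($e.Message -match 'Workstation Name:\s+(\S+)') { $ws = $Matches[1] }

            New-Object PSObject -Property @{
                Time        = $e.TimeGenerated
                EventID     = $e.EventID
                User        = $user
                Workstation = $ws
                Package     = $package
            }
        }
    }
}

Write-Host "Logons since $since that did not use Kerberos:"
$ntlmLogons | Sort-Object Time |
    Format-Table Time, EventID, User, Workstation, Package -AutoSize

# Kerberos client errors land in the System log. The source is "Kerberos"
# on Windows 2000/XP/2003 and "Microsoft-Windows-Security-Kerberos" on
# later versions, so match on the substring.
$kerbErrors = Get-EventLog -LogName System -After $since -EntryType Error, Warning |
    Where-Object { $_.Source -like '*Kerberos*' }

Write-Host "Kerberos errors and warnings in the System log since ${since}:"
$kerbErrors | Sort-Object TimeGenerated |
    Format-Table TimeGenerated, EventID, EntryType, Message -AutoSize -Wrap
```

The Security log only contains logon events if the "Audit logon events" policy is enabled for success on the computer you query, so an empty first table means either that no NTLM logons occurred or that auditing is off. Run the second half on the client that initiated the logon rather than on the server, because that is where the Kerberos client writes its errors; on Windows Server 2003 the client logs only a subset of failures unless Kerberos event logging has been enabled.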

Cause

A call to Negotiate returns NTLM as the only protocol available. This situation is much more difficult to diagnose, because no Kerberos attempt is made and so no Kerberos error is logged. When Internet Explorer is being used, there are two common reasons why the Kerberos protocol is not attempted:

  • Enable Integrated Windows Authentication (requires restart) setting is not selected in Internet Explorer 6.0.

  • Internet Explorer is accessing a site in the Internet zone instead of the intranet zone.

Solution

Internet Explorer 6.0 will, by default, not attempt to use the Kerberos protocol to authenticate to any site.

To enable Internet Explorer 6.0 to respond to a negotiate challenge and perform Kerberos authentication:

  1. In Internet Explorer, on the Tools menu click Internet Options.

  2. Click the Advanced tab, in the Security group select the Enable Integrated Windows Authentication (requires restart) check box, and then click OK.

  3. Restart Internet Explorer.

For more information, see Unable to Negotiate Kerberos Authentication After Upgrading to Internet Explorer 6 in the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=23045).

The second common cause is that Internet Explorer 6.0 is accessing a site that it places in the Internet zone. Sites in the Internet zone are prevented from using Integrated Windows authentication, in part because these protocols do not typically work through Web proxies. If a site is in the Internet zone, Internet Explorer 6.0 does not attempt Kerberos authentication and tries NTLM instead.

In all versions of Internet Explorer, when you access a Web site with which you want to use Kerberos authentication, verify that the Web site appears in the Local Intranet zone. An icon on the status bar in the lower right corner of the Internet Explorer window shows the zone of the current site: it displays “Internet” for the Internet zone and “Local Intranet” for the intranet zone. Internet Explorer automatically treats a site that you reach by a single-label name (for example, http://intranet) as a Local Intranet site, whereas a site reached by its fully qualified domain name is normally placed in the Internet zone unless it has been added to the intranet zone. If the Web site appears in the Internet zone, you must manually add the site to the Local Intranet sites list.

To add an Internet site to the local intranet sites list

  1. On the Tools menu, click Internet Options.

  2. Click the Security tab, then click Local Intranet, then click Sites, and then click Advanced.

  3. In the box under Add this Web site to the zone, type the URL of the Web site that you want to authenticate with Kerberos authentication, using the same host name that users type in the address bar, and then click Add.

  4. Click Close, and then click OK.
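Both procedures above (enabling Integrated Windows Authentication and adding a site to the Local Intranet zone) write values under the current user's Internet Settings registry key, so they can be checked and applied from a script when many users or machines are affected. The following is an added example, not part of the original article: it sets the EnableNegotiate value that the Enable Integrated Windows Authentication check box controls, and adds a ZoneMap entry for a site. The host name intranet.example.com is a placeholder, and the way the script splits a host name into the ZoneMap domain key and host subkey (last two labels as the domain, the rest as the subkey) is a simplifying assumption that covers ordinary three-label names; run it as the user whose Internet Explorer profile you are fixing.

```powershell
# Added example (not from the original article): apply and verify the two
# Internet Explorer settings from the article through the registry.
$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Enable-IntegratedWindowsAuthentication {
    # "Enable Integrated Windows Authentication (requires restart)" is the
    # EnableNegotiate DWORD under Internet Settings: 1 = on, 0 = off.
    # Internet Explorer must be restarted for the change to take effect.
    Set-ItemProperty -Path $inetSettings -Name EnableNegotiate -Value 1 -Type DWord
}

function Get-IntegratedWindowsAuthentication {
    $v = Get-ItemProperty -Path $inetSettings -Name EnableNegotiate -ErrorAction SilentlyContinue
    return ($v -ne $null -and $v.EnableNegotiate -eq 1)
}

function Get-ZoneMapKey {
    param([string]$HostName)
    # Zone assignments live at ZoneMap\Domains\<domain>\<host>. Assumption:
    # the domain is the last two labels (example.com) and everything before
    # it is the host subkey; a one- or two-label name gets no subkey.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -le 2) {
        return Join-Path $inetSettings "ZoneMap\Domains\$($HostName.ToLower())"
    }
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Count - 3)] -join '.'
    return Join-Path $inetSettings "ZoneMap\Domains\$domain\$sub"
}

function Add-LocalIntranetSite {
    param([string]$HostName, [string]$Scheme = 'http')
    # The value name is the scheme ("http", "https") or "*" for any scheme;
    # the DWORD data is the zone number: 1 = Local Intranet, 3 = Internet.
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 1 -Type DWord
}

function Test-LocalIntranetSite {
    param([string]$HostName, [string]$Scheme = 'http')
    # True if the site is mapped to the Local Intranet zone (1) for the
    # given scheme or for all schemes ("*").
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { return $false }
    $v = Get-ItemProperty -Path $key
    foreach ($name in @($Scheme, '*')) {
        if ($v.$name -eq 1) { return $true }
    }
    return $false
}

# Usage: placeholder host name, assumed to be an intranet Web server with
# an SPN registered for the account its Web service runs as.
$site = 'intranet.example.com'
Enable-IntegratedWindowsAuthentication
Add-LocalIntranetSite -HostName $site -Scheme 'http'
"Integrated Windows Authentication enabled: $(Get-IntegratedWindowsAuthentication)"
"$site in Local Intranet zone for http: $(Test-LocalIntranetSite $site 'http')"
```

Two caveats apply. If the "Site to Zone Assignment List" Group Policy setting is in force, Internet Explorer uses the policy's ZoneMapKey entries and ignores the per-user Domains entries written here, so check the policy before concluding that the registry change had no effect. Also, placing a host in the Local Intranet zone is what lets Internet Explorer log on automatically with the current user's credentials, so add only hosts you trust, and add the fully qualified name that users actually type rather than a wildcard entry for a whole domain.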

After you perform this procedure, if you find that NTLM authentication is still being used, or that Kerberos is not even being attempted in a situation where Kerberos authentication should be used, contact Product Support Services for help in diagnosing the problem.