Q: How can I find out if my clients are using NTLM for authentication instead of Kerberos against specific Windows servers, applications, or services?

A: Windows 7 and Windows Server 2008 R2 include new Group Policy settings that let you audit, analyze, and restrict NTLM authentication use in your Windows environment. Microsoft introduced three security policy settings you can use for auditing NTLM traffic. The settings are stored in the following Group Policy Object (GPO) container: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options. They're called:

  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  • Network security: Restrict NTLM: Audit NTLM authentication in this domain
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic

You should enable the Restrict NTLM: Audit NTLM authentication in this domain setting only on your Windows Server 2008 R2 domain controllers (DCs). To enable it, choose the Enable all option in the Microsoft Management Console (MMC) GPO Editor snap-in.

You can use the other two settings -- Restrict NTLM: Outgoing NTLM traffic to remote servers and Restrict NTLM: Audit Incoming NTLM Traffic -- for auditing NTLM authentication traffic on all Windows 7 and Windows Server 2008 R2 computers. To enable auditing for the first setting, choose the Audit all option, as Figure 1 shows; to enable auditing for the latter setting, choose the Enable auditing for all accounts option.
Figure 1: Enabling the Restrict NTLM: Outgoing NTLM traffic to remote servers setting

NTLM audit events are written to the following event log path: \Applications and Services Logs\Microsoft\Windows\NTLM\Operational. Note that this log isn't visible by default in the MMC Event Viewer snap-in. To view this log, you must enable the Show Analytic and Debug Logs option in the Event Viewer's View menu.

Whenever the NTLM protocol is used for authentication, an event with ID 8004 shows up in a Windows Server 2008 R2 DC's log, an event with ID 8003 shows up in a Windows Server 2008 R2 member server's log, and an event with ID 8001 appears in a Windows 7 client's log, as Figure 2 illustrates.
Figure 2: Event ID 8001, indicating NTLM protocol authentication, appearing in a Windows 7 client log
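Once the audit settings are in place, you can read the same log from PowerShell instead of the Event Viewer. The following script is an added example, not part of the original answer; it assumes it runs elevated on the machine whose log you want (or against a remote one via the ComputerName parameter) and that the NTLM operational log already contains events.

```powershell
# Added example (not from the original article): collect NTLM audit events
# from the Microsoft-Windows-NTLM/Operational log and summarise them.
# Assumes the Restrict NTLM audit policies above are already applied.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Event IDs named in the article: 8001 (client), 8003 (member server), 8004 (DC)
$ntlmIds = 8001, 8003, 8004

$filter = @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = $ntlmIds
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No NTLM audit events found on $ComputerName in the last $Hours hours."
    return
}

# Each event's details live in its XML EventData. Flatten them generically so
# the script does not depend on field names that differ between 8001/8003/8004.
$rows = foreach ($e in $events) {
    $xml   = [xml]$e.ToXml()
    $props = [ordered]@{ TimeCreated = $e.TimeCreated; Id = $e.Id }
    foreach ($d in $xml.Event.EventData.Data) {
        $props[$d.Name] = $d.'#text'
    }
    [pscustomobject]$props
}

# Full view of which clients, accounts and targets still fall back to NTLM
$rows | Format-Table -AutoSize

# Count per event ID shows which role (client, member server, DC) logged them
$rows | Group-Object Id | Select-Object Name, Count
```

Run it on a DC to see 8004 events, or on a member server or client to see 8003 and 8001 events; the flattened columns tell you which account, process and target server each NTLM authentication involved.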
