Check Kerberos or NTLM authentication in service

  • Question

  • Using a service with endpoint exposed over netTcp (standard settings), it is possible to determine the authentication protocol by examining the AuthenticationType property on the primary identity of the WCF security context (Kerberos or NTLM).

    When using WCF 4.5 and enabling the Identity Foundation pipeline (by adding a ServiceCredentials behavior and setting the 'useIdentityConfiguration' property to true), the AuthenticationType property of the identity always indicates "Windows" instead of "Kerberos" or "NTLM".

    Is there a way to determine which authentication protocol was actually used?

    Monday, November 4, 2013 8:50 AM

Answers

  • Hi,

    >>Is there a way to determine which authentication protocol was actually used?

    The Kerberos SSP requires a domain controller to act as the Kerberos Key Distribution Center (KDC). The Kerberos protocol is available only when both the client and service are using domain identities. In other account combinations, NTLM is used, as summarized in the following table.

    The table headers show possible account types used by the server. The left column shows possible account types used by the client.

    For more information, please try to refer to:
    #Windows Authentication:
    http://msdn.microsoft.com/en-us/library/bb463274.aspx .

    Best Regards,
    Amy Peng

    Tuesday, November 5, 2013 3:20 AM
    Moderator
  • Hi,

    Yes, I know that you want to determine which authentication protocol was actually used, so we can check the account type as the table above says.

    For example, if the client account type is Local User, then it will use NTLM, no matter what the service will be.

    If the client account type is Domain User, and if the account type used by the server is also Domain User, then it will use Kerberos.

    Best Regards,
    Amy Peng

    Monday, November 11, 2013 9:44 AM
    Moderator

All replies

  • Thanks for the help, but my actual question is how do I determine in the WCF service implementation code which auth protocol (Kerberos or NTLM) has actually been used. With the .NET 4.5 identity pipeline disabled this is indicated in the principal's identity. With the identity pipeline enabled both Kerberos and NTLM are reported as "Windows".
    Tuesday, November 5, 2013 9:00 AM