Two easy ways to pick Kerberos from NTLM in an HTTP capture

When tracing authenticated HTTP traffic, you'll often see a Windows client use the Negotiate protocol to authenticate itself to a Windows web server.

In the past, I've surprised my friends and amazed casual onlookers by being able to instantly surmise which authentication protocol was actually in use. While that's a useful skill to have, it's one I'm prepared to share - at great personal expense and possibly the cost of a few free dinners - with you, dear reader.

First up: what's this Negotiate business? Negotiate is actually an umbrella authentication package that covers the NTLM and Kerberos authentication protocols.

If you're (that's "you" in the "your computer" sense of the word) not a Windows domain member, Negotiate will negotiate NTLM only. If you're a domain member and everything's going fantastically (thanks for asking), it's Kerberos. But for a variety of reasons, it might end up being NTLM.

Negotiate might be upgraded in the future to support more than just NTLM and Kerberos, so when that happens, you can probably ignore the advice in this article!

For now, there are two easy ways to work out when Negotiate means Kerberos or NTLM:

1. Number of round-trips to authenticate a client

Not counting the initial anonymous GET request:

  • Kerberos uses one round trip to authenticate a client
  • NTLM has a "challenge" phase that adds a second round trip

The Fiddler screenshot below shows the server's responses: each number represents a client request, and the next column is its corresponding response code. The 200s mark the successful completion of each authentication sequence.

Request/response pairs 1 and 2 are a successful Kerberos authentication. Pairs 3 through 5 are using NTLM, because http/fakename isn't a registered SPN in AD. With Negotiate, if Kerberos authentication fails, NTLM may be used as a fallback.

I forced NTLM by using a DNS hostname for which no Kerberos SPN was registered, which is actually a realistic simulation of the conditions under which double-hop authentication doesn't work.

For the setup-curious, the setup for the /negotiatethis/ virtual directory is as below:

2. Size of the Negotiate blob

Kerb tickets are much bigger than password hashes. See if you can spot the difference below! (headers trimmed for compactness)

A. NTLM

------------------------------------------------------------------
3. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: fakename

HTTP/1.1 401 Unauthorized
Content-Length: 1656
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
------------------------------------------------------------------
4. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: fakename
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==

HTTP/1.1 401 Unauthorized
Content-Length: 1539
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAABgAGADgAAAAFgomiCQs+k8e625YAA
AAAAAAAAGIAYgA+AAAABQLODgAAAA9EAEkAQgACAAYARABJAEIAAQAMADIAMAAwADMARA
BDAAQADgBkAGkAYgAuAGQAbwBtAAMAHAAyADAAMAAzAEQAQwAuAGQAaQBiAC4AZABvA
G0ABQAOAGQAaQBiAC4AZABvAG0AAAAAAA==
Date: Wed, 02 Aug 2006 06:27:07 GMT
------------------------------------------------------------------
5. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: fakename
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHwAAAAYABgAlAAAAAYABgBIAAAA
GgAaAE4AAAAUABQAaAAAAAAAAACsAAAABYKIogUCzg4AAAAPRABJAEIAQQBkAG0AaQBuA
GkAcwB0AHIAYQB0AG8AcgAyADAAMAAzAE0ARQBNAEIARQBSAK5mqZs/4zeTAAAAAAAAAA
AAAAAAAAAAADlpPfISbVP+br+jiEvDlc8jTU0LwwgJGw==

HTTP/1.1 200 OK
Date: Wed, 02 Aug 2006 06:27:07 GMT
Server: Microsoft-IIS/6.0
Content-Length: 56
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSATTTAST=NGFNNCCAMIKCAMPIPKDAGAGE; path=/
Cache-control: private
------------------------------------------------------------------

Image reprinted for easy reference: above were requests 3, 4 and 5, the NTLM set; below are 1 and 2, Kerberos.

B. Kerberos

------------------------------------------------------------------
1. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: 2003dc

HTTP/1.1 401 Unauthorized
Content-Length: 1656
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 02 Aug 2006 05:29:23 GMT

------------------------------------------------------------------
2. GET /negotiatethis/ HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: 2003dc
Authorization: Negotiate YIIJvwYGKwYBBQUCoIIJszCCCa+gJDAiBgkqhki
C9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCYUEggmBYII
JfQYJKoZIhvcSAQICAQBugglsMIIJaKADAgEFoQMCAQ6iBwMFACA
AAACjggPSYYIDzjCCA8qgAwIBBaEJGwdESUIuRE9NohkwF6ADAgE
CoRAwDhsESFRUUBsGMjAwM2Rjo4IDmzCCA5egAwIBF6EDAgEE
ooIDiQSCA4VWCBvPweTzPp0+99JbpMcHxGmMsxsZRR+CX8MhRM
YXjVy1oLGO0yGRQzVOoPUxzAB3G97FbBZF6/psJ036bkW/K6nZs6U
7vC/pu/Vw83hpUWogKhQJRrb8fuANGgqRnxKPMCsQEqqcaZpEJCR
eqzuhzH9BHPHVH+uzRdkinp9cw1UrlsKm2t/ipxfnTXarUxKg4+xLXQ
qPkh/UsntWH2zesAbmXVIRbJsu48WQRlVflodTXFqi+3E0ITi52+pzH
iz46RGYUsDXohJD43CpJLV5TlSPk0etHSAPj1igqLm9jBGjNUA36HiFq
NNDwtNdw1g3u4RNOSqHg7yrbw72SvOUyDoZeizqh6Zxq3HUzN8LU
w12pNunHeU/WJZff5uGjHZSyioDrEOk7vI134GYh1B4zWsXe8LZ6W0
NaG+qzC3O1qgWDkrlU+rc0159nqqcAsb4xtmDylg6Dre8HaGq1/PZc
0BWL7GT+NFBSP8Dk1KZZL0mQfLKiz0wj14xCa6yd8Os5JZCL6mEKIcsV
C+HzdYXxgbIGSTnBnVcYg1ip8NM9tDRA24KfAe9kyQRggSoRY/AGn7n
sQ2szpuma4+mdseWYr401FO+uuuThsMJ1+/nnRd8fjJyt5Vk+5xoUL
b0bgl6GVidNrYlR4NT65WWIzpx2140s+ZoYnIXKwx9xrTndpzouVYZ74
HF/SSmXKbjvzbCp9rK0k/HqKecYb/Ib+FQurhy0ahcPVW20rrKVGHkmz
NLsmcluiCeQFCsD744f4OlUSUfuGA1wrxJUKkaIlyFrNYWSnMDnZ4S5
QmpTna2fDUn/ohGZ+y2Q6QBeTckcn9UyDLsBJm29O+UG69UAI26uF
QkHFRF5gk5ZGC3uc3x6XGV3KcncYiPFyLmnVd93gi1NrOG47gFGCPboA
452ojvu6QyeMooRbS79hsdKEpJFqzm/o1CEWrHCm5FcvR1BMlcXjPJi
Um84dWioq0/Rq6R+bKL7t54GRmssA8BiXD7bCKHnk+nOXxWhcSD+
SrVFIw+zHOIYk+U0vAlo99GK71zbvomXQkLw6gUteKhsCOXekj0qQjEN
+q+cwDRFsaM1uVScdxxquFq8Uyfb+JctVMFe5+ZetnU3XrhgqY9PqltI
GIkEoMIf3U58mang5zB4Llq9zxWYjaNpel4kjET1d+kGP0+zko5GVCjm
uUirtpOAT9GQS6SpIIFezCCBXegAwIBF6KCBW4EggVq9xTwR89MeRb
w5Ob35WJf7EKv72H9cYIF4shVdzhwdDhcKIbPVMXfXPb0rsEcbmZmt+
HmqlVEewQTTDsfJMquiB2d2JKn4xdpU/A8h4AOts2EdpqcKMDKFRsn
viPWUOC+YQ7TEEco/I+YMK5RC2TV7h2fCEuN+16PEGZVsQ2jZKvcsro9
0DU92DjsLSW+6JZqMuK6ED4XEi/2FbNcsAr1z8FPnYuHgRaAmqZvhdL
XabUgk9d6lekliZqbnhErSsalonHI85DHT8Yl1rKMgU0+apXqA3hlblLE
/xWh/uMJeuymJ03c0DliOYWDPgGdh6JExuHysV8xsEnD1gCE/ScBlbu
8bd/9BjiLgHOttQq4uI3UqNhAQgRVXYy/24SE4RC/7NrPXYKkDno/WM
oFjXYMCRL1j2OmSuC1Cybgpkm5P4bXroRF6XGYX3zmaFaoOI8DK8I+H
x7sN1j6TMDwvrS6FxjF3Jrio/FnX8icI/zEa1SJ2940jrYfZonOuk8nr3vcsD
U7kounX2XH/IzzDm5OAYZQ3WwKs1nR6ix1Y/4Ov1CR4fDkkMjT5VjXz+
AWywvwuSOfk9iHqSW7gE+/t5fFEwTxB8nOrKOt7LC2QfV5BDwXQrPfsx
rrSvin3b3vMOMxxNieBQWzu9rxSljVo5x8sZ6jYIOZSlrIB81US8POFeum
VGd3UGZnzOfKFdDFbQp1Q3ybiFarA+BrOQ+nvY3NlntBJVVL3LO6ZY+h
Mt02ZQKm4Fpx52wt3YOTh6GnhEbmQ/23v5Tr8GwSlKi2kxo6lIKYxeOE
Buro1Njl/9krtRuKovkPFuwR/UOo8gBDVEos7RkkdiLA8H6sTxAi4B/Kk
GrWDJgpWHE7995gTZVrnHISY8NLs254JBQoGpNFJ6htAMCPjk89mJnh
WJSeBNsZ1s9uvnne3t3zJJiMabO+tZLOUQZ/V5+1NpKUkZ/PAD82qCLf
sXXq3j/L3UNkmj3IFlkAL/4A3X+HBnTEtkcz19qHWgyl9me9uvx9kPWcF
7XAj5LJ638w46GNCCuVMZ74VcIvxkQZ2b5peoxh3vGNskBtk7/PnHSCR
YUPqA4VrhZn86P0J/u4qON3OXdJBF2FAPhGX09TiINw67v3PRuTLo6W
UFTPvAGXMlWssDMgvfGFJIyBKoLQqje0YdlVCv9KTSMKMGv5lGHgsZa
1cRvDvxZ0S/jp1D2lqtAy5Ih3rOmzjXRogENtkLpb6H0jsNh0si/5lVpMW
umi1IGXjW+QlgHQExahvBu5D7qvYqMkPyDODatHDJoyNd05MUM8Cw
jMKKnNGAvGXOkloSIrBxuSBclZcwlg8Xrr/XIMNaeO1dX72F36KABOk85
EQBKwq6lZCKIICq1HxO2b3+Gt7I8fYBP8yuX/0uLP0wMBJPSlUt/qozEt0/
gK4t2IVg/0EjNVpNEZxvzDX2KbNNBo+Vkb7TCgS7+yYi1mzDAJ1XYRxx5S
tJ55Qo5p0nqqqmgo26smy7xY0bpOXVGdGF1n3C6yeedRrOaSkMqLVm
UAvrFtbJyEryxEZt1NXZl91yCWNt67pvSjRSMpE7yWC0/zWLRPYmfBUgis
I8DmQr9hBsoNJypC3HzUf0FRHQG9yc/ko7GSPEPXHP+eZFlcY+8ZhZrgl
IvgIl6+tc2b8rq+rwQYCh2q3CJt2lC7FaFCl4O2sv6GB8KDkT9V73VP40dX/
7FpiqDntDp9Tj3ihjzrREKeRwMuSHIrtT2dXzipK/hveEre3T+F3hU9NTSj
qCRr4wMSkd8SQzfL2XBL2SlMEHqV9o7l+G44XSVARc9YVdzDcxLvswd6
Ug1ej6D7KbcXAHZi6VdWEKGPxv5SVDLf

HTTP/1.1 200 OK
Date: Wed, 02 Aug 2006 05:29:23 GMT
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate oYGfMIGcoAMKAQChCwYJKoZIgvcSAQICooGHBIGEYIGBBgkqhki
G9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqADAgEXolsEWQLu3qmHQaYEPcEIXKRwn4w0wieU6
w71tqGzllrZMCeBeCDgLaUNmnSfA8SEYCC27ZNJ/wxx3+W4Q3JPy1VmG+lQ6JQtF1nZ6HOZYvnkup6
926v1mgofc7ss
Content-Length: 56
Content-Type: text/html
Cache-control: private
------------------------------------------------------------------

Using Fiddler, it can be a little tricky to identify the difference in GET request size from the Headers view, but Raw shows you what's what, and how long it is!
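As an added example (not part of the original post), here is a small Python script that makes both checks mechanical and adds the one that settles the question: it base64-decodes the Negotiate blobs, tells bare NTLMSSP messages (the "TlRM..." ones) from SPNEGO tokens (the "YII..." ones), walks just enough of the SPNEGO DER to list the mechTypes the client offered and to see whether the mechToken inside is a Kerberos AP-REQ or an NTLMSSP message, and counts the authenticated round trips in a sequence for heuristic 1. The sample blobs are copied from the captures above (the Kerberos and NTLM type 3 ones are truncated prefixes, which is enough for the header checks); the function and dictionary names are this example's own.

```python
import base64
import struct

# Sample blobs copied from the captures above (constructed test data for this example): the
# complete NTLM type 1 from request 4, the first 48 characters of the type 3 from request 5,
# the first 112 characters of the Kerberos blob from request 2, and the server's NegTokenResp.
NTLM_TYPE1 = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw=="
NTLM_TYPE3_PREFIX = "TlRMTVNTUAADAAAAGAAYAHwAAAAYABgAlAAAAAYABgBIAAAA"
KERB_INIT_PREFIX = ("YIIJvwYGKwYBBQUCoIIJszCCCa+gJDAiBgkqhkiC9xIBAgIG"
                    "CSqGSIb3EgECAgYKKwYBBAGCNwICCqKCCYUEggmBYIIJfQYJKoZIhvcSAQICAQBu")
KERB_RESP = ("oYGfMIGcoAMKAQChCwYJKoZIgvcSAQICooGHBIGEYIGBBgkqhki"
             "G9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqADAgEXolsEWQLu3qmHQaYEPcEIXKRwn4w0wieU6"
             "w71tqGzllrZMCeBeCDgLaUNmnSfA8SEYCC27ZNJ/wxx3+W4Q3JPy1VmG+lQ6JQtF1nZ6HOZYvnkup6"
             "926v1mgofc7ss")
OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5",
        "1.2.840.48018.1.2.2": "MS KRB5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}
NTLM_MESSAGES = {1: "NEGOTIATE (type 1)", 2: "CHALLENGE (type 2)", 3: "AUTHENTICATE (type 3)"}
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def der_tlv(buf, pos):
    """Parse the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """DER OID content bytes -> dotted notation (first byte packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def read_oid(buf, pos):
    """Read the OID TLV at pos; return (friendly name or dotted string, end offset)."""
    _, start, end = der_tlv(buf, pos)
    dotted = decode_oid(buf[start:end])
    return OIDS.get(dotted, dotted), end

def describe_inner_token(buf, pos):
    """Name what a mechToken/responseToken carries: a bare NTLMSSP message or a krb5 token."""
    if buf[pos:pos + 8] == b"NTLMSSP\x00":
        return "NTLMSSP " + NTLM_MESSAGES.get(struct.unpack_from("<I", buf, pos + 8)[0], "?")
    if buf[pos] == 0x60:                     # InitialContextToken: mech OID, then 2-byte TOK_ID
        _, pos, _ = der_tlv(buf, pos)
        mech, pos = read_oid(buf, pos)
        return f"{mech} {KRB5_TOK_IDS.get(buf[pos:pos + 2], 'unknown TOK_ID')}"
    return "unrecognised"

def classify_negotiate_blob(b64):
    """Classify the base64 payload of an Authorization: / WWW-Authenticate: Negotiate header."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):       # bare NTLM, as IE sent it in the capture above
        msg_type = struct.unpack_from("<I", raw, 8)[0]
        return {"mechanism": "NTLM", "message": NTLM_MESSAGES.get(msg_type, "?"), "length": len(raw)}
    tag, pos, end = der_tlv(raw, 0)
    if tag == 0x60:                          # [APPLICATION 0] InitialContextToken from the client
        mech, pos = read_oid(raw, pos)
        if mech != "SPNEGO":                 # bare krb5 GSS token with no SPNEGO wrapper
            return {"mechanism": describe_inner_token(raw, 0), "declared_length": end}
        result = {"mechanism": "SPNEGO NegTokenInit", "declared_length": end, "mech_types": []}
        for _ in range(3):                   # [0] NegTokenInit, SEQUENCE, [0] mechTypes
            _, pos, _ = der_tlv(raw, pos)
        _, pos, mt_end = der_tlv(raw, pos)   # SEQUENCE OF OID, in the client's preference order
        while pos < mt_end:
            name, pos = read_oid(raw, pos)
            result["mech_types"].append(name)
        while pos < end and pos + 2 <= len(raw):   # skip [1] reqFlags if present, stop at [2]
            tag, start, stop = der_tlv(raw, pos)
            if tag == 0xA2:                  # [2] mechToken OCTET STRING: the optimistic token
                _, inner, _ = der_tlv(raw, start)
                result["mech_token"] = describe_inner_token(raw, inner)
                break
            pos = stop
        return result
    if tag == 0xA1:                          # [1] NegTokenResp from the server
        result = {"mechanism": "SPNEGO NegTokenResp", "declared_length": end}
        _, pos, _ = der_tlv(raw, pos)        # SEQUENCE
        while pos < end:
            tag, start, stop = der_tlv(raw, pos)
            if tag == 0xA0:                  # negState ENUMERATED (single value byte)
                result["neg_state"] = NEG_STATES.get(raw[stop - 1], "?")
            elif tag == 0xA1:                # supportedMech OID
                result["supported_mech"], _ = read_oid(raw, start)
            elif tag == 0xA2:                # responseToken OCTET STRING
                _, inner, _ = der_tlv(raw, start)
                result["response_token"] = describe_inner_token(raw, inner)
            pos = stop
        return result
    return {"mechanism": "unrecognised", "length": len(raw)}

def classify_exchange(steps):
    """Heuristic 1: steps = [(Negotiate blob or None, status), ...] for one sequence, starting
    with the anonymous request. Returns (authenticated round trips, mechanisms seen)."""
    blobs = [blob for blob, _ in steps if blob]
    return len(blobs), [classify_negotiate_blob(blob)["mechanism"] for blob in blobs]
```

Run against the captures above, the Kerberos request decodes as a SPNEGO NegTokenInit declaring 2499 bytes, offering MS KRB5, Kerberos V5 and NTLMSSP in that order and carrying a Kerberos V5 AP-REQ; the server's final header is a NegTokenResp with negState accept-completed wrapping an AP-REP; the NTLM blobs are 40-byte and truncated NTLMSSP type 1 and type 3 messages, one authenticated round trip against two. One caveat that the captures here don't show: clients commonly wrap NTLM inside SPNEGO rather than sending a bare NTLMSSP message, so a blob starting with "YI" is not by itself proof of Kerberos; the mechTypes list and the mechToken signature are what decide it.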

My Kerberos back-catalogue.

[Manual Trackbacks]
Ken Schaefer: Two easier ways - using "real" network captures and Ethereal/Wireshark (e.g., a network sniffer that understands the authentication blobs and just outright tells you), and the Event Logs.