Verify kerberos authentication
Hi,
I have configured Kerberos for the FIM Portal and FIM Service and everything seems to be working fine. However, how can I verify that Kerberos is actually being used and not NTLM?
Regards
Zid
November 5th, 2010 9:47am
You could capture the network traffic by using Netmon, or disable NTLM authentication on the related computers.
Cheers,
Markus
Markus Vilcinskas, Knowledge Engineer, Microsoft Corporation
November 5th, 2010 10:25am
If you configure the FIM Server's audit policy to audit successful Account Logon events and Logon events and start the FIM Portal, you should see in the Security event log, among others, event ID 4769, which tells you that a Kerberos ticket was requested and issued successfully.
/Matthias
November 5th, 2010 11:10am
Hi Zid-
The free Fiddler add-on for IE/Firefox will let you look at the authentication headers when you browse to the portal. This is usually how I troubleshoot/investigate this.
My Book - Active Directory, 4th Edition
My Blog - www.briandesmond.com
November 5th, 2010 1:15pm
For just seeing whether Kerberos is used I prefer Matthias's suggestion: by default those logon (success) events are logged, I think. So in the security log of the Portal server you should see an entry stating your client IP, user name and whether Kerberos was used.
It comes in handy if you use a real test user, so you can clearly see his name pop up in the event log instead of the admin account you are logged on with on the portal server.
And very important: test from a remote workstation. Don't test from the FIM Portal Server itself.
Besides the event log, "klist" (built-in on 2008/2008 R2/W7) can show you which Kerberos tickets the user requested. Kerbtray can do this as well:
http://setspn.blogspot.com/2010/06/kerberos-basic-troubleshooting-tip-1.html
http://setspn.blogspot.com
November 6th, 2010 6:31am
Thanks for all the good replies!
When enabling auditing I see the following in the event log when restarting the Forefront Identity Manager Service:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: FIM01$
Account Domain: AFAB
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: DOMAINA\FIMS
Account Name: FIMS
Account Domain: DOMAINA
Logon ID: 0xf8d8b1
Logon GUID: {62ccbe63-18b4-a9cc-7fe7-0991c502f827}
Process Information:
Process ID: 0x228
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: SE01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
How can I tell if Kerberos is being used or not when reading this log?
Regards
Zid
November 8th, 2010 6:51am
This is what I'm seeing:
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services:
Advapi -> Negotiate is mostly present when you perform an interactive logon, I think. Like when pressing Ctrl-Alt-Del and entering credentials, or when logging on through Remote Desktop Services. Perhaps it's also possible if you configured IIS for Basic authN.
I think you are looking at the wrong event. You can filter your security event log on the FIM Portal for event ID 4624 and then search for your username. I really advise you to use a new dummy user, which does not appear in all event logs already.
http://setspn.blogspot.com
November 8th, 2010 7:17am
When accessing the portal from a remote computer using https://fimportal.test I see the same as you:
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: DOMAINA\testuser1
Account Name: testuser1
Account Domain: DOMAINA
Logon ID: 0x130dff0
Logon GUID: {74cbd5c3-cdee-6793-a3b2-faf65f6e7850}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 192.168.10.11
Source Port: 61764
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
However, when I go to Services on the FIM Portal/FIM Service server and restart the Forefront Identity Manager Service, I see the information displayed in the previous post in the log. Should I not also see Kerberos being used when restarting the service?
November 9th, 2010 2:22am
Ahah, that's why it stated "services.exe" in your first event. The Negotiate logon makes sense there. It's like a user logging on to a workstation with username/password in the Ctrl-Alt-Del screen. The FIM Service is configured in the services.msc console.
At installation it was configured with a username to run under and a specific password. When the service starts it uses these credentials and performs a Negotiate logon on this server.
More specifically, this means that when the service afterwards has to authenticate to something it can use both NTLM (it has the username/password) and Kerberos (it's authenticated).
http://setspn.blogspot.com
November 9th, 2010 3:21am
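As an added example (not from any poster in this thread), the following script applies the advice above to pasted 4624 messages: it flattens the event text into section-qualified fields and reads Logon Type, Authentication Package and Package Name (NTLM only) to tell a Kerberos network logon to the portal from an NTLM fallback or the service account's own Negotiate logon at service start. The sample events are constructed here, trimmed to the relevant fields and modelled on the two pastes in this thread; the NTLM one shows what a fallback would look like.

```python
from typing import Dict, Tuple

# Section headers in a 4624 message; they carry no value of their own.
SECTIONS = {"Subject", "New Logon", "Process Information",
            "Network Information", "Detailed Authentication Information"}

# Constructed sample messages, trimmed to the relevant fields and modelled on the
# events pasted in this thread; NTLM_EVENT shows what an NTLM fallback would look like.
SERVICE_EVENT = ("Subject:\nAccount Name: FIM01$\nLogon Type: 5\nNew Logon:\nAccount Name: FIMS\n"
                 "Account Domain: DOMAINA\nDetailed Authentication Information:\n"
                 "Logon Process: Advapi\nAuthentication Package: Negotiate\nPackage Name (NTLM only): -\n")
KERB_EVENT = ("Subject:\nAccount Name: -\nLogon Type: 3\nNew Logon:\nAccount Name: testuser1\n"
              "Account Domain: DOMAINA\nNetwork Information:\nSource Network Address: 192.168.10.11\n"
              "Detailed Authentication Information:\nLogon Process: Kerberos\n"
              "Authentication Package: Kerberos\nPackage Name (NTLM only): -\n")
NTLM_EVENT = (KERB_EVENT.replace("Logon Process: Kerberos", "Logon Process: NtLmSsp")
              .replace("Authentication Package: Kerberos", "Authentication Package: NTLM")
              .replace("Package Name (NTLM only): -", "Package Name (NTLM only): NTLM V2"))

def parse_4624(text: str) -> Dict[str, str]:
    """Flatten the message into {'Section/Field': value}; an empty value becomes '-'."""
    fields, section = {}, ""
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not key:
            continue                     # free text such as the first line
        if key in SECTIONS and not value:
            section = key
            continue
        fields[f"{section}/{key}" if section else key] = value or "-"
    return fields

def classify(fields: Dict[str, str]) -> Tuple[str, str, str]:
    # Returns (verdict, account, source address) for one parsed 4624 event.
    dai = "Detailed Authentication Information/"
    logon_type = next((v for k, v in fields.items() if k.endswith("Logon Type")), "-")
    package = fields.get(dai + "Authentication Package", "-")
    ntlm_pkg = fields.get(dai + "Package Name (NTLM only)", "-")
    account = fields.get("New Logon/Account Domain", "-") + "\\" + fields.get("New Logon/Account Name", "-")
    source = fields.get("Network Information/Source Network Address", "-")
    if package == "NTLM" or ntlm_pkg != "-":
        verdict = "NTLM"           # NTLM was used, directly or chosen via Negotiate
    elif package == "Kerberos" and logon_type == "3":
        verdict = "KERBEROS"       # network logon to the portal with a service ticket
    elif package == "Negotiate" and logon_type == "5":
        verdict = "SERVICE-START"  # service account logging on with its stored password
    else:
        verdict = "UNDETERMINED"
    return verdict, account, source
```

Paste the body of a real 4624 message (Event Viewer, General tab) into `parse_4624` and only network logons (type 3) with `Authentication Package: Kerberos` count as proof that the portal negotiated Kerberos; anything reporting a Package Name under "NTLM only" is a fallback worth chasing.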
You could also try this instead:
To activate Kerberos protocol only:
Open the Web.config file, which is usually located at C:\inetpub\wwwroot\wss\VirtualDirectories\80.
Note: You need an elevated command prompt or Windows Explorer to access this folder.
Locate the element <resourceManagementClient . . . />
Add requireKerberos="true" so that it reads
<resourceManagementClient requireKerberos="true" . . . />
Save the Web.config file.
Run iisreset from a command prompt.
November 10th, 2010 10:25pm
I added the requireKerberos="true" value to the web.config file and ran iisreset. Does this mean that only Kerberos and not NTLM will be used on this web site?
Everything is still working as it should. I guess this means that Kerberos is enabled, or else something would not work?
November 12th, 2010 3:00am
This is correct, you should not be able to access the portal with more insecure authentication mechanisms.
You can easily test this out: find out the IP for your FIM Portal (ping FIMHOSTNAME).
Navigate to http(s)://FIM_IPv4/identitymanagement/default.aspx
When accessing the site via IP, Kerberos won't be able to negotiate and your browser would fall back to NTLM, which would be denied by the above configuration setting; you should see access denied or some equivalent error in that case.
November 15th, 2010 3:24am
I verified this today and it's not working using just the IP, so everything is good, it seems.
Thanks to everyone for their help!
November 17th, 2010 1:39am