3.2 Authentications

Use this Knowledge Script to monitor the number of Kerberos and NTLM (Windows NT LAN Manager) authentications per second. This script raises an event if the number of Kerberos or NTLM authentications per second exceeds the threshold you set.

The default protocol for network authentication for computers with Windows 2000 and later is Kerberos, but because Windows 2000 also supports NTLM authentication, this script monitors both types of network authentication.

Windows requires users and workstations to receive authentication — to prove their identity — before servers allow them access to data. Authentication monitoring of domain controllers, which do much of the work associated with authentications, should be performed for several reasons:

  • A rise in authentication load indicates authentication work has failed over to this domain controller from another domain controller.

  • Sustained zero Kerberos authentication levels indicate Kerberos authentication has either failed over to another domain controller, or user authentications are failing entirely.

  • A jump in authentication load is very common when a virus attack is underway.

  • Any non-zero NTLM authentication load indicates legacy clients are connected.

  • The ratio of Kerberos to NTLM traffic is a key indicator of how much of your client base has been upgraded to Windows 2000 or later.

This script gathers the following Windows performance counter values for use in data collection and threshold monitoring:

Performance Objects                 Counters
NTDS                                Kerberos Authentications
Security System-Wide Statistics     NTLM Authentications

Both counters are read from each of the performance objects listed.

NOTE: The Authentications Knowledge Script gathers values from the Security System-Wide Statistics performance object only when the domain controller it runs on is Windows Server 2008 or later.

3.2.1 Resource Object

Active Directory domain controller

3.2.2 Default Schedule

The default interval for this script is Every 30 minutes.

The default interval is intended to minimize the amount of data collected. If your organization wants tight monitoring of security-related issues, you can decrease the interval to Every 5 minutes.

3.2.3 Setting Parameter Values

Set the following parameters as needed:

Parameter                                                       How to Set It

Monitor authentication rate

  Event Notification

    Raise event if job fails

    Event severity when job fails
        Set the severity level, from 1 to 40, to indicate the importance of an event in which the Authentications job fails. The default is 35.

    Raise event if Kerberos authentication rate exceeds threshold?
        Select Yes to raise an event if the Kerberos authentication rate exceeds the threshold you set. The default is Yes.

    Threshold -- Maximum rate of Kerberos authentications
        Specify the maximum number of Kerberos authentications per second allowed during any interval before an event is raised. The default is 50 authentications per second.

    Event severity when Kerberos authentication rate exceeds threshold
        Set the severity level, from 1 to 40, to indicate the importance of an event in which the Kerberos authentication rate exceeds the threshold. The default is 20.

    Raise event if NTLM authentication rate exceeds threshold?
        Select Yes to raise an event if the NTLM authentication rate exceeds the threshold you set. The default is Yes.

    Event severity when NTLM authentication rate exceeds threshold
        Set the severity level, from 1 to 40, to indicate the importance of an event in which the NTLM authentication rate exceeds the threshold. The default is 20.

    Threshold -- Maximum rate of NTLM authentications
        Specify the maximum number of NTLM authentications per second allowed during any interval before an event is raised. The default is 50 authentications per second.

  Data Collection

    Collect data for Kerberos authentications?
        Select Yes to collect data for charts and reports. If enabled, data collection returns the total number of Kerberos authentication requests since the first Knowledge Script interval (the cumulative number). The default is unselected.

    Collect data for NTLM authentications?
        Select Yes to collect data for charts and reports. If enabled, data collection returns the total number of NTLM authentication requests since the first Knowledge Script interval (the cumulative number). The default is unselected.