i've been having issues where calls to the LogonUser Windows API function is falling back to NTLM authentication, rather than using the preferred, default, Kerberos authentication.
Researching the problem, a guy has a suggestion:
The thing to do is to figure out why the code is using NTLM instead of
Kerberos in the first place since Kerberos is the default and to try to see
if it can be changed to make it use Kerberos. A couple of things come to
mind:
- The client machine must be domain joined to use Kerberos
Now i've never heard of being domain joined to use Kerberos. Either you're joined to an Active Directory domain, or not, right?
In this case the machine is joined to an Active Directory domain, e.g.:
contoso.local
What does it mean to be "domain joined to use Kerberos"; and how do i ensure that my machine is?
Best Answer
Whenever I've heard or used the term "domain joined" it has meant "The state of being joined to an Active Directory domain".