Recipe 15.5 Enabling Kerberos Logging

15.5.1 Problem

You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.

15.5.2 Solution

15.5.2.1 Using a graphical user interface
  1. Run regedit.exe from the command line or Start -> Run.

  2. In the left pane, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

  3. If the LogLevel value doesn't already exist, right-click on Parameters and select New -> DWORD Value. Enter LogLevel for the value name and click OK.

  4. In the right pane, double-click on LogLevel and enter 1.

  5. Click OK.

15.5.2.2 Using a command-line interface
> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel" /t REG_DWORD /d 1
15.5.2.3 Using VBScript
' This code enables Kerberos logging for the specified domain controller
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>"  ' e.g. dc01
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"

' Connect to the WMI registry provider on the remote computer
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")

' Create the Parameters key if it is missing (harmless if it exists), then
' set LogLevel (REG_DWORD) to 1. StdRegProv methods return 0 on success.
objReg.CreateKey HKLM, strRegKey
intRC = objReg.SetDwordValue(HKLM, strRegKey, "LogLevel", 1)
if intRC = 0 then
   WScript.Echo "Enabled Kerberos logging for " & strDC
else
   WScript.Echo "Failed to enable Kerberos logging for " & strDC & " (error " & intRC & ")"
end if
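The same change done from PowerShell, as an added example that is not part of the cookbook: it sets LogLevel on a remote computer over PowerShell remoting, records the previous value so the change can be reverted exactly, and reads the value back to confirm it. It assumes WinRM is enabled on the target and that you are a local administrator there; the computer name dc01 is a placeholder.

```powershell
# Added example (not from the cookbook): toggle Kerberos client logging on a remote
# computer over PowerShell remoting and confirm the result. Assumes WinRM is enabled
# on the target and the caller is a local administrator there. "dc01" is a placeholder.
param(
    [Parameter(Mandatory)] [string] $ComputerName,     # e.g. dc01
    [ValidateSet(0, 1)]    [int]    $LogLevel = 1      # 1 = log Kerberos errors, 0 = off
)

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

Invoke-Command -ComputerName $ComputerName -ArgumentList $KerbParams, $LogLevel -ScriptBlock {
    param($Key, $Level)

    # The Parameters subkey does not exist until something creates it.
    if (-not (Test-Path -Path $Key)) {
        New-Item -Path $Key -Force | Out-Null
    }

    # Record the previous setting so the change can be reverted exactly later.
    $before = (Get-ItemProperty -Path $Key -Name LogLevel -ErrorAction SilentlyContinue).LogLevel

    # -Force overwrites an existing value; DWord matches the REG_DWORD the recipe uses.
    New-ItemProperty -Path $Key -Name LogLevel -PropertyType DWord -Value $Level -Force | Out-Null

    # Read it back rather than trusting the write.
    $after = (Get-ItemProperty -Path $Key -Name LogLevel).LogLevel
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PreviousLevel = $before
        CurrentLevel  = $after
        Verified      = ($after -eq $Level)
    }
}
```

Save it as, for example, Set-KerberosLogging.ps1 and run `.\Set-KerberosLogging.ps1 -ComputerName dc01` to turn logging on; run it again with `-LogLevel 0` once the troubleshooting is done, using the PreviousLevel field from the first run if the value was already set to something else.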

15.5.3 Discussion

If you are experiencing authentication problems, or want to find out whether Kerberos is involved at all, set LogLevel to 1 and the Kerberos client (the Kerberos security package inside LSASS on the machine where you set the value) will write each Kerberos error it receives to the System event log with a source of Kerberos. Each event carries the error code returned by the KDC or the target service, which points out whether the problem is clock skew (KRB_AP_ERR_SKEW), an expired ticket (KRB_AP_ERR_TKT_EXPIRED), an expired password (KDC_ERR_KEY_EXPIRED), a service principal the KDC cannot find, and so on. Two caveats: the value only affects the machine it is set on, so to see what a workstation is being told by the KDC you set it on the workstation, not on the domain controller; and not every logged error is a fault, since a normal logon includes a KDC_ERR_PREAUTH_REQUIRED round trip that LogLevel 1 also records. Set LogLevel back to 0 when you are done so the System log is not flooded. For a good overview of the Kerberos error messages, see MS KB 230476.

Here is an example event:

Event Type:        Error
Event Source:        Kerberos
Event Category:        None
Event ID:        3
Date:                5/26/2003
Time:                5:53:43 PM
User:                N/A
Computer:        DC01
Description:
A Kerberos Error Message was received:
         on logon session 
 Client Time: 
 Server Time: 0:53:43.0000 5/27/2003 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm: 
 Client Name: 
 Server Realm: RALLENCORP.COM
 Server Name: host/ dc01.rallencorp.com
 Target Name: host/dc01.rallencorp.com@RALLENCORP.COM
 Error Text: 
 File: 9
 Line: ab8
 Error Data is in record data.
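Reading these events by hand gets tedious once there are more than a handful, so here is an added example (not from the cookbook) that parses the event description into an object, translates the error code into its usual Active Directory cause, and flags clock skew when both timestamps are present. The sample input is the event shown above (abridged) plus two constructed events so the script runs offline; the Get-KerberosErrorEvent function reads live events from a machine instead. The cause table is this example's own summary of the RFC 4120 error codes, not a list from the page.

```powershell
# Added example (not from the cookbook): turn the "Kerberos Error Message" events that
# LogLevel=1 writes to the System log into objects with the likely cause attached.

# RFC 4120 error codes that show up most often in these events, with the usual AD cause.
$KerberosErrorCause = @{
    0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN: client account not found in the domain'
    0x07 = 'KDC_ERR_S_PRINCIPAL_UNKNOWN: no account holds the requested SPN'
    0x0d = 'KDC_ERR_BADOPTION: KDC refused a requested ticket option (often delegation)'
    0x12 = 'KDC_ERR_CLIENT_REVOKED: account disabled, locked out or outside logon hours'
    0x17 = 'KDC_ERR_KEY_EXPIRED: password expired'
    0x18 = 'KDC_ERR_PREAUTH_FAILED: wrong password'
    0x19 = 'KDC_ERR_PREAUTH_REQUIRED: normal pre-authentication round trip, not a fault'
    0x20 = 'KRB_AP_ERR_TKT_EXPIRED: ticket expired'
    0x25 = 'KRB_AP_ERR_SKEW: clock skew beyond the allowed tolerance (5 minutes by default)'
    0x29 = 'KRB_AP_ERR_MODIFIED: service decrypted with the wrong key (stale or duplicate SPN)'
}

function ConvertFrom-KerberosEvent {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Message)
    process {
        # Pull the "Name: value" lines out of the description; missing fields stay empty.
        $f = @{}
        foreach ($name in 'Client Time', 'Server Time', 'Error Code', 'Client Name', 'Target Name') {
            $pattern = '(?m)^\s*' + [regex]::Escape($name) + ':\s*(.*?)\s*$'
            $f[$name] = if ($Message -match $pattern) { $Matches[1] } else { '' }
        }

        # "0xd KDC_ERR_BADOPTION" -> 13; the symbolic name after the code is not needed.
        $code = $null
        if ($f['Error Code'] -match '^(0x[0-9a-f]+)') { $code = [int]$Matches[1] }
        $cause = if ($null -ne $code -and $KerberosErrorCause.ContainsKey($code)) {
            $KerberosErrorCause[$code]
        } else { 'not in table; see MS KB 230476' }

        # Timestamps look like "0:53:43.0000 5/27/2003 Z"; compute skew when both parse.
        $skew = $null
        $fmt  = 'H:mm:ss.ffff M/d/yyyy \Z'
        $ci   = [cultureinfo]::InvariantCulture
        $c = [datetime]::MinValue; $s = [datetime]::MinValue
        if ([datetime]::TryParseExact($f['Client Time'], $fmt, $ci, 'AssumeUniversal', [ref]$c) -and
            [datetime]::TryParseExact($f['Server Time'], $fmt, $ci, 'AssumeUniversal', [ref]$s)) {
            $skew = [math]::Abs(($c - $s).TotalSeconds)
        }

        [pscustomobject]@{
            ErrorCode   = if ($null -ne $code) { '0x{0:x}' -f $code } else { '' }
            Cause       = $cause
            ClientName  = $f['Client Name']
            TargetName  = $f['Target Name']
            SkewSeconds = $skew
            ClockSkew   = ($null -ne $skew -and $skew -gt 300)
        }
    }
}

function Get-KerberosErrorEvent {
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $MaxEvents = 100)
    # Source is "Kerberos" on Windows 2000/2003 and "Microsoft-Windows-Security-Kerberos" later.
    $filter = @{ LogName = 'System'; ProviderName = 'Kerberos', 'Microsoft-Windows-Security-Kerberos' }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-KerberosEvent -Message $_.Message |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# Constructed sample input: the recipe's event (abridged) plus two made-up ones.
$sampleBadOption = @'
A Kerberos Error Message was received:
 Client Time:
 Server Time: 0:53:43.0000 5/27/2003 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Client Name:
 Target Name: host/dc01.rallencorp.com@RALLENCORP.COM
'@
$sampleSkew = @'
A Kerberos Error Message was received:
 Client Time: 1:02:10.0000 5/27/2003 Z
 Server Time: 0:53:43.0000 5/27/2003 Z
 Error Code: 0x25 KRB_AP_ERR_SKEW
 Client Name: ws01$
 Target Name: host/dc01.rallencorp.com@RALLENCORP.COM
'@
$sampleExpired = @'
A Kerberos Error Message was received:
 Error Code: 0x17 KDC_ERR_KEY_EXPIRED
 Client Name: rallen
 Target Name: krbtgt/RALLENCORP.COM@RALLENCORP.COM
'@

$sampleBadOption, $sampleSkew, $sampleExpired | ConvertFrom-KerberosEvent |
    Format-Table ErrorCode, ClientName, ClockSkew, Cause -AutoSize
```

On a live machine, `Get-KerberosErrorEvent -ComputerName dc01 | Where-Object { -not $_.Cause.StartsWith('KDC_ERR_PREAUTH_REQUIRED') }` gives the same table with the routine pre-authentication events filtered out; Get-WinEvent needs a Windows Vista/Server 2008 or later target, so against older systems export the System log and feed the descriptions to ConvertFrom-KerberosEvent directly.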

15.5.4 See Also

MS KB 230476 (Description of Common Kerberos-Related Errors in Windows 2000) and MS KB 262177 (HOW TO: Enable Kerberos Event Logging)


