You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.
Run regedit.exe from the command line or Start Run.
In the left pane, expand HKEY_LOCAL_MACHINE System CurrentControlSet Control Lsa Kerberos Parameters.
If the LogLevel value doesn't already exist, right-click on Parameters and select New DWORD value. Enter LogLevel for the value name and click OK.
In the right pane, double-click on LogLevel and enter 1.
Click OK.
> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel"[RETURN]
/t REG_DWORD /d 1
' This code enables Kerberos logging for the specified domain controller ' ------ SCRIPT CONFIGURATION ------ strDC = "<DomainControllerName>" ' e.g. dc01 ' ------ END CONFIGURATION --------- const HKLM = &H80000002 strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv") objReg.SetDwordValue HKLM, strRegKey, "LogLevel", 1 WScript.Echo "Enable Kerberos logging for " & strDC
If you are experiencing authentication problems or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging will cause Kerberos errors to be logged in the System event log. The Kerberos events can point out if the problem is related to clock skew, an expired ticket, expired password, etc. For a good overview of some of the Kerberos error messages, see MS KB 230476.
Here is an example event:
Event Type: Error Event Source: Kerberos Event Category: None Event ID: 3 Date: 5/26/2003 Time: 5:53:43 PM User: N/A Computer: DC01 Description: A Kerberos Error Message was received: on logon session Client Time: Server Time: 0:53:43.0000 5/27/2003 Z Error Code: 0xd KDC_ERR_BADOPTION Extended Error: 0xc00000bb KLIN(0) Client Realm: Client Name: Server Realm: RALLENCORP.COM Server Name: host/ dc01.rallencorp.com Target Name: host/dc01.rallencorp.com@RALLENCORP.COM Error Text: File: 9 Line: ab8 Error Data is in record data.
MS KB 230476 (Description of Common Kerberos-Related Errors in Windows 2000) and MS KB 262177 (HOW TO: Enable Kerberos Event Logging)