| 15.5.1 ProblemYou want to enable Kerberos logging on a domain controller to troubleshoot authentication problems. 15.5.2 Solution15.5.2.1 Using a graphical user interface
 15.5.2.2 Using a command-line interface> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel"[RETURN]  /t REG_DWORD /d 115.5.2.3 Using VBScript' This code enables Kerberos logging for the specified domain controller ' ------ SCRIPT CONFIGURATION ------ strDC = "<DomainControllerName>"  ' e.g. dc01 ' ------ END CONFIGURATION --------- const HKLM = &H80000002 strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv") objReg.SetDwordValue HKLM, strRegKey, "LogLevel", 1 WScript.Echo "Enable Kerberos logging for " & strDC15.5.3 DiscussionIf you are experiencing authentication problems or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging will cause Kerberos errors to be logged in the System event log. The Kerberos events can point out if the problem is related to clock skew, an expired ticket, expired password, etc. For a good overview of some of the Kerberos error messages, see MS KB 230476. Here is an example event: Event Type: Error Event Source: Kerberos Event Category: None Event ID: 3 Date: 5/26/2003 Time: 5:53:43 PM User: N/A Computer: DC01 Description: A Kerberos Error Message was received: on logon session Client Time: Server Time: 0:53:43.0000 5/27/2003 Z Error Code: 0xd KDC_ERR_BADOPTION Extended Error: 0xc00000bb KLIN(0) Client Realm: Client Name: Server Realm: RALLENCORP.COM Server Name: host/ dc01.rallencorp.com Target Name: host/dc01.rallencorp.com@RALLENCORP.COM Error Text: File: 9 Line: ab8 Error Data is in record data. 15.5.4 See AlsoMS KB 230476 (Description of Common Kerberos-Related Errors in Windows 2000) and MS KB 262177 (HOW TO: Enable Kerberos Event Logging) | 
