Recipe 15.5 Enabling Kerberos Logging

15.5.1 Problem

You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.

15.5.2 Solution

15.5.2.1 Using a graphical user interface
  1. Run regedit.exe from the command line or Start Run.

  2. In the left pane, expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Control → Lsa → Kerberos → Parameters.

  3. If the LogLevel value doesn't already exist, right-click on Parameters and select New → DWORD Value. Enter LogLevel for the value name and click OK.

  4. In the right pane, double-click on LogLevel and enter 1.

  5. Click OK.

15.5.2.2 Using a command-line interface
> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel" /t REG_DWORD /d 1
15.5.2.3 Using VBScript
' This code enables Kerberos logging for the specified domain controller
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>"  ' e.g. dc01
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"

' Connect to the WMI registry provider on the remote DC and write the DWORD
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetDwordValue HKLM, strRegKey, "LogLevel", 1
WScript.Echo "Enabled Kerberos logging for " & strDC
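The three variants above all write the same LogLevel DWORD. The following PowerShell is an added example, not code from the Active Directory Cookbook, that does the same thing and also reads the value back and turns logging off again when troubleshooting is finished. It assumes the domain controller named in -DomainController accepts PowerShell remoting (Invoke-Command) from an account that can write HKLM on it; dc01 in the usage lines is a placeholder name.

```powershell
# Added example (not from the Active Directory Cookbook): enable, check, or
# disable Kerberos event logging on a domain controller over PowerShell remoting.
# Assumption: the DC accepts Invoke-Command from an account that can write HKLM.
$KerberosParameters = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosLogLevel {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [ValidateSet(0, 1)] [int] $LogLevel = 1    # 1 = log Kerberos errors, 0 = off (the default)
    )
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($Key, $Level)
        # Create the Parameters key if it is missing, then create/overwrite the DWORD.
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name 'LogLevel' -PropertyType DWord -Value $Level -Force | Out-Null
        # Read it back so the caller sees the value actually stored on the DC.
        (Get-ItemProperty -Path $Key -Name 'LogLevel').LogLevel
    } -ArgumentList $KerberosParameters, $LogLevel
}

function Get-KerberosLogLevel {
    param([Parameter(Mandatory)] [string] $DomainController)
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($Key)
        $prop = Get-ItemProperty -Path $Key -Name 'LogLevel' -ErrorAction SilentlyContinue
        if ($null -eq $prop) { 0 } else { $prop.LogLevel }   # a missing value means logging is off
    } -ArgumentList $KerberosParameters
}

# Usage (dc01 is a placeholder DC name):
# Set-KerberosLogLevel -DomainController dc01 -LogLevel 1   # enable while troubleshooting
# Get-KerberosLogLevel -DomainController dc01               # confirm: returns 1
# Set-KerberosLogLevel -DomainController dc01 -LogLevel 0   # turn it off again afterwards
```

Keep logging enabled only for the duration of the investigation: with LogLevel set, the DC also records errors that are part of normal negotiation (such as a KDC asking for pre-authentication), so the System log fills quickly and the real problem gets harder to spot.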

15.5.3 Discussion

If you are experiencing authentication problems or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging causes Kerberos errors to be logged in the System event log. The Kerberos events can indicate whether the problem is related to clock skew, an expired ticket, an expired password, etc. For a good overview of some of the Kerberos error messages, see MS KB 230476.

Here is an example event:

Event Type:        Error
Event Source:      Kerberos
Event Category:    None
Event ID:          3
Date:              5/26/2003
Time:              5:53:43 PM
User:              N/A
Computer:          DC01
Description:
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 0:53:43.0000 5/27/2003 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: RALLENCORP.COM
 Server Name: host/dc01.rallencorp.com
 Target Name: host/dc01.rallencorp.com@RALLENCORP.COM
 Error Text:
 File: 9
 Line: ab8
 Error Data is in record data.
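Once logging is on, the useful part of each event is the "Error Code:" field in the description. The following PowerShell is an added example (not from the Active Directory Cookbook) that parses that field out of the event text, maps it to the standard Kerberos error name from RFC 4120 with a short troubleshooting hint, and summarizes recent Kerberos errors from a DC's System log. It assumes Get-WinEvent can reach the DC named in -ComputerName; the offline check at the end runs against a constructed copy of the sample event text above, and dc01 is a placeholder name.

```powershell
# Added example (not from the Active Directory Cookbook): classify Kerberos
# errors from the System log by the "Error Code:" field in the event text.
# The codes and names are the standard ones from RFC 4120 section 7.5.9;
# the hints in parentheses are the usual causes seen in AD troubleshooting.
$KerberosErrorNames = @{
    0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client account not found in the realm)'
    0x07 = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (no account holds the requested SPN)'
    0x0d = 'KDC_ERR_BADOPTION (KDC cannot honour a requested option, e.g. delegation)'
    0x12 = 'KDC_ERR_CLIENT_REVOKED (account disabled, locked out or expired)'
    0x17 = 'KDC_ERR_KEY_EXPIRED (password expired)'
    0x18 = 'KDC_ERR_PREAUTH_FAILED (wrong password / pre-authentication failed)'
    0x19 = 'KDC_ERR_PREAUTH_REQUIRED (normal negotiation, usually benign)'
    0x20 = 'KRB_AP_ERR_TKT_EXPIRED (ticket expired)'
    0x25 = 'KRB_AP_ERR_SKEW (clock skew between client and KDC too large)'
    0x29 = 'KRB_AP_ERR_MODIFIED (ticket could not be decrypted; duplicate SPN or stale key)'
}

function Get-KerberosEventField {
    # Return the text after "<Label>:" on its own line of the event description, or '' if absent.
    param([string] $Message, [string] $Label)
    if ($Message -match "(?m)^\s*$Label`:[ \t]*(.*)$") { $Matches[1].Trim() } else { '' }
}

function ConvertFrom-KerberosEventText {
    # Parse one Kerberos event description into an object with the fields worth reporting.
    param([Parameter(Mandatory)] [string] $Message)
    $codeText = Get-KerberosEventField $Message 'Error Code'            # e.g. "0xd KDC_ERR_BADOPTION"
    $code = if ($codeText -match '^0x([0-9a-fA-F]+)') { [int]('0x' + $Matches[1]) } else { $null }
    [pscustomobject]@{
        ErrorCode   = $code
        ErrorName   = if ($null -ne $code -and $KerberosErrorNames.ContainsKey($code)) {
                          $KerberosErrorNames[$code] } else { "unknown ($codeText); see MS KB 230476" }
        ClientRealm = Get-KerberosEventField $Message 'Client Realm'
        ServerName  = Get-KerberosEventField $Message 'Server Name'
        TargetName  = Get-KerberosEventField $Message 'Target Name'
    }
}

function Get-KerberosErrorSummary {
    # Read recent Kerberos-source events from a DC's System log and count them by error name,
    # so the dominant failure (skew, expired password, bad SPN, ...) stands out.
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $MaxEvents = 200)
    Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'System'; ProviderName = 'Kerberos' } |
        ForEach-Object { ConvertFrom-KerberosEventText -Message $_.Message } |
        Group-Object ErrorName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Offline check against a constructed copy of the sample event text from this recipe:
$sample = @"
A Kerberos Error Message was received:
 Client Realm:
 Error Code: 0xd KDC_ERR_BADOPTION
 Server Realm: RALLENCORP.COM
 Server Name: host/dc01.rallencorp.com
 Target Name: host/dc01.rallencorp.com@RALLENCORP.COM
"@
ConvertFrom-KerberosEventText -Message $sample   # ErrorCode 13 -> KDC_ERR_BADOPTION (...)

# Live use against a DC (dc01 is a placeholder name):
# Get-KerberosErrorSummary -ComputerName dc01
```

Grouping by error name is the quick way to separate the benign KDC_ERR_PREAUTH_REQUIRED noise from the codes that actually explain a logon failure; a pile of KRB_AP_ERR_SKEW entries, for example, points at time synchronization rather than at the account or the service.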

15.5.4 See Also

MS KB 230476 (Description of Common Kerberos-Related Errors in Windows 2000) and MS KB 262177 (HOW TO: Enable Kerberos Event Logging)

Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456
