This week's post is a short tip on how to enable Kerberos logging. As per KB262177 (How to enable Kerberos event logging), Kerberos logging is enabled by creating the following registry value under the Lsa\Kerberos\Parameters key:
- Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- Registry Value: LogLevel
- Value Type: REG_DWORD
- Value Data: 0x1
To disable it, simply delete the value or set it to 0. Once logging is enabled, Kerberos error events are written to the System event log. The setting becomes effective immediately on Windows Server 2008, Windows Vista, Windows Server 2003 and Windows XP; on Windows 2000 you must restart the computer.
When searching for Kerberos debug options, the registry values “KerbDebugLevel” and “LogToFile” (also below the Lsa\Kerberos\Parameters key) might come up. It is my understanding that these do not have any effect on Windows 2008 and up. I asked this a while back on ActiveDir.org: Kerberos debug logging on Windows 2008
What events will be logged? The following is a short summary of the most common entries:
- KDC_ERR_PRINCIPAL_UNKNOWN: the SPN is not registered in AD, or the service is being accessed under the wrong name
- KDC_ERR_PREAUTH_FAILED: can be safely ignored; it is due to the way Kerberos works and how some Kerberos clients compose their first request (the initial request without pre-authentication data is rejected, and the client then retries with it)
- KRB_AP_ERR_MODIFIED: bad error! Someone is presenting a ticket to a service, but the ticket was encrypted with the key of an account that is not responsible for that service. Wow, what a line; bottom line: authentication is failing, and there is no fallback to NTLM either!
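Putting the two halves of this post together (the LogLevel value above and the error names just listed), here is an added PowerShell example of my own, not code from KB262177 or from Microsoft: it toggles the LogLevel value and pulls the resulting Kerberos entries from the System log, tagging the noise you can ignore. It assumes an elevated session and that the entries are written by the provider "Microsoft-Windows-Security-Kerberos", which is what Windows 2008 and later use for these events.

```powershell
# Added example, not part of KB262177. Assumes an elevated PowerShell session.
# Assumption: the System log entries come from provider 'Microsoft-Windows-Security-Kerberos'.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosLogging {
    param([switch]$Disable)
    if ($Disable) {
        # Deleting the value is equivalent to LogLevel = 0 (logging off)
        Remove-ItemProperty -Path $KerbParams -Name 'LogLevel' -ErrorAction SilentlyContinue
    } else {
        # LogLevel REG_DWORD 0x1 as documented in KB262177; effective immediately on Vista/2008+
        New-ItemProperty -Path $KerbParams -Name 'LogLevel' -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Return the current state so the caller can verify the change
    Get-ItemProperty -Path $KerbParams -Name 'LogLevel' -ErrorAction SilentlyContinue
}

function Get-KerberosErrorEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Extract the Kerberos error name from the message text, if present
        $code = if ($_.Message -match '(KDC_ERR_\w+|KRB_AP_ERR_\w+)') { $Matches[1] } else { 'n/a' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Error   = $code
            # KDC_ERR_PREAUTH_FAILED is expected noise from the pre-auth round trip
            Ignore  = ($code -eq 'KDC_ERR_PREAUTH_FAILED')
            Message = ($_.Message -split "`n")[0]
        }
    }
}

# Usage:
# Set-KerberosLogging                       # enable
# Get-KerberosErrorEvents -Hours 4 | Where-Object { -not $_.Ignore } | Format-Table -AutoSize
# Set-KerberosLogging -Disable              # back to the default
```

Leave logging off once you have what you need; on a busy domain controller the System log fills quickly with KDC_ERR_PREAUTH_FAILED noise.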
This MS document is a reference for the above (and other errors) and contains many useful troubleshooting hints: Troubleshooting Kerberos Errors