15.5. Enabling Kerberos Logging
Problem
You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.
Solution
Using a graphical user interface
Run regedit.exe from the command line or Start → Run.
In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → Lsa → Kerberos → Parameters.
If the LogLevel value doesn’t already exist, right-click on Parameters and select New → DWORD value. Enter LogLevel for the value name and click OK.
In the right pane, double-click on LogLevel and enter 1.
Click OK.
Using a command-line interface
> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel" /t REG_DWORD /d 1
Using VBScript
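' This code enables Kerberos logging for the specified domain controller
' ------ SCRIPT CONFIGURATION ------
strDC = "<DomainControllerName>" ' e.g. dc01
' ------ END CONFIGURATION ---------
const HKLM = &H80000002 ' HKEY_LOCAL_MACHINE hive
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
' Connect to the registry provider on the target DC through WMI
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
' SetDWORDValue returns 0 on success
intRC = objReg.SetDWORDValue(HKLM, strRegKey, "LogLevel", 1)
if intRC = 0 then
   WScript.Echo "Enabled Kerberos logging for " & strDC
else
   WScript.Echo "Failed to enable Kerberos logging for " & strDC & " (error " & intRC & ")"
end if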
Discussion
If you are experiencing authentication problems or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging will cause Kerberos errors to be logged in the System event log. The Kerberos events can point out if the problem is related to clock skew, an expired ticket, ...
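The following PowerShell is an added example, not code from the book: it confirms that LogLevel is set and then summarizes the Kerberos errors that logging has written to the System event log. It assumes it is run locally on the domain controller, that the events are written by the Microsoft-Windows-Security-Kerberos provider (the name on current Windows Server releases), and that each event message carries an "Error Code: 0x..." line; the function name Get-KerberosErrorSummary is hypothetical.

```powershell
# Added example (not from the book). Run locally on the domain controller.
function Get-KerberosErrorSummary {
    param(
        [int]$Hours = 1   # how far back to search the System log
    )

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # 1. Confirm the LogLevel value from this recipe is actually in place.
    $prop = Get-ItemProperty -Path $key -Name LogLevel -ErrorAction SilentlyContinue
    if ($null -eq $prop -or $prop.LogLevel -ne 1) {
        Write-Warning 'Kerberos logging is not enabled (LogLevel is missing or not 1).'
        return
    }

    # 2. Read Kerberos events from the System log.
    #    Assumption: provider name as used on current Windows Server releases.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Output "No Kerberos events logged in the last $Hours hour(s)."
        return
    }

    # 3. Extract the Kerberos error code from each message and count by code.
    #    Assumption: the message contains a line such as "Error Code: 0x25 KRB_AP_ERR_SKEW".
    $events | ForEach-Object {
        $code = '(none)'
        if ($_.Message -match 'Error Code:\s*(0x[0-9a-fA-F]+)\s*(\S*)') {
            $code = ('{0} {1}' -f $Matches[1], $Matches[2]).Trim()
        }
        [pscustomobject]@{ EventId = $_.Id; ErrorCode = $code; Time = $_.TimeCreated }
    } |
        Group-Object EventId, ErrorCode |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
}

Get-KerberosErrorSummary -Hours 1
```

Set LogLevel back to 0 once troubleshooting is finished so the extra events stop filling the System log.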