Compartilhar via


Kerberos Authentication Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Kerberos Authentication Tools and Settings

In this section

  • Kerberos Protocol Tools

  • Kerberos Protocol Registry Settings

  • Kerberos Authentication Group Policy Settings

  • Network Ports Used by the Kerberos V5 Protocol

Kerberos Protocol Tools

The following tools are associated with administering and troubleshooting the Kerberos version 5 authentication protocol.

Domain.msc: Active Directory Domains and Trusts

Category

Active Directory Domains and Trusts is an MMC snap-in that is installed automatically on computers running Windows Server 2003 when you install Active Directory. You can also use this tool on non-domain controllers by installing the Windows Server 2003 Administration Tools pack. You can start Active Directory Domains and Trusts in the following way: Click Start, then click Programs,then click Administrative Tools, and then click Active Directory Domains and Trusts.

Version compatibility

This tool is compatible with domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition. You can also use Active Directory Domains and Trusts with the Windows Server 2003 Administration Tools pack to remotely administer Active Directory from a computer that is not a domain controller, such as a computer running Windows XP Professional. You can use this tool to target any domain controller in either Windows 2000 Server or Windows Server 2003 domains.

Note

  • When using Windows Server 2003 Active Directory administrative tools to connect to a domain controller running Windows 2000, you must first be sure that the Windows 2000–based domain controller to which you are connecting has Service Pack 3 or later installed. This is because Windows Server 2003 administrative tools sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic by default.

Active Directory Domains and Trusts provides a graphical interface in which you can view all domains in the forest. Using this tool, an administrator can manage each of the domains in the forest, trust relationships between domains, configure the functional level for each domain or forest, and configure the alternative user principal name (UPN) suffixes for a forest.

Active Directory Domains and Trusts can be used to create, view, and modify most trust-related tasks. It can be used to target all Active Directory domain controllers and can verify all Active Directory trust types. Trust verification takes place between two domains by enumerating all of the domain controllers in each domain. If you choose to have Active Directory Domains and Trusts create both sides of the trust at once, the trust password is automatically generated.

You can find more information about Active Directory Domains and Trusts on Microsoft TechNet.

Dsa.msc: Active Directory Users and Computers

Category

Active Directory Users and Computers is a Microsoft Management Console (MMC) snap-in that is automatically installed when you install Active Directory. Dsa.msc is also included with the Administration Tools Pack (Adminpak.msi).

You can access the tool from the Start menu: Click Start, click Programs,click Administrative Tools, and then click Active Directory Users and Computers.

Version compatibility

Active Directory Users and Computers runs on domain controllers that are running Windows Server 2003 or Windows 2000. In both of these server systems, MMC provides a window in the user interface where you can add, configure, and control items. Active Directory Users and Computers is the MMC tool that you can use to administer and publish information in the directory.

The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000.

On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 folder on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs LDAP traffic between the administrative tool clients and domain controllers.

Note

  • You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).

You can use Active Directory Users and Computers to manage the following properties associated with objects. Your managing the properties will affect Kerberos V5 authentication for these objects.

Active Directory Users and Computers Object Management

Property Changes That Affect Kerberos V5 Authentication

Computer objects

Trust computer for delegation

The service can impersonate a user to use other network services. Allows services running as local system to request services from other services.

Computer objects delegation tab options

(This tab will only appear in domains with Windows Server 2003 Functional Level.)

Do not trust this computer for delegation

Trust this computer for delegation to any service (Kerberos only)

Not recommended. This enables unconstrained delegation.

Trust this computer for delegation to specified services only

  • Use Kerberos only: Enables constrained delegation without protocol transition.

  • Use any authentication protocol: Enables constrained delegation with protocol transition

User or service objects account tab options

Account is trusted for delegation

The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting enables a service that runs under the account to assume a client’s identity and authenticate as that user to remote servers on the network.

Account is sensitive and cannot be delegated

When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.

Use DES encryption types for this account

Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. If a user account is configured to use DES encryption, a Windows 2000, Windows XP, or Windows Server 2003–based client requests a ticket-granting ticket (TGT) by using the DES-CBC-MD5 encryption type.

Do not require Kerberos pre-authentication

Overrides the default setting that the KDC requires all accounts to use pre-authentication. The default setting makes offline password-guessing attacks very difficult. You can choose to override the default setting for individual accounts when necessary for compatibility with other implementations of the protocol.

User or service objects delegation tab options

(This tab will only appear on accounts with registered SPNs in domains with Windows Server 2003 Functional Level.)

Do not trust this user for delegation

 

Trust this user for delegation to any service (Kerberos only)

Not recommended. This enables unconstrained delegation.

Trust this user for delegation to specified services only

  • Use Kerberos only: Enables constrained delegation without protocol transition.

  • Use any authentication protocol: Enables constrained delegation with protocol transition.

You can find more information about Active Directory Users and Computers on Microsoft TechNet.

Eventvwr.msc: Event Viewer

Category

Event Viewer is included in Windows Server 2003, Windows XP, and Windows 2000.

Version compatibility

Event Viewer is supported for Windows Server 2003, Windows XP, and Windows 2000.

The system and security logs contain Kerberos error codes and other events related to authentication.

The following table lists event IDs and information that can be associated with Kerberos authentication. An event log contains only relevant event information. For example, only failure audits have Kerberos error codes; smartcard logons have certificate information.

Security Log Events That Might Contain Kerberos Error Codes

Event ID Account Logon Event Type Event Information Potentially Associated with Kerberos Authentication

672

  • Success audit (Windows 2000 and Windows Server 2003)

  • Failure audit (Windows Server 2003)

Authentication Ticket Request:

  • User Name

  • Supplied Realm Name

  • User ID

  • Service Name

  • Service ID

  • Ticket Options

  • Result Code: Kerberos error code

  • Ticket Encryption Type

  • Pre-Authentication Type

  • Client Address

  • Certificate Issuer Name

  • Certificate Serial Number

  • Certificate Thumbprint

673

  • Success audit (Windows 2000 and Windows Server 2003)

  • Failure audit (Windows Server 2003)

Service Ticket Request:

  • User Name

  • User Domain

  • Service Name

  • Service ID

  • Ticket Options

  • Ticket Encryption Type

  • Client Address

  • Failure Code: Kerberos Error Code

  • Logon GUID

  • Transited Services

675

  • Failure audit

Pre-authentication Failed:

  • User Name

  • User ID

  • Service Name

  • Pre-authentication Type

  • Failure Code: Kerberos error code

  • Client Address

676

  • Failure audit (Obsolete in Windows Server 2003; both success and failure audits use event ID 672.)

Authentication Ticket Request Failed:

  • User Name

  • Supplied Realm Name

  • Service Name

  • Ticket Options

  • Failure Code: Kerberos error code

  • Client Address

677

  • Failure audit (Obsolete in Windows Server 2003; both success and failure audits use event ID 673.)

Service Ticket Request Failed:

  • User Name

  • User Domain

  • Service Name

  • Ticket Options

  • Failure Code: Kerberos error code

  • Client Address

Kerberos V5 Authentication Protocol Error Messages Generated by Windows Server 2003

Kerberos Error Number Kerberos Error Code Description

0x3

KDC_ERR_BAD_PVNO

Requested protocol version number not supported.

0x6

KDC_ERR_C_PRINCIPAL_UNKNOWN

Client not found in Kerberos database.

0x7

KDC_ERR_S_PRINCIPAL_UNKNOWN

Server not found in Kerberos database.

0x8

KDC_ERR_PRINCIPAL_NOT_UNIQUE

Multiple principal entries in database.

0xA

KDC_ERR_CANNOT_POSTDATE

Ticket not eligible for postdating.

0xB

KDC_ERR_NEVER_VALID

Requested start time is later than end time.

0xC

KDC_ERR_POLICY

KDC policy rejects request.

0xD

KDC_ERR_BADOPTION

KDC cannot accommodate requested option.

0xE

KDC_ERR_ETYPE_NOSUPP

KDC has no support for encryption type.

0xF

KDC_ERR_SUMTYPE_NOSUPP

KDC has no support for checksum type.

0x10

KDC_ERR_PADATA_TYPE_NOSUPP

KDC has no support for pre-authentication data type.

0x12

KDC_ERR_CLIENT_REVOKED

Client’s credentials have been revoked.

0x17

KDC_ERR_KEY_EXPIRED

Password has expired - change password to reset.

0x18

KDC_ERR_PREAUTH_FAILED

Pre-authentication information was invalid.

0x19

KDC_ERR_PREAUTH_REQUIRED

Additional pre-authentication required.

0x1B

KDC_ERR_MUST_USE_USER2USER

Server principal valid for user-to-user only.

0x1C

KDC_ERR_PATH_NOT_ACCPETED

KDC Policy rejects transited path.

0x1D

KDC_ERR_SVC_UNAVAILABLE

A service is not available.

0x1F

KRB_AP_ERR_BAD_INTEGRITY

Integrity check on decrypted field failed.

0x20

KRB_AP_ERR_TKT_EXPIRED

Ticket expired.

0x21

KRB_AP_ERR_TKT_NYV

Ticket not yet valid.

0x22

KRB_AP_ERR_REPEAT

Request is a replay.

0x23

KRB_AP_ERR_NOT_US

The ticket isn’t for us.

0x24

KRB_AP_ERR_BADMATCH

Ticket and authenticator do not match.

0x25

KRB_AP_ERR_SKEW

Clock skew too great.

0x28

KRB_AP_ERR_MSG_TYPE

Invalid message type.

0x29

KRB_AP_ERR_MODIFIED

Message stream modified.

0x34

KRB_ERR_RESPONSE_TOO_BIG

Response too big for UDP, retry with TCP.

0x3C

KRB_ERR_GENERIC

Generic error (description in e-text).

0x44

KDC_ERR_WRONG_REALM

User-to-user TGT issued different KDC.

To find more information about “Event Viewer”, see “Event Viewer” on Microsoft TechNet.

Kerbtray.exe: Kerberos Tray

Category

Kerberos Tray is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version compatibility

Kerberos Tray is supported for Windows Server 2003, Windows XP, and Windows 2000.

Kerberos Tray is a graphical user interface tool that displays ticket information for a computer running Microsoft’s implementation of the Kerberos version 5 authentication protocol.

You can view and purge the ticket cache by using the Kerberos Tray tool icon located in the notification area of the desktop. By positioning the cursor over the icon, you can view the time left until the initial ticket-granting ticket (TGT) expires. The icon also changes in the hour before the Local Security Authority (LSA) renews the ticket.

To find more information about Kerberos Tray, see “Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.”

Klist.exe: Kerberos List

Category

Kerberos List is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version compatibility

Kerberos List is supported for Windows Server 2003, Windows XP, and Windows 2000.

Kerberos List is a command-line tool that is used to view and delete Kerberos tickets granted to the current logon session. To use Kerberos List to view tickets, you must run the tool on a computer that is a member of a Kerberos realm.

When Kerberos List is run from a client, it shows the:

  • Ticket-granting ticket (TGT) to a Kerberos Key Distribution Center (KDC) in Windows.

  • Ticket-granting ticket (TGT) to Ksserver on UNIX.

Parameters

Kerberos List uses the following syntax:

klist [tickets | tgt | purge] [-?]
Tickets

Lists the current cached tickets of services to which you have authenticated since logging on. Displays the following attributes of all cached tickets:

Option Description

End Time

Time at which that the ticket becomes invalid. After a ticket is past this time, it cannot be used to authenticate to a service.

KerbTicket Encryption Type

Encryption type used to encrypt the Kerberos ticket.

Renew Time

Maximum lifetime of a renewable ticket (see TicketFlags in the table below). To continue using this ticket, you must renew it before reaching the established End Time and before the expiration date established in RenewUntil.

Server

Server and domain for the ticket.

tgt

Lists the initial Kerberos ticket-granting ticket (TGT). Displays the following attributes of the currently cached ticket:

Option Description

AltTargetDomainName

Name supplied to InitializeSecurityContext that generated this ticket, typically a service principal name (SPN).

DomainName

Domain name of the service.

End Time

Time when the ticket becomes invalid. When a ticket is past the end time, it cannot be used to authenticate to a service.

FullServiceName

Canonical name of the account principal for the service.

KeyExpirationTime

Expiration time from the KDC reply.

RenewUntil Maximum lifetime of a renewable ticket (see TicketFlags)

To continue using a ticket, you must renew it. Tickets must be renewed before the expiration time set in End Time and in RenewUntil.

ServiceName

A TGT is a ticket for the Key Distribution Center (KDC) service. The service name for a TGT is “krbtgt.”

Start time

Time when the ticket becomes valid.

TargetDomainName

For a cross-realm ticket, this is the realm, rather than the issuing realm, in which the ticket is good.

TargetName

Service name for which the ticket was requested. This is the name of a servicePrincipalName property on an account in the directory.

TicketFlags

Kerberos ticket flags set on the current ticket in hexadecimal. Kerberos Tray displays these flags on the Flags tab.

TimeSkew

The reported time difference between the client computer and the server computer for a ticket.

purge

Will list each ticket and enables you to delete specific tickets. When you choose Yes to a ticket, then purge tickets destroys the ticket that you have cached, so use this with caution. It might stop you from being able to authenticate to resources. If this happens, you must log off and then log on again.

-?

Displays command-line help.

To find more information about Kerberos List, see “Windows Server 2003 Resource Kit Tools Help” in the Tools and Settings Collection.

Ksetup.exe: Kerberos Setup

Category

Kerberos Setup is included in the Windows Server 2003 Support Tools.

Version compatibility

Kerberos Setup is supported for Windows Server 2003.

Kerberos Setup is a command-line tool you can use to configure Windows for Kerberos V5 interoperability. Kerberos Setup configures a client connected to a server running Windows Server 2003 to use a server running the Kerberos V5 authentication protocol. After Kerberos Setup configures the client, the client then uses a Kerberos V5 realm instead of a Windows Server 2003 domain. This provides a single sign-on to the Key Distribution Center (KDC) and a local client account connected to a computer running Windows Server 2003.

Administrators can use Kerberos Setup to:

  • Set up a realm entry for a Kerberos V5 realm.

  • Set up a list of KDCs for the Kerberos V5 realm for which you set up a realm entry.

  • Set up a kpasswd server for the Kerberos V5 realm for which you set up a realm entry.

  • Set up local account to Kerberos V5 account mappings.

  • Set the computer’s password in the Kerberos realm.

  • Change a user’s password in a Kerberos V5 realm.

To find more information about Kerberos Setup, see “Support Tools Help” in the Tools and Settings Collection.

Ktpass.exe: Kerberos Keytab Setup

Category

Kerberos Keytab Setup is included in the Windows Server 2003 Support Tools.

Version compatibility

Kerberos Keytab Setup is supported for Windows Server 2003.

Kerberos Keytab Setup is a command-line tool that enables an administrator to configure a non-Windows Kerberos service as a security principal in the Windows Server 2003 Active Directory. Kerberos Keytab Setup configures the server principal name for the host or service in Active Directory and generates an MIT-style Kerberos keytab file containing the shared secret key of the service. The tool enables non-Windows brand operating system services that support Kerberos authentication to use the interoperability features provided by the Kerberos KDC service that runs on Windows Server 2003.

To find more information about Kerberos Keytab Setup, see “Support Tools Help” in the Tools and Settings Collection.

Netdom.exe: Windows Domain Manager

Category

Windows Domain Manager is included in Windows Server 2003, Windows 2000, and the Windows Server 2003 Administration Tools Pack (Adminpak.msi).

Version compatibility

Windows Domain Manager is supported for Windows Server 2003, Windows XP, and Windows 2000.

On administrative workstations that are running Windows XP Professional, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 directory on the Windows Server 2003 CD. Please see the note in the Active Directory Users and Computers subsection above regarding the Administration Tools Pack.

The Windows Server 2003 version of Windows Domain Manager can target domain controllers that are running Windows Server 2003 or Windows 2000.

This tool enables you to manage Active Directory domains and trust relationships from the command line.

Functions of Windows Domain Manager that relate to Kerberos authentication include:

  • Establishing one-way or two-way trust relationships between domains, such as:

    • From an Active Directory domain to an Active Directory domain in another enterprise (also know as an uplevel external trust).

    • Between two Active Directory domains in an enterprise (a shortcut trust).

    • The Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos realm.

  • Managing trust relationships between domains, including:

    • Enumerating direct and indirect trust relationships.

    • Viewing and changing some attributes on a trust — for example, transitivity to non-Windows Kerberos realms.

To find more information about Windows Domain Manager, see “Support Tools Help” in the Tools and Settings Collection.

Netmon.exe: Network Monitor

Category

A limited version of Network Monitor is included in Windows Server 2003, Windows XP, and Windows 2000. The full version of Network Monitor is included with Microsoft Systems Management Server.

Version compatibility

Network Monitor is supported for Windows Server 2003, Windows XP, and Windows 2000.

Network Monitor enables you to capture network traces which can be used in troubleshooting most network issues.

Setspn.exe: Manipulate Service Principal Names for Accounts

Category

Setspn is included in the Windows Server 2003 Support Tools.

Version compatibility

Setspn is supported for Windows Server 2003 and Windows XP Professional.

This command-line tool sets service principal names. SPNs are used to locate a target principal name for running a service. Because SPNs are security-sensitive, SPNs can only be set for user objects if you have domain administrator credentials.

It is not usually necessary to modify SPNs. They are set up by a computer when it joins a domain and when services are installed on the computer. In some cases, however, this information can become stale. For example, if the computer name is changed, the SPNs for installed services would need to be changed to match the new computer name. Also, some services and applications might require manual modification of a service account’s SPN information to correctly authenticate.

Domain administrators can use Setspn to:

  • View the current SPNs.

  • Reset the account’s default SPNs.

  • Add SPNs.

  • Delete supplemental SPNs.

To find more information about Setspn, see “Support Tools Help” in the Tools and Settings Collection.

Kerberos Protocol Registry Settings

Registry settings in the following hives are associated with the Kerberos protocol:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\UserList

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains

The Domains subkey stores information about non-Windows Kerberos realms.

To change the value of the entries in this subkey, use Kerberos Setup (Ksetup.exe), a tool included in Windows Server 2003 Support Tools. Do not use the registry editor.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm

This subkey stores Host to Realm mapping information. The subkey does not exist in the registry by default.

SpnMappings

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm

Version

Windows Server 2003 and Windows XP

This entry is used to create a HostToRealm mapping table.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

The Parameters subkey stores configuration options for the Kerberos V5 authentication protocol in Windows Server 2003.

AllowTgtSessionKey

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry controls whether session keys are exported with initial or cross-realm TGTs. This entry does not exist in the registry by default. The default value is false due to security concerns.

CacheS4UTickets

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003

This entry enables and disables Service-for-User (S4U) caching. This entry does not exist in the registry by default. The default value is true.

ClientIpAddresses

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry controls adding IP addresses in KRB_AS_REQ, thus forcing the Caddr field to contain IP addresses in all tickets. This entry does not exist in the registry by default. The default value is false, due to potential DHCP client and network address translation (NAT) issues.

DefaultEncryptionType

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry controls the default encryption type for PreAuth. This entry does not exist in the registry by default. The default value is KERB_ETYPE_RC4_HMAC_NT.

FarKdcTimeout

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry controls the time-out interval, in minutes, that is used to invalidate a domain controller from a different site in the domain controller cache. This entry does not exist in the registry by default. The default value is 10 minutes.

KdcBackoffTime

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry specifies a time value, in seconds, between successive calls to the Key Distribution Center (KDC) if the previous call failed. This entry does not exist in the registry by default. The default value is 5 seconds.

KdcSendRetries

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry controls the number of retry attempts that a client makes in order to contact a KDC. This entry does not exist in the registry by default. The default value is 3.

KdcWaitTime

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry specifies a time value, in seconds, that is used to time out the Winsock calls. This entry does not exist in the registry by default. The default value is 5 seconds.

KerbDebugLevel

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry controls the verboseness level of debug log macros. This entry does not exist in the registry by default. The default value is 0, which is no logging; however, if you are using a checked build, the default value is 1, which is error logging.

Common Debug Values

Verboseness Level Value

Error s

0x00000001

Warnings

0x00000002

Tracing

0x00000004

API tracing

0x00000008

Credential related tracing

0x00000010

Security Context tracing

0x00000020

Logon Session tracing

0x00000040

Logon tracing

0x00000100

KDC tracing

0x00000200

Detailed Security Context tracing

0x00000400

Time related tracing

0x00000800

User related tracing

0x00001000

Leak related tracing

0x00002000

WinSock related tracing

0x00004000

SPN cache tracing

0x00008000

S4U Errors

0x00010000

S4U tracing

0x00020000

Loopback tracing

0x00080000

Ticket renewal tracing

0x00100000

User to User tracing

0x00200000

Locks tracing

0x01000000

LogLevel

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

If this entry is set to anything non-zero, all Kerberos errors are logged in the system event log. This entry does not exist in the registry by default. The default value is 0.

LogToFile

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry enables debug tracing and logging to a file. This entry does not exist in the registry by default. The default value is false.

MaxPacketSize

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry controls the maximum size, in bytes, for using User Datagram Protocol (UDP). If the packet size is bigger than this value, TCP is used. This entry does not exist in the registry by default. The default value is 1465 bytes.

MaxReferralCount

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry specifies the number of KDC referrals that a client pursues before the client gives up. This entry does not exist in the registry by default. The default value is 3.

MaxTokenSize

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry specifies the maximum value, in bytes, of the Kerberos token size. Use this entry to allow query context attributes to be modified to return a value large enough for tickets containing large numbers of groups. It is recommended that this value remain less than 65,000. This entry does not exist in the registry by default. The default value is 12,000 bytes.

NearKdcTimeout

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry specifies the time-out interval, in minutes, that is used to invalidate a domain controller in the same site in the domain controller cache. This entry does not exist in the registry by default. The default value is 30 minutes.

RequestOptions

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003 and Windows XP

This entry indicates whether there are additional options that must be sent as KDC options in ticket-granting service (TGS) requests (KRB_TGS_REQ). This entry is meant to accommodate future modifications to the KDC options and can be any RFC 1510 value. This entry does not exist in the registry by default. The default value is 0x10000.

RetryPDC

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003

This entry controls whether the primary domain controller (PDC) will be contacted for password-expiry errors for KRB_AS_REQ. This entry does not exist in the registry by default. The default value is false.

S4UCacheTimeout

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003

This entry controls the lifetime, in minutes, of the S4U negative cache entries, which are used to restrict how many S4U proxy requests are made from a specific computer. This entry does not exist in the registry by default. The default value is 15 minutes.

S4UTicketLifetime

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003

This entry controls the lifetime, in minutes, of tickets obtained by S4U proxy requests. This entry does not exist in the registry by default. The default value is 15 minutes.

SkewTime

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003

This entry controls the maximum time difference, in minutes, that is permitted between server, client, and KDC. This entry does not exist in the registry by default. The default value is 5 minutes.

SpnCacheTimeout

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003 and Windows XP

This entry specifies the lifetime, in minutes, of the service principal name (SPN) cache entries. This entry does not exist in the registry by default. The default value is 15 minutes.

StartupTime

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003, Windows XP, and Windows 2000

This entry specifies the time, in seconds, that Windows waits for the KDC to start before Windows gives up. This entry does not exist in the registry by default. The default value is 120 seconds.

TgtRenewalTime

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Version

Windows Server 2003

This entry controls the amount of time, in seconds, that a Kerberos client waits before it tries to renew a TGT before the ticket expires. Only applies to initial TGTs. This entry does not exist in the registry by default. The default value is 600 seconds.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\UserList

The UserList subkey stores entries that associate a Kerberos security principal to a local Windows Server 2003 user account.

Computers that are running Windows Server 2003 can use another KDC — instead of a KDC in an Active Directory domain — to administer authentication. For ease of use, you can map a Kerberos security principal, such as the name of a principal or a realm, to a local Windows user account.

This subkey stores mappings that you enter when you use the /MapUser parameter with Kerberos Setup (Ksetup.exe), a tool that is included in Windows Server 2003 Support Tools. Ksetup.exe adds the entries to the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

This subkey stores the event log configuration information.

Kerberos

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

Version

Windows Server 2003, Windows XP, and Windows 2000

The Kerberos subkey stores configuration information for Event Viewer about the log sources specified by the Kerberos protocol in the registry path. The configuration information tells Event Viewer where to find and how to display Kerberos authentication-related events. Event Viewer displays those events as part of the log specified by the system-log name in the registry path.

Sources

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

Version

Windows Server 2003, Windows XP, and Windows 2000

The Sources entry specifies that Kerberos writes events to this log.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

This subkey stores KDC configuration information.

ExistingConnectionTimeout

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003 and Windows 2000

This entry controls the time-out, in seconds, for input/outputs (I/Os) on this context until the first byte of data is received. This entry does not exist in the registry by default. The default value is 60 seconds.

KdcDebugLevel

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls the verboseness level of debug log macros. This entry does not exist in the registry by default. The default value is 0, which is no logging; however, if you are using a checked build, the default value is 1, which is error logging.

Common Debug Values

Verboseness Level Value

Error s

0x00000001

Warnings

0x00000002

Tracing

0x00000004

API tracing

0x00000008

Credential related tracing

0x00000010

Security Context tracing

0x00000020

Logon Session tracing

0x00000040

Logon tracing

0x00000100

KDC tracing

0x00000200

Detailed Security Context tracing

0x00000400

Time related tracing

0x00000800

User related tracing

0x00001000

Leak related tracing

0x00002000

WinSock related tracing

0x00004000

SPN cache tracing

0x00008000

S4U Errors

0x00010000

S4U tracing

0x00020000

Loopback tracing

0x00080000

Ticket renewal tracing

0x00100000

User to User tracing

0x00200000

Locks tracing

0x01000000

Use Extended Errors

0x10000000

KdcDontCheckAddresses

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls whether the KDC checks if the client IP addresses match one of the IP addresses in the TGT Caddr field.

  • If the entry does not exist or if DWORD = 0, client addresses are checked.

  • If DWORD = 1, client addresses are not checked.

The client must send the IP address in the KRB_TGS_REQ, which is not done by default in Windows operating systems. To enable sending IP addresses as a Kerberos client, see “ClientIpAddresses” earlier in this guide. This entry does not exist in the registry by default. The default value is true due to potential DHCP and NAT issues.

KdcExtraLogLevel

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls extra KDC logging in event logs and audits. This entry does not exist in the registry by default. The default value is 2.

Extra KDC Log Levels

Log Level Value

Audit SPN unknown errors

0x1

Log detailed PKINIT1 errors

0x2

Log all KDC errors with KLIN information

0x4

1 PKINIT is an Internet Engineering Task Force (IETF) Internet draft for “Public key Cryptography for Initial Authentication in Kerberos.”

KdcIssueForwardedTickets

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls whether the KDC issues forwarded tickets. This entry does not exist in the registry by default. The default value is true.

KdcUseClientAddresses

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls whether the KDC accepts client IP addresses in the KRB_AS_REQ:

  • If the entry does not exist or if DWORD = 0, client IP addresses are not accepted.

  • If DWORD = 1, client IP addresses are accepted.

In order for the KDC to propagate the client IP addresses, the client must send them in the KRB_TGS_REQ, which does not occur by default in Windows operating systems. To enable sending IP addresses as a Kerberos client, see “ClientIpAddresses” earlier in this guide. This entry does not exist in the registry by default. The default value is false due to potential DHCP and NAT issues.

KdcUseRequestedEtypesForTickets

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls whether the encryption type for the service ticket is:

  • The first encryption type in the requested encryption types, if true.

  • The strongest encryption type that the server supports, if false.

This entry does not exist in the registry by default. The default value is false.

MaxDatagramReplySize

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls the maximum size, in bytes, of a UDP packet for the KRB_TGS_REP and KRB_AS_REP, before the KDC returns a KRB_ERR_RESPONSE_TOO_BIG error, which requires the client to change to TCP. This entry does not exist in the registry by default. The default value is 1465 bytes.

Kerberos Authentication Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Kerberos V5 Authentication.

Group Policy Settings Associated with Kerberos V5 Authentication

Group Policy Setting Description

User Rights Assignment:

 

Impersonate a client after authentication

Windows 2000 security setting that was first introduced in SP4 for Windows 2000. When you assign this user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes.

By default, members of the Administrators group and the System account are assigned this user right. The following components also are assigned this user right:

  • Services that are started by the Service Control Manager

  • Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account

Kerberos Policy:

 

Enforce user logon restrictions

Determines whether the KDC validates every request for a session ticket against the user rights policy on the target computer. When this policy is enabled, the user requesting the session ticket must have the right either to Log on locally or to Access this computer from network. Validation of each request is optional because the extra step takes time and might slow network access to services. By default, this policy is enabled.

Maximum lifetime for service ticket

Determines the maximum amount of time (in minutes) that a ticket granted for a service (that is, a session ticket) can be used to access the service. If the setting is zero minutes, the ticket never expires. Otherwise, the setting must be greater than ten minutes and less than the setting for Maximum lifetime for user ticket. By default, the setting is 600 minutes (10 hours).

Maximum lifetime for user ticket

Determines the maximum amount of time (in hours) that a user’s TGT can be used. When a user’s TGT expires, a new one must be requested or the existing one must be renewed. By default, the setting is ten hours.

Maximum lifetime for user ticket renewal

Determines the longest period of time (in days) that a TGT can be used if it is repeatedly renewed. By default, the setting is seven days.

Maximum tolerance for computer clock synchronization

Determines the maximum difference (in minutes) that Kerberos will tolerate between the time on a client’s clock and the time on a server’s clock while still considering the two clocks synchronous. By default, the setting is five minutes.

For more information about these Group Policy settings, see “Account Policy Settings.”

Network Ports Used by the Kerberos V5 Protocol

Network Ports Used During Kerberos Authentication

Service Name UDP TCP

DNS

53

53

Kerberos

88

88