JSI Tip 8177. What registry values can I use to troubleshoot Kerberos authentication in Windows Server 2003?

NOTE: When you finished troubleshooting, remove any Value Names you added, as they can cause performance issues.

The Following Value Names are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters key. They are all REG_DWORD data types, except for the StronglyEncryptDatagram Value Name, which is a REG_BOOL data type:

Value Name D e s c r i p t i o n
SkewTime The maximum difference between client and server time permitted. The default is 5 minutes.
LogLevel Any non-zero value logs Kerberos vents in the System event log.
MaxPacketSize The maximum UDP packet size. When exceeded, TCP/IP is used. The default is 1465 bytes.
StartupTime How long Windows waits for the KDC to start before giving up. The default is 120 seconds.
KdcWaitTime How long Windows waits for a response from a KDC. The default is 10 seconds.
KdcBackoffTime Windows waits KdcBackoffTime seconds to call the KDC if the previous call failed. The default is 3 seconds.
KdcSendRetries The number of times that a client will attempt to contact the KDC. The default is 3.
DefaultEncryptionType The default is decimal 23 for the pre-authorization encryption type.
FarKdcTimeout How long before flushing a domain controller from a different site from the cache. The default is 10 minutes.
NearKdcTimeout How long before flushing a domain controller from the same site from the cache. The default is 30 minutes.
StronglyEncryptDatagram Should 128-bit encrytion be used for datagram packets. This REG_BOOL data type defaults to FALSE.
MaxReferralCount The number of KDC referrals that a client pursues before giving up. The default is 6.
KerbDebugLevel Debug logging is enabled. A Free build is 0. A Checked build is 1.
MaxTokenSize The maximum value of a Kerberos token. The default is 12,000 and Microsoft recommends is remain less than 50,000.
SpnCacheTimeout The lifetime of the Service Principal Names cache entries. The SPN cache is disabled on domain controllers.
S4UCacheTimeout The lifetime of the S4U negative cache entryies that restrict the number of S4U proxy requests from a computer. The default is 15 minutes.
S4UTicketLifetime The lifetime of tickets that are obtained by S4U proxy requests. The default is 15 minutes.
RetryPdc If true, the client will contact the PDC for AS-REQ (Authentication Service Requests) if it receives a password expired error. The default is 0, false, and any non-zero data value is true.
RequestOptions Additional options that must be sent as KDC options in the Ticket Granting Service requests.
ClientIpAddress Should the client IP address be added in AS_REG to force Caddr to contain IP address in all tickets? The default is 0, false, because of DHCP and NAT issues. Any non-zero value is is true.
TgtRenewalTime How long should Kerberos wait before it tries to renew a TGT (Ticket Granting Ticket) before the ticket expires. The default is 600 seconds.
AllowTgtSessionKey Should session keys be exported. The default is 0, false, for security concerns. Any non-zero value is true.

The Following Value Names are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc key. They are all REG_DWORD data types.

Value Name D e s c r i p t i o n
KdcUseClientAddresses If 0, the default, IP addresses will NOT be addes in the TGS_REP (Ticket-Granting Service Reply). Any non-zero value is true.
KdcDontCheckAddresses Should IP addresses for the TGS_REQ and the TGT Caddr field will be checked. The default is 0, false. Any non-zero value is true.
NewConnectionTimeout How long should an initial TCP endpoint connection be kept open to receive data? The default is 50 seconds.
MaxDatagramReplySize The maximum TGS_REP and AS_REP UDP packet size. If exceeded, the KDC returns KRB_ERR_RESPONSE_TOO_BIG, requesting that the client switch to TCP. The default is 1465 bytes.
KdcExtraLogLevel 1 is Audit SPN unknown erros. 2, the default, is log PKINIT errors. 4 is log all KDC errors.
KdcDebugLevel Debug logging is off if 0 (Free build), on if 1 (Checked build). If set to hex 0x10000000, decimal 268435456, file or line information will be returned in the edata field of KERB_ERRORS as PKERB_EXT_ERROR errors during a KDC processing failure.



Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish