Testing and Troubleshooting Kerberos

Testing and troubleshooting are an essential part to finishing your Kerberos configuration. Logging Kerberos activity is the first and arguably the most important troubleshooting technique. Refer to the Microsoft article "Troubleshooting Kerberos Errors" (www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx#ene). In particular, see the "How to enable Kerberos event logging on a specific computer" section and the "Debug Output" section. You enable Kerberos logging on the MOSS server acting as the Web front end. Here’s a list of some tools (with brief descriptions) that are useful in testing and troubleshooting Kerberos authentication.

Eventvwr.msc—The Event Viewer is an essential resource for troubleshooting many aspects of a systems operation. When it comes to Kerberos, we have found it an essential tool for delegation testing. We run the event viewer on a target system to determine whether Kerberos delegation is working.

Kerbtray.exe—Kerberos Tray is a GUI tool available in the Microsoft Windows Server 2003 Resource Kit that displays ticket information for a computer running Microsoft’s implementation of Kerberos 5. It lets you view and purge the ticket cache by using the Kerberos Tray tool icon located in the notification area of the desktop. This is useful if a user is having trouble accessing a system where a service account password has changed. By positioning the cursor over the icon, you can view the time left until the initial ticket-granting ticket (TGT) expires. The icon also changes in the hour before the Local Security Authority (LSA) renews the ticket.

Klist.exe—Kerberos List is a command-line tool available in the resource kit. Use it to view and delete Kerberos tickets granted to the current logon session.

Klist uses the following syntax:

klist \[tickets | tgt | purge\] \[-?\]

To use Kerberos List to view tickets, you must run the tool on a computer that's a member of a Kerberos realm. When Kerberos List is run from a client, it shows the following:

  • Ticket-granting ticket (TGT) to a Kerberos Key Distribution Center (KDC) in Windows.
  • Ticket-granting ticket (TGT) to Ksserver on UNIX.

NetMON.exe—Network Monitor 3.0 is a protocol analyzer, which lets you capture network traffic, view and analyze it and troubleshoot network issues. It's a wonderful improvement over the version of NetMON bundled with Windows Server or the enhanced version in Microsoft Systems Management Server. You can download Network Monitor 3.0 at www.microsoft.com/downloads/details.aspx?FamilyID=aa8be06d-4a6a-4b69-b861-2043b665cb53&DisplayLang=en.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.