Configuring a Computer for Troubleshooting Kerberos
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Before you can use advanced troubleshooting techniques to identify and resolve Kerberos-related problems, you need to configure your computer for troubleshooting. In addition, you need a basic understanding of troubleshooting concepts, procedures, and tools.
Configuration Tasks for Troubleshooting
To configure your computer for troubleshooting, perform the following tasks:
Install the Windows Support Tools
The Windows Support Tools assist support personnel and network administrators in managing their networks and troubleshooting problems. They are not installed with the Windows operating system; you must install them separately from the \Support\Tools folder of the Windows operating system CD.
Configure Tools for Troubleshooting
Configure the following tools as needed:
Ldifde.exe is present on domain controllers but can be copied and used on client computers running Windows XP and Windows Server 2003. Ldifde provides a method to quickly extract and display certain Service Principal Names (SPNs) in a forest or domain.
LDP.exe is included with the Windows Support Tools.
Setspn.exe is included with the Windows Support Tools.
For information about downloading Tokensz, see Tokensz.exe on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42933).
Enable Account Logon Failure Auditing
You can configure the Windows Server 2003 audit log so that it records information about failed logon attempts. To record this information in the audit log, you must enable the Audit account logon events policy.
To enable Account Logon Failure auditing
Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage the Audit Policy settings in your organization.
In the console tree, open Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, and then click Audit Policy.
In the details pane, double-click Audit account logon events.
If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.
To audit unsuccessful attempts, select the Failure check box.
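To confirm that the setting took effect on a computer after Group Policy refreshes, the following added example (not part of the original article) checks an exported copy of the computer's security policy for the Failure setting on Audit account logon events. It assumes the export was produced with secedit /export /cfg <file> /areas SECURITYPOLICY; the function names and the embedded sample export are constructed for illustration.

```python
import configparser
import sys

# Security-template encoding for each audit category:
# 0 = no auditing, 1 = Success, 2 = Failure, 3 = Success and Failure.
SUCCESS, FAILURE = 1, 2

# Constructed sample of a policy export (not taken from a real system).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 3
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def decode_export(raw: bytes) -> str:
    """Decode an export file: UTF-16 with a BOM when present, else single-byte text."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def account_logon_audit(text: str) -> dict:
    """Report whether Audit account logon events is defined, and for which outcomes."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, allow_no_value=True)
    parser.read_string(text)
    raw = parser.get("Event Audit", "AuditAccountLogon", fallback=None)
    if raw is None:
        return {"defined": False, "success": False, "failure": False}
    value = int(raw)
    return {"defined": True,
            "success": bool(value & SUCCESS),
            "failure": bool(value & FAILURE)}


if __name__ == "__main__":
    text = SAMPLE_EXPORT
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            text = decode_export(handle.read())
    state = account_logon_audit(text)
    print(state)
    sys.exit(0 if state["failure"] else 1)
```

The constructed sample audits only successful account logons, so the check reports that Failure auditing is not yet enabled, which is the state the procedure above corrects.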