Configuring a Computer for Troubleshooting Kerberos

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before you can use advanced troubleshooting techniques to identify and resolve Kerberos-related problems, you need to configure your computer for troubleshooting. In addition, you need a basic understanding of troubleshooting concepts, procedures, and tools.

Configuration Tasks for Troubleshooting

To configure your computer for troubleshooting, perform the following tasks:

  • Install the Windows Support Tools

  • Configure Tools for Troubleshooting

  • Enable Account Logon Failure Auditing

Install the Windows Support Tools

The Windows Support Tools assist support personnel and network administrators in managing their networks and troubleshooting problems. They are not installed with the Windows operating system; you must install them separately from the \Support\Tools folder of the Windows operating system CD.

Configure Tools for Troubleshooting

Configure the following tools as needed:

  • Ldifde

    Ldifde.exe is present on domain controllers but can be copied and used on client computers running Windows XP and Windows Server 2003. Ldifde provides a method to quickly extract and display certain Service Principal Names (SPNs) in a forest or domain.

  • LDP

    LDP.exe is included with the Windows Support Tools.

  • Setspn

    Setspn.exe is included with the Windows Support Tools.

  • Tokensz

    For information about downloading Tokensz, see Tokensz.exe on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=42933).
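
As an added example (not part of the original page or of the Windows Support Tools), the following Python code parses an Ldifde export of the servicePrincipalName attribute and goes one step beyond listing SPNs by reporting any SPN that is registered on more than one account. The domain name, account names, and the ldifde command line in the comment are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample of an Ldifde export, e.g. produced with (domain DN is a placeholder):
#   ldifde -f spns.ldf -d "DC=example,DC=com" -r "(servicePrincipalName=*)" -l servicePrincipalName
SAMPLE_LDIF = """\
dn: CN=WEB01,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/web01.example.com
servicePrincipalName: HTTP/intranet.example.com

dn: CN=svc-web,CN=Users,DC=example,DC=com
servicePrincipalName: HTTP/intra
 net.example.com
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_value(line):
    """Split 'attr: value' or 'attr:: base64value' into (attr, decoded value)."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()

def spn_index(text):
    """Map each SPN (lower-cased, since SPNs compare case-insensitively) to the DNs holding it."""
    index, dn = defaultdict(set), None
    for line in unfold(text):
        attr, value = parse_value(line)
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            index[value.lower()].add(dn)
    return index

def duplicate_spns(text):
    """Return {spn: sorted DNs} for every SPN registered on more than one account."""
    return {s: sorted(d) for s, d in spn_index(text).items() if len(d) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", "; ".join(dns))
```
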

Enable Account Logon Failure Auditing

You can configure the Windows Server 2003 audit log so that it records information about failed logon attempts. To record this information in the audit log, you must enable the Audit account logon events policy.

To enable Account Logon Failure auditing

  1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage the Audit Policy settings in your organization.

  2. In the console tree, open Computer Configuration, open Windows Settings, open Security Settings, open Local Policies, and then click Audit Policy.

  3. In the details pane, double-click Audit account logon events.

  4. If you are defining auditing policy settings for this event category for the first time, select the Define these policy settings check box.

  5. To audit unsuccessful attempts, select the Failure check box.