Tuesday, April 29, 2008

Debugging Kerberos authentication issues

I have found the following registry key to be of greatest assistance when debugging Kerberos issues. It sets the following parameters:
  • Turns on verbose debug logging
  • Forces Kerberos to use TCP instead of UDP (MaxPacketSize parameter)
  • Increases the maximum token size (MaxTokenSize parameter) so that the group memberships of users who belong to a large number of groups fit inside the Kerberos ticket
Just save the following as a .reg file and double-click it on your server to enter it into the registry.

----COPY BELOW THIS LINE----
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"LogLevel"=dword:00000001
"KerbDebugLevel"=dword:ffffffff
"LogToFile"=dword:00000000
"MaxTokenSize"=dword:0000ea60
"MaxPacketSize"=dword:00000001

----COPY ABOVE THIS LINE----
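
To see which of these values are currently set on a server, and to remove the three logging values again once debugging is finished, the following PowerShell can be used. It is an added example, not part of the original post: the function name and the -RemoveLogging switch are hypothetical, and it assumes that deleting the logging values is how you want to undo them.

```powershell
# Added example. Value names and data are the ones in the .reg file above;
# the function name and the -RemoveLogging switch are hypothetical.
function Get-KerberosDebugSetting {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$RemoveLogging)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    # Expected data, written as in the .reg file (8 hex digits per dword).
    $expected = [ordered]@{
        LogLevel       = '00000001'
        KerbDebugLevel = 'ffffffff'
        LogToFile      = '00000000'
        MaxTokenSize   = '0000ea60'   # 60000 decimal
        MaxPacketSize  = '00000001'
    }
    # Assumption: only these three values are treated as "debug logging".
    $logging = 'LogLevel', 'KerbDebugLevel', 'LogToFile'

    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $raw = if ($props) { $props.$name } else { $null }
        # A dword can come back as Int32 or UInt32; hex formatting handles both.
        $hex = if ($null -ne $raw) { '{0:x8}' -f $raw } else { $null }
        [pscustomobject]@{
            Name     = $name
            Current  = if ($hex) { "0x$hex" } else { '(not set)' }
            FromPost = "0x$($expected[$name])"
            Matches  = ($hex -eq $expected[$name])
        }
        # Deleting a value is gated by ShouldProcess, so -WhatIf previews it.
        if ($RemoveLogging -and $name -in $logging -and $null -ne $raw -and
            $PSCmdlet.ShouldProcess("$key\$name", 'Remove value')) {
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# Read-only report of the five values.
Get-KerberosDebugSetting | Format-Table -AutoSize
```

Run `Get-KerberosDebugSetting -RemoveLogging -WhatIf` from an elevated session to preview the removal before applying it; MaxTokenSize and MaxPacketSize are left untouched.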
