Troubleshooting Kerberos Problems
Last week, I spent an all-nighter troubleshooting a Kerberos issue for a MOSS installation. Although it was very tiring spending an entire day and night fixing this problem, I actually thought it was fun. I learned a lot about configuring AD for delegation and how to troubleshoot delegation problems. Before I forget everything I've learned, I'm going to take a few notes here on what helped me so that whenever I'm in the same situation again, I won't have to stay up all night fixing it.
I'm not going to discuss how to setup Kerberos here. There are plenty of good resources for doing that. Here are some blogs that really helped me out:
- Four-parts series on how to configure delegation by Steve Patrick.
- Enabling Kerberos Delegation on an NLB Scenario
- Very nice blog by Liam Cleary showing all the steps with screen shots.
What I'd like to note here are some of the tools I used to debug Kerberos problems. Some of them were noted in Liam's blog, others I got from internal Microsoft resources:
- Commands to get/set authentication providers. The number in the command is the website ID which you can get from IIS Manager
C:\Inetput\AdminScripts\cscript adsutil.vbs get 3svc/1508561879/root/NTAuthenticationProviders
C:\Inetput\AdminScripts\cscript adsutil.vbs set 3svc/1508561879/root/NTAuthenticationProviders "Negotiate,NTLM"
- To view authentication schemes for all SQL connections
Select auth_scheme from sys.dm_exec_connections
- In order for Kerberos delegation to work correctly, you need to make sure Service Principal Names for service accounts are configured properly. You can easily do that by bringing up ADSI Edit and looking at the servicePrincipalName attribute. But what if you don’t have access to AD? Try running the DHCheck.vbs script, which is available for download here. The syntax for this script is:
Cscript chcheck.vbs account1 [account2 [account […]]] where accounts are either service or computer accounts used from end to end.
- Use Microsoft Network Monitor to view Kerberos messages. Netmon is available from Microsoft Download Center. It’s best to install netmon on all servers (client, middle tier, and database server) so that you can view Kerberos messages from all perspectives.
- Use Kerbtray to view and purge Kerberos tickets. Kerbtray is available in the Windows 2000 Resource Kit Tool or it can be downloaded individually from here.