Kerberos Authentication Tools and Settings

Artículo
10/08/2009

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Kerberos Authentication Tools and Settings

In this section

Kerberos Protocol Tools
Kerberos Protocol Registry Settings
Kerberos Authentication Group Policy Settings
Network Ports Used by the Kerberos V5 Protocol

Kerberos Protocol Tools

The following tools are associated with administering and troubleshooting the Kerberos version 5 authentication protocol.

Domain.msc: Active Directory Domains and Trusts

Category

Active Directory Domains and Trusts is an MMC snap-in that is installed automatically on computers running Windows Server 2003 when you install Active Directory. You can also use this tool on non-domain controllers by installing the Windows Server 2003 Administration Tools pack. You can start Active Directory Domains and Trusts in the following way: Click Start, then click Programs,then click Administrative Tools, and then click Active Directory Domains and Trusts.

Version compatibility

This tool is compatible with domain controllers running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition. You can also use Active Directory Domains and Trusts with the Windows Server 2003 Administration Tools pack to remotely administer Active Directory from a computer that is not a domain controller, such as a computer running Windows XP Professional. You can use this tool to target any domain controller in either Windows 2000 Server or Windows Server 2003 domains.

Note

When using Windows Server 2003 Active Directory administrative tools to connect to a domain controller running Windows 2000, you must first be sure that the Windows 2000–based domain controller to which you are connecting has Service Pack 3 or later installed. This is because Windows Server 2003 administrative tools sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic by default.

Active Directory Domains and Trusts provides a graphical interface in which you can view all domains in the forest. Using this tool, an administrator can manage each of the domains in the forest, trust relationships between domains, configure the functional level for each domain or forest, and configure the alternative user principal name (UPN) suffixes for a forest.

Active Directory Domains and Trusts can be used to create, view, and modify most trust-related tasks. It can be used to target all Active Directory domain controllers and can verify all Active Directory trust types. Trust verification takes place between two domains by enumerating all of the domain controllers in each domain. If you choose to have Active Directory Domains and Trusts create both sides of the trust at once, the trust password is automatically generated.

You can find more information about Active Directory Domains and Trusts on Microsoft TechNet.

Dsa.msc: Active Directory Users and Computers

Category

Active Directory Users and Computers is a Microsoft Management Console (MMC) snap-in that is automatically installed when you install Active Directory. Dsa.msc is also included with the Administration Tools Pack (Adminpak.msi).

You can access the tool from the Start menu: Click Start, click Programs,click Administrative Tools, and then click Active Directory Users and Computers.

Version compatibility

Active Directory Users and Computers runs on domain controllers that are running Windows Server 2003 or Windows 2000. In both of these server systems, MMC provides a window in the user interface where you can add, configure, and control items. Active Directory Users and Computers is the MMC tool that you can use to administer and publish information in the directory.

The Windows Server 2003 version of Active Directory Users and Computers can target domain controllers that are running Windows Server 2003 or Windows 2000.

On administrative workstations that are running Windows XP Professional or Windows 2000, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 folder on the Windows Server 2003 CD. This version of the Administration Tools Pack encrypts and signs LDAP traffic between the administrative tool clients and domain controllers.

Note

You cannot run the Windows Server 2003 Administration Tools Pack (Adminpak.msi) on a computer that is running Windows XP Professional, Windows XP Home Edition, or Windows XP 64-Bit Edition Version 2003 without Windows XP Service Pack 1 (SP1).

You can use Active Directory Users and Computers to manage the following properties associated with objects. Your managing the properties will affect Kerberos V5 authentication for these objects.

Active Directory Users and Computers Object Management

Property	Changes That Affect Kerberos V5 Authentication
Computer objects
Trust computer for delegation	The service can impersonate a user to use other network services. Allows services running as local system to request services from other services.
Computer objects delegation tab options	(This tab will only appear in domains with Windows Server 2003 Functional Level.)
Do not trust this computer for delegation
Trust this computer for delegation to any service (Kerberos only)	Not recommended. This enables unconstrained delegation.
Trust this computer for delegation to specified services only	Use Kerberos only: Enables constrained delegation without protocol transition. Use any authentication protocol: Enables constrained delegation with protocol transition
User or service objects account tab options
Account is trusted for delegation	The account is enabled for delegation. This is a security-sensitive setting. Accounts with this option enabled should be tightly controlled. This setting enables a service that runs under the account to assume a client’s identity and authenticate as that user to remote servers on the network.
Account is sensitive and cannot be delegated	When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
Use DES encryption types for this account	Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. If a user account is configured to use DES encryption, a Windows 2000, Windows XP, or Windows Server 2003–based client requests a ticket-granting ticket (TGT) by using the DES-CBC-MD5 encryption type.
Do not require Kerberos pre-authentication	Overrides the default setting that the KDC requires all accounts to use pre-authentication. The default setting makes offline password-guessing attacks very difficult. You can choose to override the default setting for individual accounts when necessary for compatibility with other implementations of the protocol.
User or service objects delegation tab options	(This tab will only appear on accounts with registered SPNs in domains with Windows Server 2003 Functional Level.)
Do not trust this user for delegation
Trust this user for delegation to any service (Kerberos only)	Not recommended. This enables unconstrained delegation.
Trust this user for delegation to specified services only	Use Kerberos only: Enables constrained delegation without protocol transition. Use any authentication protocol: Enables constrained delegation with protocol transition.

You can find more information about Active Directory Users and Computers on Microsoft TechNet.

Eventvwr.msc: Event Viewer

Category

Event Viewer is included in Windows Server 2003, Windows XP, and Windows 2000.

Version compatibility

Event Viewer is supported for Windows Server 2003, Windows XP, and Windows 2000.

The system and security logs contain Kerberos error codes and other events related to authentication.

The following table lists event IDs and information that can be associated with Kerberos authentication. An event log contains only relevant event information. For example, only failure audits have Kerberos error codes; smartcard logons have certificate information.

Security Log Events That Might Contain Kerberos Error Codes

Event ID	Account Logon Event Type	Event Information Potentially Associated with Kerberos Authentication
672	Success audit (Windows 2000 and Windows Server 2003) Failure audit (Windows Server 2003)	Authentication Ticket Request: User Name Supplied Realm Name User ID Service Name Service ID Ticket Options Result Code: Kerberos error code Ticket Encryption Type Pre-Authentication Type Client Address Certificate Issuer Name Certificate Serial Number Certificate Thumbprint
673	Success audit (Windows 2000 and Windows Server 2003) Failure audit (Windows Server 2003)	Service Ticket Request: User Name User Domain Service Name Service ID Ticket Options Ticket Encryption Type Client Address Failure Code: Kerberos Error Code Logon GUID Transited Services
675	Failure audit	Pre-authentication Failed: User Name User ID Service Name Pre-authentication Type Failure Code: Kerberos error code Client Address
676	Failure audit (Obsolete in Windows Server 2003; both success and failure audits use event ID 672.)	Authentication Ticket Request Failed: User Name Supplied Realm Name Service Name Ticket Options Failure Code: Kerberos error code Client Address
677	Failure audit (Obsolete in Windows Server 2003; both success and failure audits use event ID 673.)	Service Ticket Request Failed: User Name User Domain Service Name Ticket Options Failure Code: Kerberos error code Client Address

Kerberos V5 Authentication Protocol Error Messages Generated by Windows Server 2003

Kerberos Error Number	Kerberos Error Code	Description
0x3	KDC_ERR_BAD_PVNO	Requested protocol version number not supported.
0x6	KDC_ERR_C_PRINCIPAL_UNKNOWN	Client not found in Kerberos database.
0x7	KDC_ERR_S_PRINCIPAL_UNKNOWN	Server not found in Kerberos database.
0x8	KDC_ERR_PRINCIPAL_NOT_UNIQUE	Multiple principal entries in database.
0xA	KDC_ERR_CANNOT_POSTDATE	Ticket not eligible for postdating.
0xB	KDC_ERR_NEVER_VALID	Requested start time is later than end time.
0xC	KDC_ERR_POLICY	KDC policy rejects request.
0xD	KDC_ERR_BADOPTION	KDC cannot accommodate requested option.
0xE	KDC_ERR_ETYPE_NOSUPP	KDC has no support for encryption type.
0xF	KDC_ERR_SUMTYPE_NOSUPP	KDC has no support for checksum type.
0x10	KDC_ERR_PADATA_TYPE_NOSUPP	KDC has no support for pre-authentication data type.
0x12	KDC_ERR_CLIENT_REVOKED	Client’s credentials have been revoked.
0x17	KDC_ERR_KEY_EXPIRED	Password has expired - change password to reset.
0x18	KDC_ERR_PREAUTH_FAILED	Pre-authentication information was invalid.
0x19	KDC_ERR_PREAUTH_REQUIRED	Additional pre-authentication required.
0x1B	KDC_ERR_MUST_USE_USER2USER	Server principal valid for user-to-user only.
0x1C	KDC_ERR_PATH_NOT_ACCPETED	KDC Policy rejects transited path.
0x1D	KDC_ERR_SVC_UNAVAILABLE	A service is not available.
0x1F	KRB_AP_ERR_BAD_INTEGRITY	Integrity check on decrypted field failed.
0x20	KRB_AP_ERR_TKT_EXPIRED	Ticket expired.
0x21	KRB_AP_ERR_TKT_NYV	Ticket not yet valid.
0x22	KRB_AP_ERR_REPEAT	Request is a replay.
0x23	KRB_AP_ERR_NOT_US	The ticket isn’t for us.
0x24	KRB_AP_ERR_BADMATCH	Ticket and authenticator do not match.
0x25	KRB_AP_ERR_SKEW	Clock skew too great.
0x28	KRB_AP_ERR_MSG_TYPE	Invalid message type.
0x29	KRB_AP_ERR_MODIFIED	Message stream modified.
0x34	KRB_ERR_RESPONSE_TOO_BIG	Response too big for UDP, retry with TCP.
0x3C	KRB_ERR_GENERIC	Generic error (description in e-text).
0x44	KDC_ERR_WRONG_REALM	User-to-user TGT issued different KDC.

To find more information about “Event Viewer”, see “Event Viewer” on Microsoft TechNet.

Kerbtray.exe: Kerberos Tray

Category

Kerberos Tray is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version compatibility

Kerberos Tray is supported for Windows Server 2003, Windows XP, and Windows 2000.

Kerberos Tray is a graphical user interface tool that displays ticket information for a computer running Microsoft’s implementation of the Kerberos version 5 authentication protocol.

You can view and purge the ticket cache by using the Kerberos Tray tool icon located in the notification area of the desktop. By positioning the cursor over the icon, you can view the time left until the initial ticket-granting ticket (TGT) expires. The icon also changes in the hour before the Local Security Authority (LSA) renews the ticket.

To find more information about Kerberos Tray, see “Windows Server 2003 Resource Kit Tools Help in the Tools and Settings Collection.”

Klist.exe: Kerberos List

Category

Kerberos List is included in the Windows Server 2003 Resource Kit and the Windows 2000 Resource Kit.

Version compatibility

Kerberos List is supported for Windows Server 2003, Windows XP, and Windows 2000.

Kerberos List is a command-line tool that is used to view and delete Kerberos tickets granted to the current logon session. To use Kerberos List to view tickets, you must run the tool on a computer that is a member of a Kerberos realm.

When Kerberos List is run from a client, it shows the:

Ticket-granting ticket (TGT) to a Kerberos Key Distribution Center (KDC) in Windows.
Ticket-granting ticket (TGT) to Ksserver on UNIX.

Parameters

Kerberos List uses the following syntax:

klist [tickets | tgt | purge] [-?]

Tickets

Lists the current cached tickets of services to which you have authenticated since logging on. Displays the following attributes of all cached tickets:

Option	Description
End Time	Time at which that the ticket becomes invalid. After a ticket is past this time, it cannot be used to authenticate to a service.
KerbTicket Encryption Type	Encryption type used to encrypt the Kerberos ticket.
Renew Time	Maximum lifetime of a renewable ticket (see TicketFlags in the table below). To continue using this ticket, you must renew it before reaching the established End Time and before the expiration date established in RenewUntil.
Server	Server and domain for the ticket.

tgt

Lists the initial Kerberos ticket-granting ticket (TGT). Displays the following attributes of the currently cached ticket:

Option	Description
AltTargetDomainName	Name supplied to InitializeSecurityContext that generated this ticket, typically a service principal name (SPN).
DomainName	Domain name of the service.
End Time	Time when the ticket becomes invalid. When a ticket is past the end time, it cannot be used to authenticate to a service.
FullServiceName	Canonical name of the account principal for the service.
KeyExpirationTime	Expiration time from the KDC reply.
RenewUntil Maximum lifetime of a renewable ticket (see TicketFlags)	To continue using a ticket, you must renew it. Tickets must be renewed before the expiration time set in End Time and in RenewUntil.
ServiceName	A TGT is a ticket for the Key Distribution Center (KDC) service. The service name for a TGT is “krbtgt.”
Start time	Time when the ticket becomes valid.
TargetDomainName	For a cross-realm ticket, this is the realm, rather than the issuing realm, in which the ticket is good.
TargetName	Service name for which the ticket was requested. This is the name of a servicePrincipalName property on an account in the directory.
TicketFlags	Kerberos ticket flags set on the current ticket in hexadecimal. Kerberos Tray displays these flags on the Flags tab.
TimeSkew	The reported time difference between the client computer and the server computer for a ticket.

purge

Will list each ticket and enables you to delete specific tickets. When you choose Yes to a ticket, then purge tickets destroys the ticket that you have cached, so use this with caution. It might stop you from being able to authenticate to resources. If this happens, you must log off and then log on again.

-?

Displays command-line help.

To find more information about Kerberos List, see “Windows Server 2003 Resource Kit Tools Help” in the Tools and Settings Collection.

Ksetup.exe: Kerberos Setup

Category

Kerberos Setup is included in the Windows Server 2003 Support Tools.

Version compatibility

Kerberos Setup is supported for Windows Server 2003.

Kerberos Setup is a command-line tool you can use to configure Windows for Kerberos V5 interoperability. Kerberos Setup configures a client connected to a server running Windows Server 2003 to use a server running the Kerberos V5 authentication protocol. After Kerberos Setup configures the client, the client then uses a Kerberos V5 realm instead of a Windows Server 2003 domain. This provides a single sign-on to the Key Distribution Center (KDC) and a local client account connected to a computer running Windows Server 2003.

Administrators can use Kerberos Setup to:

Set up a realm entry for a Kerberos V5 realm.
Set up a list of KDCs for the Kerberos V5 realm for which you set up a realm entry.
Set up a kpasswd server for the Kerberos V5 realm for which you set up a realm entry.
Set up local account to Kerberos V5 account mappings.
Set the computer’s password in the Kerberos realm.
Change a user’s password in a Kerberos V5 realm.

To find more information about Kerberos Setup, see “Support Tools Help” in the Tools and Settings Collection.

Ktpass.exe: Kerberos Keytab Setup

Category

Kerberos Keytab Setup is included in the Windows Server 2003 Support Tools.

Version compatibility

Kerberos Keytab Setup is supported for Windows Server 2003.

Kerberos Keytab Setup is a command-line tool that enables an administrator to configure a non-Windows Kerberos service as a security principal in the Windows Server 2003 Active Directory. Kerberos Keytab Setup configures the server principal name for the host or service in Active Directory and generates an MIT-style Kerberos keytab file containing the shared secret key of the service. The tool enables non-Windows brand operating system services that support Kerberos authentication to use the interoperability features provided by the Kerberos KDC service that runs on Windows Server 2003.

To find more information about Kerberos Keytab Setup, see “Support Tools Help” in the Tools and Settings Collection.

Netdom.exe: Windows Domain Manager

Category

Windows Domain Manager is included in Windows Server 2003, Windows 2000, and the Windows Server 2003 Administration Tools Pack (Adminpak.msi).

Version compatibility

Windows Domain Manager is supported for Windows Server 2003, Windows XP, and Windows 2000.

On administrative workstations that are running Windows XP Professional, you can install the Windows Server 2003 Administration Tools Pack (Adminpak.msi) from the i386 directory on the Windows Server 2003 CD. Please see the note in the Active Directory Users and Computers subsection above regarding the Administration Tools Pack.

The Windows Server 2003 version of Windows Domain Manager can target domain controllers that are running Windows Server 2003 or Windows 2000.

This tool enables you to manage Active Directory domains and trust relationships from the command line.

Functions of Windows Domain Manager that relate to Kerberos authentication include:

Establishing one-way or two-way trust relationships between domains, such as:
- From an Active Directory domain to an Active Directory domain in another enterprise (also know as an uplevel external trust).
- Between two Active Directory domains in an enterprise (a shortcut trust).
- The Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos realm.
Managing trust relationships between domains, including:
- Enumerating direct and indirect trust relationships.
- Viewing and changing some attributes on a trust — for example, transitivity to non-Windows Kerberos realms.

To find more information about Windows Domain Manager, see “Support Tools Help” in the Tools and Settings Collection.

Netmon.exe: Network Monitor

Category

A limited version of Network Monitor is included in Windows Server 2003, Windows XP, and Windows 2000. The full version of Network Monitor is included with Microsoft Systems Management Server.

Version compatibility

Network Monitor is supported for Windows Server 2003, Windows XP, and Windows 2000.

Network Monitor enables you to capture network traces which can be used in troubleshooting most network issues.

Setspn.exe: Manipulate Service Principal Names for Accounts

Category

Setspn is included in the Windows Server 2003 Support Tools.

Version compatibility

Setspn is supported for Windows Server 2003 and Windows XP Professional.

This command-line tool sets service principal names. SPNs are used to locate a target principal name for running a service. Because SPNs are security-sensitive, SPNs can only be set for user objects if you have domain administrator credentials.

It is not usually necessary to modify SPNs. They are set up by a computer when it joins a domain and when services are installed on the computer. In some cases, however, this information can become stale. For example, if the computer name is changed, the SPNs for installed services would need to be changed to match the new computer name. Also, some services and applications might require manual modification of a service account’s SPN information to correctly authenticate.

Domain administrators can use Setspn to:

View the current SPNs.
Reset the account’s default SPNs.
Add SPNs.
Delete supplemental SPNs.

To find more information about Setspn, see “Support Tools Help” in the Tools and Settings Collection.

Kerberos Protocol Registry Settings

Registry settings in the following hives are associated with the Kerberos protocol:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\UserList
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as MMC to accomplish tasks. If you must edit the registry, use extreme caution.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains

The Domains subkey stores information about non-Windows Kerberos realms.

To change the value of the entries in this subkey, use Kerberos Setup (Ksetup.exe), a tool included in Windows Server 2003 Support Tools. Do not use the registry editor.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm

This subkey stores Host to Realm mapping information. The subkey does not exist in the registry by default.

SpnMappings

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm

Version

Windows Server 2003 and Windows XP

This entry is used to create a HostToRealm mapping table.

Windows Server 2003, Windows XP, and Windows 2000

This entry controls the verboseness level of debug log macros. This entry does not exist in the registry by default. The default value is 0, which is no logging; however, if you are using a checked build, the default value is 1, which is error logging.

Common Debug Values

Verboseness Level	Value
Error s	0x00000001
Warnings	0x00000002
Tracing	0x00000004
API tracing	0x00000008
Credential related tracing	0x00000010
Security Context tracing	0x00000020
Logon Session tracing	0x00000040
Logon tracing	0x00000100
KDC tracing	0x00000200
Detailed Security Context tracing	0x00000400
Time related tracing	0x00000800
User related tracing	0x00001000
Leak related tracing	0x00002000
WinSock related tracing	0x00004000
SPN cache tracing	0x00008000
S4U Errors	0x00010000
S4U tracing	0x00020000
Loopback tracing	0x00080000
Ticket renewal tracing	0x00100000
User to User tracing	0x00200000
Locks tracing	0x01000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\UserList

The UserList subkey stores entries that associate a Kerberos security principal to a local Windows Server 2003 user account.

Computers that are running Windows Server 2003 can use another KDC — instead of a KDC in an Active Directory domain — to administer authentication. For ease of use, you can map a Kerberos security principal, such as the name of a principal or a realm, to a local Windows user account.

This subkey stores mappings that you enter when you use the /MapUser parameter with Kerberos Setup (Ksetup.exe), a tool that is included in Windows Server 2003 Support Tools. Ksetup.exe adds the entries to the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

This subkey stores the event log configuration information.

Kerberos

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

Version

Windows Server 2003, Windows XP, and Windows 2000

The Kerberos subkey stores configuration information for Event Viewer about the log sources specified by the Kerberos protocol in the registry path. The configuration information tells Event Viewer where to find and how to display Kerberos authentication-related events. Event Viewer displays those events as part of the log specified by the system-log name in the registry path.

Sources

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System

Version

Windows Server 2003, Windows XP, and Windows 2000

The Sources entry specifies that Kerberos writes events to this log.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

This subkey stores KDC configuration information.

ExistingConnectionTimeout

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003 and Windows 2000

This entry controls the time-out, in seconds, for input/outputs (I/Os) on this context until the first byte of data is received. This entry does not exist in the registry by default. The default value is 60 seconds.

KdcDebugLevel

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

Common Debug Values

Verboseness Level	Value
Error s	0x00000001
Warnings	0x00000002
Tracing	0x00000004
API tracing	0x00000008
Credential related tracing	0x00000010
Security Context tracing	0x00000020
Logon Session tracing	0x00000040
Logon tracing	0x00000100
KDC tracing	0x00000200
Detailed Security Context tracing	0x00000400
Time related tracing	0x00000800
User related tracing	0x00001000
Leak related tracing	0x00002000
WinSock related tracing	0x00004000
SPN cache tracing	0x00008000
S4U Errors	0x00010000
S4U tracing	0x00020000
Loopback tracing	0x00080000
Ticket renewal tracing	0x00100000
User to User tracing	0x00200000
Locks tracing	0x01000000
Use Extended Errors	0x10000000

KdcDontCheckAddresses

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls whether the KDC checks if the client IP addresses match one of the IP addresses in the TGT Caddr field.

If the entry does not exist or if DWORD = 0, client addresses are checked.
If DWORD = 1, client addresses are not checked.

The client must send the IP address in the KRB_TGS_REQ, which is not done by default in Windows operating systems. To enable sending IP addresses as a Kerberos client, see “ClientIpAddresses” earlier in this guide. This entry does not exist in the registry by default. The default value is true due to potential DHCP and NAT issues.

KdcExtraLogLevel

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Windows Server 2003

This entry controls extra KDC logging in event logs and audits. This entry does not exist in the registry by default. The default value is 2.

Extra KDC Log Levels

Log Level	Value
Audit SPN unknown errors	0x1
Log detailed PKINIT1 errors	0x2
Log all KDC errors with KLIN information	0x4

1 PKINIT is an Internet Engineering Task Force (IETF) Internet draft for “Public key Cryptography for Initial Authentication in Kerberos.”

KdcIssueForwardedTickets

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Version

Kerberos Authentication Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Kerberos V5 Authentication.

Group Policy Settings Associated with Kerberos V5 Authentication

Group Policy Setting	Description
User Rights Assignment:
Impersonate a client after authentication	Windows 2000 security setting that was first introduced in SP4 for Windows 2000. When you assign this user right to a user, you permit programs that run on behalf of that user to impersonate a client. This security setting helps to prevent unauthorized servers from impersonating clients that connect to it through methods such as remote procedure calls (RPC) or named pipes. By default, members of the Administrators group and the System account are assigned this user right. The following components also are assigned this user right: Services that are started by the Service Control Manager Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account
Kerberos Policy:
Enforce user logon restrictions	Determines whether the KDC validates every request for a session ticket against the user rights policy on the target computer. When this policy is enabled, the user requesting the session ticket must have the right either to Log on locally or to Access this computer from network. Validation of each request is optional because the extra step takes time and might slow network access to services. By default, this policy is enabled.
Maximum lifetime for service ticket	Determines the maximum amount of time (in minutes) that a ticket granted for a service (that is, a session ticket) can be used to access the service. If the setting is zero minutes, the ticket never expires. Otherwise, the setting must be greater than ten minutes and less than the setting for Maximum lifetime for user ticket. By default, the setting is 600 minutes (10 hours).
Maximum lifetime for user ticket	Determines the maximum amount of time (in hours) that a user’s TGT can be used. When a user’s TGT expires, a new one must be requested or the existing one must be renewed. By default, the setting is ten hours.
Maximum lifetime for user ticket renewal	Determines the longest period of time (in days) that a TGT can be used if it is repeatedly renewed. By default, the setting is seven days.
Maximum tolerance for computer clock synchronization	Determines the maximum difference (in minutes) that Kerberos will tolerate between the time on a client’s clock and the time on a server’s clock while still considering the two clocks synchronous. By default, the setting is five minutes.

For more information about these Group Policy settings, see “Account Policy Settings.”

Network Ports Used by the Kerberos V5 Protocol

Network Ports Used During Kerberos Authentication

Service Name	UDP	TCP
DNS	53	53
Kerberos	88	88