15.5. Enabling Kerberos Logging


You want to enable Kerberos logging on a domain controller to troubleshoot authentication problems.


Using a graphical user interface

  1. Run regedit.exe from the command line or Start → Run.

  2. In the left pane, expand HKEY_LOCAL_MACHINE → System → CurrentControlSet → Control → Lsa → Kerberos → Parameters.

  3. If the LogLevel value doesn’t already exist, right-click on Parameters and select New → DWORD value. Enter LogLevel for the value name and click OK.

  4. In the right pane, double-click on LogLevel and enter 1.

  5. Click OK.

Using a command-line interface

> reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v "LogLevel" /t REG_DWORD /d 1

Using VBScript

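' This code enables Kerberos logging for the specified domain controller
strDC = "<DomainControllerName>"  ' e.g. dc01
' ------ END CONFIGURATION ---------

const HKLM = &H80000002
strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
' Connect to the WMI registry provider on the target domain controller
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
' SetDWORDValue returns 0 on success and a nonzero error code otherwise
intRC = objReg.SetDWORDValue(HKLM, strRegKey, "LogLevel", 1)
if intRC = 0 then
   WScript.Echo "Enabled Kerberos logging for " & strDC
else
   WScript.Echo "Failed to set LogLevel on " & strDC & ", return code " & intRC
end if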


If you are experiencing authentication problems or would like to determine whether you are experiencing any Kerberos-related issues, enabling Kerberos logging will cause Kerberos errors to be logged in the System event log. The Kerberos events can point out if the problem is related to clock skew, an expired ticket, ...
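
A PowerShell version of the same change that also reads the resulting Kerberos events back from the System event log and then turns logging off again; it is an added example, not code from the book. The function names are hypothetical, and the provider name Microsoft-Windows-Security-Kerberos is an assumption that holds for current Windows Server releases.

```powershell
# Added example. Function names and $MaxEvents are illustrative.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-KerberosLogLevel {
    param([ValidateSet(0, 1)][int]$Level = 1)
    # Create the Parameters key if it is missing, then write the DWORD value.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    New-ItemProperty -Path $KerbParams -Name LogLevel -PropertyType DWord `
        -Value $Level -Force | Out-Null
    # Read the value back so a silent failure is not mistaken for success.
    $actual = (Get-ItemProperty -Path $KerbParams -Name LogLevel).LogLevel
    if ($actual -ne $Level) { throw "LogLevel is $actual, expected $Level" }
    $actual
}

function Get-KerberosErrorEvent {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 50
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'  # assumed provider name
        StartTime    = $Since
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Run from an elevated prompt on the domain controller.
$start = Get-Date
Set-KerberosLogLevel -Level 1 | Out-Null
Read-Host 'Reproduce the failing logon, then press Enter' | Out-Null
Get-KerberosErrorEvent -Since $start | Format-List
# Turn logging back off so routine Kerberos errors stop filling the System log.
Set-KerberosLogLevel -Level 0 | Out-Null
```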
