JSI Tip 8177. What registry values can I use to troubleshoot Kerberos authentication in Windows Server 2003?

Jerold Schulman

June 21, 2004


NOTE: When you finished troubleshooting, remove any Value Names you added, as they can cause performance issues.

The following Value Names are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters key. They are all REG_DWORD data types, except for the StronglyEncryptDatagram Value Name, which is a REG_BOOL data type:

Value Name

Description

SkewTime

The maximum difference between client and server time permitted. The default is 5 minutes.

LogLevel

Any non-zero value logs Kerberos events in the System event log.

MaxPacketSize

The maximum UDP packet size. When exceeded, TCP/IP is used. The default is 1465 bytes.

StartupTime

How long Windows waits for the KDC to start before giving up. The default is 120 seconds.

KdcWaitTime

How long Windows waits for a response from a KDC. The default is 10 seconds.

KdcBackoffTime

Windows waits KdcBackoffTime seconds to call the KDC if the previous call failed. The default is 3 seconds.

KdcSendRetries

The number of times that a client will attempt to contact the KDC. The default is 3.

DefaultEncryptionType

The default is decimal 23 for the pre-authentication encryption type.

FarKdcTimeout

How long before a domain controller from a different site is flushed from the cache. The default is 10 minutes.

NearKdcTimeout

How long before a domain controller from the same site is flushed from the cache. The default is 30 minutes.

StronglyEncryptDatagram

Should 128-bit encryption be used for datagram packets? This REG_BOOL data type defaults to FALSE.

MaxReferralCount

The number of KDC referrals that a client pursues before giving up. The default is 6.

KerbDebugLevel

Enables debug logging. The default is 0 on a Free build and 1 on a Checked build.

MaxTokenSize

The maximum size of a Kerberos token. The default is 12,000 and Microsoft recommends that it remain less than 50,000.

SpnCacheTimeout

The lifetime of the Service Principal Names cache entries. The SPN cache is disabled on domain controllers.

S4UCacheTimeout

The lifetime of the S4U negative cache entries that restrict the number of S4U proxy requests from a computer. The default is 15 minutes.

S4UTicketLifetime

The lifetime of tickets that are obtained by S4U proxy requests. The default is 15 minutes.

RetryPdc

If true, the client will contact the PDC for AS-REQ (Authentication Service Requests) if it receives a password expired error. The default is 0, false, and any non-zero data value is true.

RequestOptions

Additional options that must be sent as KDC options in the Ticket Granting Service requests.

ClientIpAddress

Should the client IP address be added in the AS_REQ to force Caddr to contain the IP address in all tickets? The default is 0, false, because of DHCP and NAT issues. Any non-zero value is true.

TgtRenewalTime

How long before a TGT (Ticket Granting Ticket) expires Kerberos tries to renew it. The default is 600 seconds.

AllowTgtSessionKey

Should session keys be exported? The default is 0, false, for security reasons. Any non-zero value is true.

The following Value Names are located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc key. They are all REG_DWORD data types.

Value Name

Description

KdcUseClientAddresses

If 0, the default, IP addresses will NOT be added to the TGS_REP (Ticket-Granting Service Reply). Any non-zero value is true.

KdcDontCheckAddresses

Should the IP addresses in the TGS_REQ and the TGT Caddr field be checked? The default is 0, false. Any non-zero value is true.

NewConnectionTimeout

How long should an initial TCP endpoint connection be kept open to receive data? The default is 50 seconds.

MaxDatagramReplySize

The maximum TGS_REP and AS_REP UDP packet size. If exceeded, the KDC returns KRB_ERR_RESPONSE_TOO_BIG, requesting that the client switch to TCP. The default is 1465 bytes.

KdcExtraLogLevel

1 is audit SPN unknown errors. 2, the default, is log PKINIT errors. 4 is log all KDC errors.

KdcDebugLevel

Debug logging is off if 0 (Free build), on if 1 (Checked build). If set to hex 0x10000000, decimal 268435456, file or line information will be returned in the edata field of KERB_ERRORS as PKERB_EXT_ERROR errors during a KDC processing failure.
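The following PowerShell script is an added example and is not part of the original tip. It shows how to turn on the two logging values the tables above document (LogLevel under the client Parameters key, and KdcExtraLogLevel under the Kdc key, which exists only on a domain controller), snapshot what was there before, and then honour the NOTE at the top of the tip by removing the values you added or restoring the data that was already present. It assumes PowerShell is available on the host and is run elevated; the registry paths, value names and defaults come from the tip, while the function names and the snapshot format are the example's own.

```powershell
# Added example, not from the JSI tip: enable and later revert the Kerberos
# troubleshooting registry values described above. Run elevated.

$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Diagnostic values to set, keyed by registry path. Both are REG_DWORD per the tip.
$Diagnostics = @{
    $ClientKey = @{ LogLevel = 1 }          # any non-zero value logs Kerberos events to the System log
    $KdcKey    = @{ KdcExtraLogLevel = 4 }  # 4 = log all KDC errors (tip says the default is 2)
}

function Get-KerberosTroubleshootingState {
    # Snapshot the current data of every value we intend to touch, so that a
    # value that already existed can be restored instead of deleted on cleanup.
    $state = @{}
    foreach ($key in $Diagnostics.Keys) {
        if (-not (Test-Path $key)) { continue }   # Kdc key is absent on non-DCs
        $props = Get-ItemProperty -Path $key
        foreach ($name in $Diagnostics[$key].Keys) {
            $existing = $props.PSObject.Properties[$name]
            $state["$key|$name"] = if ($existing) { $existing.Value } else { $null }
        }
    }
    return $state
}

function Enable-KerberosTroubleshooting {
    # Sets the diagnostic values and returns the pre-change snapshot so that it
    # can be handed to Disable-KerberosTroubleshooting afterwards.
    $snapshot = Get-KerberosTroubleshootingState
    foreach ($key in $Diagnostics.Keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in $Diagnostics[$key].GetEnumerator()) {
            # -Force overwrites an existing value; -PropertyType DWord matches the tip's data type.
            New-ItemProperty -Path $key -Name $entry.Key -Value $entry.Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
    return $snapshot
}

function Disable-KerberosTroubleshooting {
    param([hashtable]$Snapshot)
    # Per the NOTE in the tip: values we added are removed (they can cause
    # performance issues), values that already existed get their old data back.
    foreach ($entry in $Snapshot.GetEnumerator()) {
        $key, $name = $entry.Key -split '\|', 2
        if ($null -eq $entry.Value) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        } else {
            New-ItemProperty -Path $key -Name $name -Value $entry.Value `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Usage:
#   $before = Enable-KerberosTroubleshooting
#   # reproduce the authentication failure, then inspect the System log
#   # (event source name 'Kerberos' is an assumption for this OS generation)
#   Get-EventLog -LogName System -Source Kerberos -Newest 20
#   Disable-KerberosTroubleshooting -Snapshot $before
```

Keeping the snapshot in a variable rather than relying on memory is the point of the example: the tip warns that leftover troubleshooting values hurt performance, and a snapshot-and-restore pair makes the cleanup mechanical instead of something to remember after the incident is closed.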
