This article contains information about registry entries that relate to the Kerberos version 5 authentication protocol in Microsoft Windows Server 2003.
Kerberos is an authentication mechanism that is used to verify user or host identity. Kerberos is the preferred authentication method for services in Windows Server 2003.
If you are running Windows Server 2003, you can modify Kerberos parameters to help troubleshoot Kerberos authentication issues or to test the Kerberos protocol. To do this, add or modify the registry entries that are listed in the "More Information" section.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Note After you finish troubleshooting or testing the Kerberos protocol, remove any registry entries that you add. Otherwise, performance of your computer may be affected.
Registry entries and values under the Parameters key
The registry entries that are listed in this section must be added to the following registry subkey:
Entry: SkewTime Type: REG_DWORD
This value is the maximum time difference that is permitted between the client computer and the server that accepts Kerberos authentication. In the Windows 2000 checked build version, the default SkewTime value is 2 hours.
Note A checked build version of the Windows operating system is used in production and testing environments. (A checked build is also known as a debug version.) A checked build has many compiler optimizations turned off. This kind of build helps trace the cause of problems in system software. A checked build turns on many debugging checks in the operating system code and in the system drivers. These debugging checks help the checked build identify internal inconsistencies as soon as they occur. A checked build is larger and is slower to run than an end-user version of Windows.
An end-user version of Windows is also known as a free build version or a retail-build version. In a free build version, debugging information is removed, and Windows is built with full compiler optimizations. A free build version is faster and uses less memory than a checked build version.
Entry: LogLevel Type: REG_DWORD Default Value: 0
This value indicates whether events are logged in the system event log. If this value is set to any non-zero value, all Kerberos-related events are logged in the system event log.
This value is a set of flags that indicate the type and the level of logging that is requested. Logging can be collected at the Kerberos component level by combining, with a bitwise OR, one or more of the macros that are described in the following table.
This macro is the default InfoLevel for checked builds. It produces error messages across components.
This macro generates warning messages across components. In some cases, these messages can be ignored.
This macro enables general tracing events.
This macro enables user API tracing events that are usually logged on entry and on exit to an externally exported function that is implemented through SSPI.
This macro enables credentials tracing.
This macro enables context tracing.
This macro enables logon session tracing.
This macro enables logon tracing such as in LsaApLogonUserEx2().
This macro enables tracing before and after calls to KerbMakeKdcCall().
This macro enables additional context tracing.
This macro enables the time skew tracing that is found in Timesync.cxx.
This macro enables user API tracing that is used together with DEB_TRACE_API and that is found mostly in Userapi.cxx.
This macro enables Winsock-related events.
This macro enables events that are related to SPN cache hits and misses.
This value is the lifetime of tickets that are obtained by S4U proxy requests.
Entry: RetryPdc Type: REG_DWORD Default Value: 0 (false) Possible values: 0 (false) or any non-zero value (true)
This value indicates whether the client will contact the primary domain controller for Authentication Service Requests (AS_REQ) if the client receives a password expiration error.
Entry: RequestOptions Type: REG_DWORD Default Value: Any RFC 1510 value
This value indicates whether there are additional options that must be sent as KDC options in Ticket Granting Service requests (TGS_REQ).
Entry: ClientIpAddress Type: REG_DWORD Default Value: 0 (This setting is 0 because of Dynamic Host Configuration Protocol and network address translation issues.) Possible values: 0 (false) or any non-zero value (true)
This value indicates whether a client IP address will be added in AS_REQ to force the Caddr field to contain IP addresses in all tickets.
Entry: MaxDatagramReplySize Type: REG_DWORD
This value is the maximum UDP packet size in TGS_REP and Authentication Service Reply (AS_REP) messages. If the packet size exceeds this value, the KDC returns a KRB_ERR_RESPONSE_TOO_BIG message that requests that the client switch to TCP.
Note Increasing MaxDatagramReplySize may increase the likelihood of Kerberos UDP packets being fragmented.
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
244474 How to force Kerberos to use TCP instead of UDP in Windows
Entry: KdcExtraLogLevel Type: REG_DWORD Default Value: 2 Possible values:
1 (decimal) or 0x1 (hexadecimal): Audit SPN unknown errors.
2 (decimal) or 0x2 (hexadecimal): Log PKINIT errors. (PKINIT is an Internet Engineering Task Force (IETF) Internet draft for "Public Key Cryptography for Initial Authentication in Kerberos.")
4 (decimal) or 0x4 (hexadecimal): Log all KDC errors.
8 (decimal) or 0x8 (hexadecimal): Log KDC warning event 25 in the system log when a user who asks for an S4U2Self ticket does not have sufficient access to the target user.
16 (decimal) or 0x10 (hexadecimal): Log audit events on encryption type (ETYPE) and bad options errors.
This value indicates what information the KDC will write to event logs and to audits.
Entry: KdcDebugLevel Type: REG_DWORD Default Value: 1 for checked build, 0 for free build
This value indicates whether debug logging is on (1) or off (0).
If the value is set to 0x10000000 (hexadecimal) or 268435456 (decimal), specific file or line information will be returned in the edata field of KERB_ERRORS as PKERB_EXT_ERROR errors during a KDC processing failure.
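The KdcExtraLogLevel and KdcDebugLevel entries above are plain DWORD bit masks, so a value such as 6 means "PKINIT errors" plus "all KDC errors", and the extended-error behaviour of KdcDebugLevel depends on a single bit. The following Python helper is an added example that is not part of the Microsoft article: it decodes and composes KdcExtraLogLevel values using only the five flags the article lists, warns about bits the article does not document, tests the 0x10000000 KdcDebugLevel bit, and renders the result as a .reg fragment for review before it is imported. The registry subkey path is deliberately a placeholder argument (the article names the key; this code does not assume its full path), and the sample values are constructed.

```python
from __future__ import annotations

# Flags for KdcExtraLogLevel exactly as the article lists them (bit -> meaning).
KDC_EXTRA_LOG_FLAGS = {
    0x1: "Audit SPN unknown errors",
    0x2: "Log PKINIT errors",
    0x4: "Log all KDC errors",
    0x8: "Log KDC warning event 25 (S4U2Self requester lacks access to target user)",
    0x10: "Log audit events on ETYPE and bad-options errors",
}
KDC_EXTRA_LOG_DEFAULT = 0x2                      # default stated in the article
KDC_EXTRA_LOG_KNOWN_MASK = sum(KDC_EXTRA_LOG_FLAGS)

# KdcDebugLevel bit that makes the KDC return file/line data in KERB_ERROR edata.
KDC_DEBUG_EXT_ERROR_BIT = 0x10000000             # 268435456 decimal


def decode_kdc_extra_log_level(value: int) -> list[str]:
    """Return the description of every documented flag set in `value`, low bit first."""
    return [desc for bit, desc in sorted(KDC_EXTRA_LOG_FLAGS.items()) if value & bit]


def encode_kdc_extra_log_level(*bits: int) -> int:
    """Combine documented flag bits with bitwise OR; reject anything undocumented."""
    value = 0
    for bit in bits:
        if bit not in KDC_EXTRA_LOG_FLAGS:
            raise ValueError(f"0x{bit:x} is not a documented KdcExtraLogLevel flag")
        value |= bit
    return value


def undocumented_bits(value: int) -> int:
    """Bits in `value` that the article does not define (0 if none)."""
    return value & ~KDC_EXTRA_LOG_KNOWN_MASK


def kdc_debug_level_returns_ext_errors(value: int) -> bool:
    """True if KdcDebugLevel has the 0x10000000 bit that adds file/line info to KERB_ERROR."""
    return bool(value & KDC_DEBUG_EXT_ERROR_BIT)


def render_reg_fragment(key_path: str, entries: dict[str, int]) -> str:
    """Render REG_DWORD entries in .reg syntax (8 hex digits) under `key_path`.

    key_path is supplied by the caller; the placeholder default in the usage below
    must be replaced with the subkey named in the article before the file is imported.
    """
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key_path}]"]
    for name, value in entries.items():
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"{name}: {value} does not fit in a REG_DWORD")
        lines.append(f'"{name}"=dword:{value:08x}')
    return "\n".join(lines) + "\n"


def review_kdc_settings(extra_log_level: int, debug_level: int) -> list[str]:
    """Produce human-readable review lines for a proposed pair of KDC values."""
    notes = [f"KdcExtraLogLevel=0x{extra_log_level:x}: " + ("; ".join(
        decode_kdc_extra_log_level(extra_log_level)) or "nothing extra logged")]
    stray = undocumented_bits(extra_log_level)
    if stray:
        notes.append(f"warning: undocumented bits 0x{stray:x} set in KdcExtraLogLevel")
    if extra_log_level == KDC_EXTRA_LOG_DEFAULT:
        notes.append("KdcExtraLogLevel is at the documented default (2)")
    notes.append("KdcDebugLevel returns file/line in KERB_ERROR edata: "
                 + str(kdc_debug_level_returns_ext_errors(debug_level)))
    return notes


if __name__ == "__main__":
    # Constructed troubleshooting profile: PKINIT errors + all KDC errors + ETYPE audits.
    proposed = encode_kdc_extra_log_level(0x2, 0x4, 0x10)
    for line in review_kdc_settings(proposed, KDC_DEBUG_EXT_ERROR_BIT):
        print(line)
    print(render_reg_fragment(r"HKEY_LOCAL_MACHINE\<KDC subkey from the article>",
                              {"KdcExtraLogLevel": proposed,
                               "KdcDebugLevel": KDC_DEBUG_EXT_ERROR_BIT}))
```

The review step is the useful part: a value with stray bits (for example 0x26) decodes to the same documented flags as 0x6 but is flagged, so a typo in the DWORD is caught before it is imported, and the same functions can be run over exported values when the temporary entries are removed again after troubleshooting.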