Kerberos Troubleshooting Tools

Posted: August 1, 2011 in Active Directory, Security, Server 2008, System Information
Tags: , , ,

Windows Server 2008 provides several tools that can be used when troubleshooting Kerberos Authentication

 

Klist.exe: Kerberos List: This tool is installed on Windows Server 2008 domain controllers and is available for download as part of the Windows Server 2003 Resource Kit tools.

 

Kerberos List is a command-line tool that is used to view and delete Kerberos tickets granted to the current logon session. To use Kerberos List to view tickets, you must run the tool on a computer that is a member of a Kerberos realm.

 

Kerbtray.exe: Kerberos Tray: Kerberos Tray is available for download as part of the Windows Server 2003 Resource Kit tools.

 

Kerberos Tray is a graphical user interface tool that displays ticket information for a computer running Microsoft’s implementation of the Kerberos version 5 authentication protocols. You can view and purge the ticket cache by using the Kerberos Tray tool icon located in the notification area of the desktop. By positioning the cursor over the icon, you can view the time left until the initial TGT expires. The icon also changes in the hour before the Local Security Authority (LSA) renews the ticket.

 

Tokensz.exe: Kerberos Token Size: Kerberos Token Size is available for download from the Microsoft download center.

 

You can use Kerberos Token Size to verify if the source of the Kerberos errors stems from a maximum token size issue. The tool will simulate an authentication request and report the size of the resulting Kerberos token. The tool will also report the maximum supported size for the token.

 

Setspn.exe: The Setspn utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.

 

The Setspn utility allows you to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account. Because SPNs are security-sensitive, you can only set SPNs for service accounts if you have domain administrator privileges.

 

Ksetup.exe: The Ksetup utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.

 

The Ksetup utility configures a client connected to a server running Windows Server 2008 to use a server running Kerberos V5. The client then uses a Kerberos V5 realm instead of a Windows Server 2008 domain.

 

Ktpass.exe: The Ktpass utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.

 

The Ktpass utility is used to configure a non–Windows Server Kerberos service as a security principal in the Windows Server 2008 AD DS.

 

W32tm.exe: Windows Time: This tool is included in Microsoft Windows server and client operating systems.

 

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service.

Advertisements
Comments
  1. Jolin says:

    Thank you for the article. I almost passed your site up in Bing but now I’m glad I decided to stop and got to browse through it. I’m definitely more informed now. I’ll be sharing your site with some other people I know.

  2. […] are sent from the client are matched against the encrypted credentials on the domain controller. A Kerberos service, the Key Distribution Center (KDC), resides on each domain controller and stores the […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s