Monday, 7 May 2012

Troubleshooting Kerberos with Tools

Here are a few tools that can be used to diagnose Kerberos issues, along with a brief paragraph explaining what each tool does.

Enable Kerberos Logging for Windows XP

Microsoft Windows 2000, Windows Server 2003, and Windows Server 2008 offer the capability of tracing detailed Kerberos events through the event log mechanism. You can use this information when you troubleshoot Kerberos. This article describes how to enable Kerberos event logging.

Insight for Active Directory v1.01

ADInsight is an LDAP (Lightweight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems.

ADInsight uses DLL injection techniques to intercept calls that applications make in the Wldap32.dll library, which is the standard library underlying Active Directory APIs such as LDAP and ADSI. Unlike network monitoring tools, ADInsight intercepts and interprets all client-side APIs, including those that do not result in transmission to a server. ADInsight monitors any process into which it can load its tracing DLL, which means that it does not require administrative permissions. If run with administrative rights, however, it will also monitor system processes, including Windows services.

Process Monitor

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.


Logman creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line. Filters can be added to log Kerberos events.


This tool is used to display ticket information for a given computer running the Kerberos protocol.


Views and deletes the Kerberos tickets granted to the current logon session.


This command-line tool allows you to manage the Service Principal Names (SPN) directory property for an Active Directory™ directory service account. SPNs are used to locate a target principal name for running a service.

MIT Kerberos Client

Network Identity Manager (NetIdMgr) is a graphical tool designed to simplify the management of network identities and their credentials, which are used by network authentication protocols, while providing secure access to network services.

When NetIdMgr is used with Kerberos v5, each network identity is a unique Kerberos principal name and the credentials are Kerberos v5 tickets. Kerberos v5 tickets can be used by NetIdMgr to obtain Andrew File System (AFS) tokens and X.509 public key certificates if the appropriate plug-ins are installed.

Process Explorer

Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.

DelegConfig v1

This is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and the delegation of Kerberos credentials.

Kerberos SPN Viewer

Simplifies listing the ServicePrincipalName (SPN) and includes an integrated helper tool that helps determine which SPN should be set based on the configuration in use.



Tool to allow capturing and protocol analysis of network traffic.


Network Protocol analyzer for Windows and Unix.


This tool will compute the maximum token size and is used to test whether a system may exhibit the issue described in KB article 327825.

Troubleshooting Kerberos Problems
