SUMMARY
This article contains information about registry entries that relate to the Kerberos version 5 authentication protocol in Microsoft Windows Server 2003.

INTRODUCTION
Kerberos is an authentication mechanism that is used to verify user or host identity. Kerberos is the preferred authentication method for services in Windows Server 2003.
If you are running Windows Server 2003, you can modify Kerberos parameters to help troubleshoot Kerberos authentication issues or to test the Kerberos protocol. To do this, add or modify the registry entries that are listed in the "More Information" section.
MORE INFORMATION
Important
This section, method, or task contains steps that tell you how to
modify the registry. However, serious problems might occur if you
modify the registry incorrectly. Therefore, make sure that you follow
these steps carefully. For added protection, back up the registry
before you modify it. Then, you can restore the registry if a problem
occurs. For more information about how to back up and restore the
registry, click the following article number to view the article in the
Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
 
Note After you finish troubleshooting or testing the Kerberos protocol, remove any registry entries that you add. Otherwise, performance of your computer may be affected.
Registry entries and values under the Parameters key 
The registry entries that are listed in this section must be added
to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note If the Parameters key is not listed under Kerberos, you must
create the key.
    
        
• Entry: SkewTime
  Type: REG_DWORD
  Default Value: 5 (minutes)

  This value is the maximum time difference that is permitted between the client computer and the server that accepts Kerberos authentication. In Windows 2000 checked build version, the default SkewTime value is 2 hours.

  Note A checked build version of the Windows operating system is used in production and testing environments. (A checked build is also known as a debug version.) A checked build has many compiler optimizations turned off. This kind of build helps trace the cause of problems in system software. A checked build turns on many debugging checks in the operating system code and in the system drivers. These debugging checks help the checked build identify internal inconsistencies as soon as they occur. A checked build is larger and is slower to run than an end-user version of Windows.

  An end-user version of Windows is also known as a free build version or a retail-build version. In a free build version, debugging information is removed, and Windows is built with full compiler optimizations. A free build version is faster and uses less memory than a checked build version.
        
• Entry: LogLevel
  Type: REG_DWORD
  Default Value: 0

  This value indicates whether events are logged in the system event log. If this value is set to any non-zero value, all Kerberos-related events are logged in the system event log.

• Entry: MaxPacketSize
  Type: REG_DWORD
  Default Value: 1465 (bytes)

  This value is the maximum User Datagram Protocol (UDP) packet size. If the packet size exceeds this value, TCP is used.

• Entry: StartupTime
  Type: REG_DWORD
  Default Value: 120 (seconds)

  This value is the time that Windows waits for the Key Distribution Center (KDC) to start before Windows gives up.

• Entry: KdcWaitTime
  Type: REG_DWORD
  Default Value: 10 (seconds)

  This value is the time Windows waits for a response from a KDC.

• Entry: KdcBackoffTime
  Type: REG_DWORD
  Default Value: 10 (seconds)

  This value is the time between successive calls to the KDC if the previous call failed.

• Entry: KdcSendRetries
  Type: REG_DWORD
  Default Value: 3

  This value is the number of times that a client will try to contact a KDC.

• Entry: DefaultEncryptionType
  Type: REG_DWORD
  Default Value: 23 (decimal) or 0x17 (hexadecimal)

  This value indicates the default encryption type for pre-authentication.

• Entry: FarKdcTimeout
  Type: REG_DWORD
  Default Value: 10 (minutes)

  This is the time-out value that is used to invalidate a domain controller from a different site in the domain controller cache.

• Entry: NearKdcTimeout
  Type: REG_DWORD
  Default Value: 30 (minutes)

  This is the time-out value that is used to invalidate a domain controller in the same site in the domain controller cache.

• Entry: StronglyEncryptDatagram
  Type: REG_BOOL
  Default Value: FALSE

  This value contains a flag that indicates whether to use 128-bit encryption for datagram packets.

• Entry: MaxReferralCount
  Type: REG_DWORD
  Default Value: 6

  This value is the number of KDC referrals that a client pursues before the client gives up.

• Entry: KerbDebugLevel
  Type: REG_DWORD
  Default Value: 0xFFFFFFFF

  This value is a set of flags that indicate the type and the level of logging that is requested. Component-level Kerberos logging is selected by bitwise OR-ing one or more of the macros that are described in the following table.

                
                    
  | Macro Name | Value | Note |
  | DEB_ERROR | 0x00000001 | This is the default InfoLevel for checked builds. This produces error messages across components. |
  | DEB_WARN | 0x00000002 | This macro generates warning messages across components. In some cases, these messages can be ignored. |
  | DEB_TRACE | 0x00000004 | This macro enables general tracing events. |
  | DEB_TRACE_API | 0x00000008 | This macro enables user API tracing events that are usually logged on entry and on exit to an externally exported function that is implemented through SSPI. |
  | DEB_TRACE_CRED | 0x00000010 | This macro enables credentials tracing. |
  | DEB_TRACE_CTXT | 0x00000020 | This macro enables context tracing. |
  | DEB_TRACE_LSESS | 0x00000040 | This macro enables logon session tracing. |
  | DEB_TRACE_TCACHE | 0x00000080 | Not implemented |
  | DEB_TRACE_LOGON | 0x00000100 | This macro enables logon tracing such as in LsaApLogonUserEx2(). |
  | DEB_TRACE_KDC | 0x00000200 | This macro enables tracing before and after calls to KerbMakeKdcCall(). |
  | DEB_TRACE_CTXT2 | 0x00000400 | This macro enables additional context tracing. |
  | DEB_TRACE_TIME | 0x00000800 | This macro enables the time skew tracing that is found in Timesync.cxx. |
  | DEB_TRACE_USER | 0x00001000 | This macro enables user API tracing that is used together with DEB_TRACE_API and that is found mostly in Userapi.cxx. |
  | DEB_TRACE_LEAKS | 0x00002000 | |
  | DEB_TRACE_SOCK | 0x00004000 | This macro enables Winsock-related events. |
  | DEB_TRACE_SPN_CACHE | 0x00008000 | This macro enables events that are related to SPN cache hits and misses. |
  | DEB_S4U_ERROR | 0x00010000 | Not implemented |
  | DEB_TRACE_S4U | 0x00020000 | |
  | DEB_TRACE_BND_CACHE | 0x00040000 | |
  | DEB_TRACE_LOOPBACK | 0x00080000 | |
  | DEB_TRACE_TKT_RENEWAL | 0x00100000 | |
  | DEB_TRACE_U2U | 0x00200000 | |
  | DEB_TRACE_LOCKS | 0x01000000 | |
  | DEB_USE_LOG_FILE | 0x02000000 | Not implemented |
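The following PowerShell, added here and not part of the KB article, composes a KerbDebugLevel mask from the macro names in the table and decodes a mask back into names; the macro values are copied from the table, and the function names are my own.

```powershell
# Added example (not from the KB article): compose and decode KerbDebugLevel masks
# using the macro values from the table above. Function names are mine.
$KerbDebugFlags = [ordered]@{
    DEB_ERROR             = 0x00000001;  DEB_WARN            = 0x00000002
    DEB_TRACE             = 0x00000004;  DEB_TRACE_API       = 0x00000008
    DEB_TRACE_CRED        = 0x00000010;  DEB_TRACE_CTXT      = 0x00000020
    DEB_TRACE_LSESS       = 0x00000040;  DEB_TRACE_TCACHE    = 0x00000080
    DEB_TRACE_LOGON       = 0x00000100;  DEB_TRACE_KDC       = 0x00000200
    DEB_TRACE_CTXT2       = 0x00000400;  DEB_TRACE_TIME      = 0x00000800
    DEB_TRACE_USER        = 0x00001000;  DEB_TRACE_LEAKS     = 0x00002000
    DEB_TRACE_SOCK        = 0x00004000;  DEB_TRACE_SPN_CACHE = 0x00008000
    DEB_S4U_ERROR         = 0x00010000;  DEB_TRACE_S4U       = 0x00020000
    DEB_TRACE_BND_CACHE   = 0x00040000;  DEB_TRACE_LOOPBACK  = 0x00080000
    DEB_TRACE_TKT_RENEWAL = 0x00100000;  DEB_TRACE_U2U       = 0x00200000
    DEB_TRACE_LOCKS       = 0x01000000;  DEB_USE_LOG_FILE    = 0x02000000
}

function New-KerbDebugLevel {
    # Bitwise-OR the named macros into one REG_DWORD value; unknown names are rejected.
    param([string[]]$Macros)
    $mask = 0
    foreach ($m in $Macros) {
        if (-not $KerbDebugFlags.Contains($m)) { throw "Unknown KerbDebugLevel macro: $m" }
        $mask = $mask -bor $KerbDebugFlags[$m]
    }
    return [uint32]$mask
}

function Expand-KerbDebugLevel {
    # Split a mask into macro names and report any bits that no documented macro
    # covers (the table assigns nothing to 0x00400000, 0x00800000 or bits above 0x02000000).
    param([uint32]$Value)
    $names = foreach ($k in $KerbDebugFlags.Keys) {
        if (($Value -band $KerbDebugFlags[$k]) -ne 0) { $k }
    }
    $known = 0
    foreach ($v in $KerbDebugFlags.Values) { $known = $known -bor $v }
    [pscustomobject]@{
        Value            = '0x{0:X8}' -f $Value
        Macros           = @($names)
        UndocumentedBits = '0x{0:X8}' -f ($Value -band (-bnot $known))
    }
}

# A narrow troubleshooting mask: errors, warnings and KDC call tracing.
New-KerbDebugLevel -Macros DEB_ERROR, DEB_WARN, DEB_TRACE_KDC
# The documented default of 0xFFFFFFFF sets every bit, including the undocumented ones.
Expand-KerbDebugLevel -Value ([uint32]::MaxValue)
```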
        
• Entry: MaxTokenSize
  Type: REG_DWORD
  Default Value: 12000 (decimal)

  This value is the maximum value of the Kerberos token. Microsoft recommends that you set this value to less than 65535.

• Entry: SpnCacheTimeout
  Type: REG_DWORD
  Default Value: 15 minutes

  This value is the lifetime of the Service Principal Names (SPN) cache entries. On domain controllers, the SPN cache is disabled.

• Entry: S4UCacheTimeout
  Type: REG_DWORD
  Default Value: 15 minutes

  This value is the lifetime of the S4U negative cache entries that are used to restrict the number of S4U proxy requests from a particular computer.

• Entry: S4UTicketLifetime
  Type: REG_DWORD
  Default Value: 15 minutes

  This value is the lifetime of tickets that are obtained by S4U proxy requests.

• Entry: RetryPdc
  Type: REG_DWORD
  Default Value: 0 (false)
  Possible values: 0 (false) or any non-zero value (true)

  This value indicates whether the client will contact the primary domain controller for Authentication Service Requests (AS_REQ) if the client receives a password expiration error.

• Entry: RequestOptions
  Type: REG_DWORD
  Default Value: Any RFC 1510 value

  This value indicates whether there are additional options that must be sent as KDC options in Ticket Granting Service requests (TGS_REQ).

• Entry: ClientIpAddress
  Type: REG_DWORD
  Default Value: 0 (This setting is 0 because of Dynamic Host Configuration Protocol and network address translation issues.)
  Possible values: 0 (false) or any non-zero value (true)

  This value indicates whether a client IP address will be added in AS_REQ to force the Caddr field to contain IP addresses in all tickets.

• Entry: TgtRenewalTime
  Type: REG_DWORD
  Default Value: 600 seconds

  This value is the time that Kerberos waits before it tries to renew a Ticket Granting Ticket (TGT) before the ticket expires.

• Entry: AllowTgtSessionKey
  Type: REG_DWORD
  Default Value: 0
  Possible values: 0 (false) or any non-zero value (true)

  This value indicates whether session keys are exported with initial or with cross realm TGT authentication. The default value is false for security reasons.
    
Registry entries and values under the Kdc key 
The registry entries that are listed in this section must be added
to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Note If the Kdc key is not listed under Services, you must create the
key.
    
        
• Entry: KdcUseClientAddresses
  Type: REG_DWORD
  Default Value: 0
  Possible values: 0 (false) or any non-zero value (true)

  This value indicates whether IP addresses will be added in the Ticket-Granting Service Reply (TGS_REP).

• Entry: KdcDontCheckAddresses
  Type: REG_DWORD
  Default Value: 1
  Possible values: 0 (false) or any non-zero value (true)

  This value indicates whether IP addresses for the TGS_REQ and the TGT Caddr field will be checked.

• Entry: NewConnectionTimeout
  Type: REG_DWORD
  Default Value: 50 (seconds)

  This value is the time that an initial TCP endpoint connection will be kept open to receive data before it disconnects.

• Entry: MaxDatagramReplySize
  Type: REG_DWORD
  Default Value: 1465 (decimal, bytes)

  This value is the maximum UDP packet size in TGS_REP and Authentication Service Replies (AS_REP) messages. If the packet size exceeds this value, the KDC returns a KRB_ERR_RESPONSE_TOO_BIG message that requests that the client switch to TCP.

• Entry: KdcExtraLogLevel
  Type: REG_DWORD
  Default Value: 2

  This value indicates what information the KDC will write to event logs and to audits.

  Possible values:
  • 1 (decimal) or 0x1 (hexadecimal): Audit SPN unknown errors.
  • 2 (decimal) or 0x2 (hexadecimal): Log PKINIT errors. (PKINIT is an Internet Engineering Task Force (IETF) Internet draft for "Public Key Cryptography for Initial Authentication in Kerberos.")
  • 4 (decimal) or 0x4 (hexadecimal): Log all KDC errors.

• Entry: KdcDebugLevel
  Type: REG_DWORD
  Default Value: 1 for checked build, 0 for free build

  This value indicates whether debug logging is on (1) or off (0).

  If the value is set to 0x10000000 (hexadecimal) or 268435456 (decimal), specific file or line information will be returned in the edata field of KERB_ERRORS as PKERB_EXT_ERROR errors during a KDC processing failure.
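A PowerShell check, added here and not part of the KB article, that covers both the Parameters key and the Kdc key sections: it lists which of the documented entries exist under the two keys and whether each still holds the default the article gives, which is what you want to know when cleaning up after troubleshooting. It leaves out the entries whose default is not a single number (StronglyEncryptDatagram, KerbDebugLevel, RequestOptions, KdcDebugLevel); the function name and output fields are my own.

```powershell
# Added example (not from the KB article): report which of the documented entries are
# present under the Parameters and Kdc keys and whether each still holds the article's
# default. Defaults are transcribed from the article; the script itself is mine.
$Documented = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' = @{
        SkewTime = 5; LogLevel = 0; MaxPacketSize = 1465; StartupTime = 120
        KdcWaitTime = 10; KdcBackoffTime = 10; KdcSendRetries = 3
        DefaultEncryptionType = 23; FarKdcTimeout = 10; NearKdcTimeout = 30
        MaxReferralCount = 6; MaxTokenSize = 12000; SpnCacheTimeout = 15
        S4UCacheTimeout = 15; S4UTicketLifetime = 15; RetryPdc = 0
        ClientIpAddress = 0; TgtRenewalTime = 600; AllowTgtSessionKey = 0
    }
    'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' = @{
        KdcUseClientAddresses = 0; KdcDontCheckAddresses = 1
        NewConnectionTimeout = 50; MaxDatagramReplySize = 1465; KdcExtraLogLevel = 2
    }
}

function Get-KerberosRegistryDrift {
    # One record per documented entry that exists; entries that were never added are
    # skipped, as is a key that was never created (the article says both may be absent).
    foreach ($path in $Documented.Keys) {
        if (-not (Test-Path -Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $Documented[$path].Keys) {
            if ($key.GetValueNames() -notcontains $name) { continue }
            $current = $key.GetValue($name)
            [pscustomobject]@{
                Key       = $path.Split('\')[-1]
                Entry     = $name
                Kind      = $key.GetValueKind($name)
                Current   = $current
                Default   = $Documented[$path][$name]
                IsDefault = ($current -eq $Documented[$path][$name])
            }
        }
    }
}

# Anything listed here was added by hand; the article says to remove troubleshooting
# entries afterwards, and AllowTgtSessionKey is 0 by default for security reasons.
Get-KerberosRegistryDrift | Sort-Object IsDefault, Key, Entry | Format-Table -AutoSize
```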
 
Source: http://support.microsoft.com/?scid=kb%3Ben-us%3B837361&x=11&y=18