How can I ensure that Kerberos is working?

Troubleshooting Kerberos can be difficult; Windows pretty much does everything behind the scenes, and doesn't give an administrator a terrific amount of control over what Kerberos is doing. There are, however, some steps you can take to see what Kerberos is up to.

You'll rely heavily on utilities included with the Windows resource kits, such as the Microsoft Windows 2000 Server Resource Kit. If you don't have these kits, you'll need to obtain a copy in order to follow along. Some of the utilities can be downloaded for free from Microsoft's Web site.

Checking for the TGT

After logging on to a workstation, first ensure that the computer obtained a ticket-granting ticket (TGT) from a Key Distribution Center (KDC—domain controller). I prefer to use KerbTray to check this.

You can download KerbTray for free from http://www.Microsoft.com/windows2000/techinfo/reskit/tools/existing/kerbtray-o.asp.

After downloading and running KerbTray, you'll notice an additional icon in the system tray of the taskbar. Simply double-click the icon to see your computer's existing tickets, including the TGT. If the window appears empty, as Figure 12.1 shows, your computer isn't authenticating to an Active Directory (AD) domain (and might not, in fact, even be a member of a domain).

Figure 12.1: KerbTray won't display credentials if your computer isn't logged on to an AD domain.

Managing Tickets

Microsoft also provides a command-line utility, Klist.exe, in the resource kit (and as a download from http://www.Microsoft.com/windows2000/techinfo/reskit/tools/existing/klist-o.asp). You can use Klist not only to view tickets and your TGT (which KerbTray displays), but also to delete tickets.

If you delete tickets, especially the TGT, you might not be able to authenticate to network resources until you log off and back on again.

Use Klist as follows:

  • klist tgt—Displays information about the TGT in your system, including the domain that issued the TGT and how long it's good for. A system without a TGT can't access domain resources.
  • klist tickets—Displays all cached tickets, including which server each ticket is for and how long each ticket is good. If you've been unsuccessfully attempting to access a particular resource and don't have a ticket for it, then you've found the problem.

When you check a TGT, you're looking for a few specific pieces of information in Klist's output:

  • DomainName—The domain name should match the domain name that you logged on to.
  • KeyExpirationTime—This time should be some date and time in the future.
  • StartTime—This time should be some date and time in the past, even if it's the recent past.
  • EndTime—Again a date and time in the future.
  • TimeSkew—This date and time should be in the future, and should be greater than the EndTime.

If any of these values look wrong, then the KDC service on the domain controller that authenticated you might be having problems. Check the domain controller's event logs for error messages that provide additional clues.

Similarly, when checking a ticket, you're looking for:

  • Server—This server should be the fully-qualified name of the resource you're trying to access.
  • EndTime—Should be in the future by at least an hour or so.

If the EndTime value in particular is off, try deleting the ticket and letting Windows acquire a new one from the KDC.

Troubleshooting Steps

Having trouble accessing resources in the domain? Try these steps to narrow the problem:

  1. Run Klist tgt to check your TGT. If your TGT is expired or not present, log off and back on again, then repeat the check. If that doesn't fix it, your computer either isn't in the domain or its domain credentials need to be reset. See How-To: How to Reset a Computer's Domain Account for corrective steps.
  2. Run Klist tickets to see if you have a ticket for the resource you're trying to access. If you don't, try to access another resource. If that works, then the resource giving you problems might not be in the domain. If you can't access any resources, but have a TGT, then the KDC service on the domain controller that issued your TGT might have failed. Check the service on the domain controller, then log off and back on again.
  3. If you have a valid TGT and a valid ticket, use Klist purge to delete the ticket associated with the resource you're having problems with. Then try to access the resource again. Windows should obtain a new ticket from the KDC; if it doesn't, refer back to step 2. If you do get a new ticket (verify with Klist tickets) but still can't access the resource, you need to check the resource server for problems, such as a failure in the NetLogon service or an out-of-sync domain computer account.
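The following is an added example, not code from the book or from Microsoft's tools: a small Python script that applies the TGT and ticket checks listed under Managing Tickets to captured klist output and maps the outcome onto the three troubleshooting steps above. The "Field: value" layout, the "service/host@REALM" form of the Server field, the date format, and the sample output are all constructed assumptions about what klist prints; on a real workstation you would paste in the text from klist tgt and klist tickets.

```python
# Added example: check klist output against the rules given in the text.
from datetime import datetime, timedelta

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumed layout of klist's date/time values

# Constructed sample output (not captured from a real system).
SAMPLE_TGT = """\
Cached TGT:

DomainName: CORP.EXAMPLE
KeyExpirationTime: 7/1/2030 8:00:00
StartTime: 6/30/2030 7:55:00
EndTime: 6/30/2030 17:55:00
TimeSkew: 6/30/2030 18:00:00
"""

SAMPLE_TICKETS = """\
Cached Tickets: (2)

   Server: cifs/fs01.corp.example@CORP.EXAMPLE
      EndTime: 6/30/2030 17:55:00

   Server: ldap/dc01.corp.example@CORP.EXAMPLE
      EndTime: 6/30/2030 9:30:00
"""

NOW = datetime(2030, 6, 30, 9, 0, 0)  # fixed "current time" for the sample


def parse_klist(text):
    """Split klist output into records: one dict per blank-line-separated block."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep and value.strip():              # "Cached TGT:" carries no value
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_time(value):
    try:
        return datetime.strptime(value, TIME_FMT)
    except ValueError:
        return None


def check_tgt(tgt, logon_domain, now):
    """Return the TGT problems the text tells you to look for (empty = healthy)."""
    problems = []
    if tgt.get("DomainName", "").upper() != logon_domain.upper():
        problems.append("DomainName does not match the logon domain")
    t = {n: parse_time(tgt.get(n, "")) for n in
         ("KeyExpirationTime", "StartTime", "EndTime", "TimeSkew")}
    for name, value in t.items():
        if value is None:
            problems.append(f"{name} missing or unreadable")
    if t["KeyExpirationTime"] is not None and t["KeyExpirationTime"] <= now:
        problems.append("KeyExpirationTime is not in the future")
    if t["StartTime"] is not None and t["StartTime"] > now:
        problems.append("StartTime is in the future")
    if t["EndTime"] is not None and t["EndTime"] <= now:
        problems.append("EndTime has passed (TGT expired)")
    if t["TimeSkew"] is not None and (t["TimeSkew"] <= now or
                                      (t["EndTime"] is not None and t["TimeSkew"] <= t["EndTime"])):
        problems.append("TimeSkew is not later than now and EndTime")  # rule as stated in the text
    return problems


def ticket_host(server):
    """Host part of an assumed 'service/host@REALM' Server value."""
    return server.split("/", 1)[-1].split("@", 1)[0].lower()


def check_ticket(ticket, resource_fqdn, now):
    """Return the ticket problems the text tells you to look for (empty = healthy)."""
    problems = []
    if ticket_host(ticket.get("Server", "")) != resource_fqdn.lower():
        problems.append("Server is not the resource's fully-qualified name")
    end = parse_time(ticket.get("EndTime", ""))
    if end is None:
        problems.append("EndTime missing or unreadable")
    elif end < now + timedelta(hours=1):
        problems.append("EndTime is less than an hour away; purge and re-acquire")
    return problems


def find_ticket(tickets, resource_fqdn):
    for t in tickets:
        if "Server" in t and ticket_host(t["Server"]) == resource_fqdn.lower():
            return t
    return None


def triage(tgt_output, tickets_output, logon_domain, resource_fqdn, now):
    """Map klist output onto the troubleshooting steps; returns (step, findings)."""
    tgts = [r for r in parse_klist(tgt_output) if "DomainName" in r]
    if not tgts:
        return 1, ["no TGT cached: log off and on, then check domain membership"]
    problems = check_tgt(tgts[0], logon_domain, now)
    if problems:
        return 1, problems
    ticket = find_ticket(parse_klist(tickets_output), resource_fqdn)
    if ticket is None:
        return 2, ["no ticket for the resource: try another resource, then check the KDC"]
    problems = check_ticket(ticket, resource_fqdn, now)
    if problems:
        return 3, problems
    return 3, ["TGT and ticket look valid: check the resource server itself"]


if __name__ == "__main__":
    for host in ("fs01.corp.example", "dc01.corp.example", "web01.corp.example"):
        print(host, triage(SAMPLE_TGT, SAMPLE_TICKETS, "CORP.EXAMPLE", host, NOW))
```

The script only reads text, so it is safe to run against output saved from any workstation; the useful part is that it makes the "should be in the past / in the future / at least an hour away" rules explicit and points you at the step to start from.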