
SolutionBase: Diagnosing Kerberos health issues, part 2

Kerberos is a great way to help keep your Windows network secure -- IF it's working properly. Here are some ways you can verify that Kerberos is working correctly and diagnose the problem if it isn't.

This article is also available as a TechRepublic download.

In the first part of this article series, I gave you some insight into the inner workings of the Kerberos protocol by showing you what a Kerberos transaction looks like when viewed through the Network Monitor. In this article, I want to continue the discussion by showing you some other ways that you can verify that Kerberos is working correctly, and diagnose the problem if it isn't.

The Windows Server 2003 Resource Kit

The Windows Server 2003 Resource Kit contains a couple of different tools that can be used in diagnosing Kerberos health issues. The main tools of interest are Kerb Tray and KLIST. I will discuss both of these tools in detail in a moment. In the meantime, though, if you do not have a copy of the Windows Server 2003 Resource Kit Tools, you can download them from the Microsoft Web site.

Kerb Tray

Kerb Tray is a graphical utility that's designed to show you all of the Kerberos tickets that have been obtained since login. To use Kerb Tray, simply double-click on the KERBTRAY.EXE file in the \Program Files\Windows Resource Kits\Tools folder. When you do, a small icon will be added to the Windows system tray. I have to be honest and tell you that I have no idea what this icon is supposed to be, so I will just show it to you. The Kerb Tray icon is the bright green icon shown on the far left of Figure A.

Figure A

The Kerb Tray icon is the bright green icon on the left.

Although what the icon is supposed to represent is open for debate, there is one thing that you do need to know about the icon. If you are using Kerb Tray to diagnose a problem, then it is possible that you might open Kerb Tray only to find that the icon looks like a question mark rather than appearing the way that you see it in Figure A. If the Kerb Tray icon looks like a question mark, it means that no Kerberos tickets have been obtained since login. Typically this means that a domain controller could not be contacted.

Now that Kerb Tray is running, double-click on the Kerb Tray icon to open the main Kerb Tray interface, as shown in Figure B. As you can see in the figure, the first thing that the interface lists is the Client Principal. The Client Principal is the user who requested the ticket. Just below is a list of the tickets that have been obtained by the client principal.

Figure B

The main Kerb Tray interface lists the tickets that have been obtained, and the user that requested them.

Just below the list of tickets is a series of tabs. The information that's presented on each tab reflects the ticket that is selected in the list above. As you can see in Figure B, the Names tab is selected by default. There are two names listed for the selected ticket: the Service Name and the Target Name. The service name is the account principal for the service that was requested. This is different from the client principal. The client principal corresponds to a user, while the account principal corresponds to a system function. For example, in Figure B, the service name starts with KRBTGT. This is the Kerberos Ticket Granting Ticket. The Target Name works similarly, but lists the service for which the ticket was requested.

The Times tab, shown in Figure C, displays the period of time for which the selected ticket is valid. As you can see in the figure, the Times tab lists a Start and End time, and a Renew Until time. The start time is the date and time at which the selected ticket initially became valid. The end time is the date and time when the selected ticket expires. If a ticket does expire, it can be automatically renewed until the renew until date.

Figure C

The Times tab displays the period of time for which the selected ticket is valid.

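The Times tab is easiest to reason about as a window: a ticket is usable between Start and End, and an expired ticket can still be renewed without re-authenticating until Renew Until. The short script below, which is an added example and not part of the original article or the Resource Kit, classifies a ticket against those three times, and also checks a client/server clock difference against the 5-minute default of the Windows "Maximum tolerance for computer clock synchronization" Kerberos policy (a KDC rejects requests whose timestamps fall outside that tolerance, which is what the Time Skew value reported by KLIST TGT is about). The sample times are constructed; the function names and the ISO 8601 input format are this example's own choices.

```python
from datetime import datetime

# Windows default Kerberos policy "Maximum tolerance for computer clock
# synchronization" is 5 minutes.
MAX_CLOCK_SKEW_SECONDS = 5 * 60


def _as_dt(value):
    """Accept a datetime or an ISO 8601 string such as '2007-03-01 08:00:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def ticket_state(now, start, end, renew_until):
    """Classify a ticket against the Start, End and Renew Until times.

    Returns one of "not yet valid", "valid", "expired, renewable" or
    "expired, not renewable". Between End and Renew Until the ticket can be
    renewed without a new authentication; after Renew Until it cannot.
    """
    now, start, end, renew_until = map(_as_dt, (now, start, end, renew_until))
    if end <= start or renew_until < end:
        raise ValueError("times must satisfy start < end <= renew_until")
    if now < start:
        return "not yet valid"
    if now < end:
        return "valid"
    if now < renew_until:
        return "expired, renewable"
    return "expired, not renewable"


def clock_skew_seconds(client_time, server_time):
    """Signed difference between the client and server clocks, in seconds."""
    return (_as_dt(client_time) - _as_dt(server_time)).total_seconds()


def skew_acceptable(skew_seconds, tolerance_seconds=MAX_CLOCK_SKEW_SECONDS):
    """True if the clock difference is within the Kerberos tolerance."""
    return abs(skew_seconds) <= tolerance_seconds


if __name__ == "__main__":
    # Constructed sample: a 10-hour TGT that may be renewed for 7 days
    # (the Windows default domain policy values).
    start, end, renew_until = ("2007-03-01 08:00:00",
                               "2007-03-01 18:00:00",
                               "2007-03-08 08:00:00")
    for now in ("2007-03-01 07:59:00", "2007-03-01 12:00:00",
                "2007-03-02 12:00:00", "2007-03-09 12:00:00"):
        print(now, "->", ticket_state(now, start, end, renew_until))

    skew = clock_skew_seconds("2007-03-01 12:04:00", "2007-03-01 12:00:00")
    print("skew", skew, "seconds, acceptable:", skew_acceptable(skew))
```

A ticket that Kerb Tray shows as expired is therefore not necessarily a problem: as long as the Renew Until date has not passed, the client will renew it quietly. A clock skew beyond the tolerance, on the other hand, prevents any ticket from being obtained at all, which is one of the conditions behind the question-mark icon described earlier.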
The Flags tab, shown in Figure D, requires a bit more explaining. As you can see in the figure, there are about a dozen different flags that can be associated with a Kerberos ticket.

Figure D

There are about a dozen flags that can be associated with a Kerberos ticket.

These flags can be used to define a ticket's status or its intended usage. Below, I will briefly describe what each of these flags mean:

  • Forwardable: The authentication information can be forwarded. This means that the user will not have to enter a password when using this ticket.
  • Forwarded: When a client presents a ticket to the Ticket Granting Service and the ticket has the Forwardable flag set, then the Ticket Granting Service will set the Forwarded flag.
  • Proxiable: If a ticket is proxiable, it means that the Ticket Granting Service can act on the client's behalf. When a proxiable ticket is sent to the Ticket Granting Service, the Ticket Granting Service knows that the information contained within the ticket can be sent to a remote server, which is then given permission to perform a remote request on the client's behalf. The ticket itself is not retransmitted, though. Instead, the Ticket Granting Service will issue a new service ticket for the remote computer on the client's behalf.
  • Proxy: When the Ticket Granting Service sends a new service ticket to a remote server on a client's behalf, the new ticket is marked with the Proxy flag.
  • May Postdate: Normally, when a ticket is issued, it is assumed that the service access authorized by the ticket will occur immediately. This is not always the case though. Sometimes the service access request will need to take place in the future. In these cases, a ticket may be post dated.
  • Post Dated: If a ticket has been post dated, the Post Dated flag is set.
  • Invalid: When a ticket is post dated the Invalid flag is set, rendering the ticket invalid. The ticket must then be sent to the KDC in order to be validated. The KDC will only validate the ticket once the post date has passed.
  • Initial: If the Initial flag is set, it means that the ticket was not issued as a result of the presentation of a ticket granting ticket. The Initial flag is set for the first service ticket for the KRBTGT. No ticket granting ticket is present when the first service ticket for the KRBTGT is issued, because that ticket is the Ticket Granting Ticket.
  • Renewable: I have already shown you the Renew Until attribute on the Times tab. The Renewable flag simply indicates that the ticket is renewable without the need for a new authentication.
  • HW Authenticated: This flag provides Kerberos with more information about an initial authentication.
  • Preauthenticated: This is another attribute commonly used with an initial ticket.
  • OK As Delegate: This flag verifies that the server itself is acceptable for delegation. A user's credentials will not be forwarded unless services are flagged as OK As Delegate.

The Encryption Types tab, shown in Figure E, gives you some information regarding the encryption algorithms that are used by the ticket. More specifically, this tab provides you with two pieces of information: the Ticket Encryption Type and the Key Encryption Type. As the names imply, the Ticket Encryption Type field lists the algorithm used to encrypt the Kerberos ticket, while the Key Encryption Type field lists the encryption type used with the session key.

Figure E

The Encryption Types tab shows how the ticket has been encrypted.

As you can see, the Kerb Tray utility provides you with a wealth of information related to the tickets that have been issued. The Kerb Tray utility isn't solely informational though. If you right-click on the Kerb Tray icon, you will see a short context menu. One of the choices on that menu is Purge Tickets. You can use this option to blow out all of the existing tickets so that you can start fresh with new tickets.

KLIST

The KLIST utility is a command line utility that does a lot of the same things as the Kerb Tray utility does. The syntax for the KLIST utility is a lot simpler than most of the command line based Resource Kit utilities. The syntax looks like this:

KLIST <Tickets | TGT | Purge>

To see how the KLIST utility works, start off by entering the KLIST TICKETS command. When you do, you will see a summary of all of the Kerberos tickets that have been obtained, as shown in Figure F.

Figure F

The KLIST TICKETS command displays a summary of the Kerberos tickets that have been obtained.

As you can see in the figure, the KLIST TICKETS command provides some of the same types of information about tickets as the Kerb Tray utility does, but it does not give you as much detail. The command displays the ticket's encryption type, end time, and renewal time, but that's it. The command doesn't show you things like the ticket's start time or its flags.

You can, however, get more detailed information about ticket granting tickets by entering the KLIST TGT command. You can see what the results of this command look like in Figure G.

Figure G

The KLIST TGT command displays information related to the ticket granting ticket.

As you can see in the figure, this command displays several pieces of information. Below is a brief summary of what these various pieces of information mean:

  • Service Name: This is the name of the service that the ticket can be used for.
  • Target Name: The Target Name is the name of the service for which the ticket was requested.
  • Full Service Name: The Full Service Name is the name of the account principal for the service.
  • Domain Name: The domain name reflects the name of the domain being serviced.
  • Target Domain Name: The Target Domain Name reflects the name of the domain that the ticket is intended for. This is particularly useful information for cross-realm tickets, which are intended for use elsewhere in the forest.
  • Alt Target Domain Name: The Alt Target Domain Name lists the service context that the ticket was generated under.
  • Ticket Flags: The Ticket Flags field provides a hexadecimal representation of the various flags that apply to the ticket. You will have to use the Kerb Tray tool to see these flags in a readable format.
  • Start Time: The Start Time is the date and time when the ticket became valid.
  • End Time: The End Time reflects the date and time when the ticket expires.
  • Renew Until: An expired ticket can be automatically renewed until the Renew Until date.
  • Time Skew: The Time Skew has to do with the difference between the clocks on the client and server computers.

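Because KLIST TGT prints the Ticket Flags field as a bare hexadecimal word, it helps to be able to turn that word back into the flag names that Kerb Tray's Flags tab displays. The decoder below is an added example, not part of the article or of the Resource Kit. It relies on one fact not stated above: the flag field is the ASN.1 BIT STRING defined in RFC 4120 section 5.4.1, so bit 0 is the most significant bit of the 32-bit word and the flags follow the RFC's numbering (forwardable is bit 1, forwarded bit 2, and so on, with ok-as-delegate at bit 13). The flag names are the ones from the Flags tab list above; bits the list does not name are reported by position rather than dropped. The sample line and value are constructed, and the "Ticket Flags: 0x..." line layout is assumed for the sake of the example.

```python
import re

# Bit positions from RFC 4120 section 5.4.1, numbered from the most
# significant bit of the 32-bit word that KLIST TGT prints as Ticket Flags.
# Names follow Kerb Tray's Flags tab. Bit 12 (transited-policy-checked in
# the RFC) and bits above 13 have no name on that tab and are left out here.
FLAG_BITS = {
    1: "Forwardable",
    2: "Forwarded",
    3: "Proxiable",
    4: "Proxy",
    5: "May Postdate",
    6: "Post Dated",
    7: "Invalid",
    8: "Renewable",
    9: "Initial",
    10: "Preauthenticated",
    11: "HW Authenticated",
    13: "OK As Delegate",
}

WORD_BITS = 32


def decode_ticket_flags(flags):
    """Return the Kerb Tray flag names set in a KLIST Ticket Flags word.

    `flags` may be an int or a hex string such as "0x40e10000". Any set bit
    without a name in FLAG_BITS is reported as "bit N" (N counted from the
    most significant bit) so that nothing in the word is silently ignored.
    """
    if isinstance(flags, str):
        flags = int(flags, 16)
    if not 0 <= flags < (1 << WORD_BITS):
        raise ValueError("ticket flags must fit in a 32-bit word")
    names = []
    for bit in range(WORD_BITS):
        if flags & (1 << (WORD_BITS - 1 - bit)):
            names.append(FLAG_BITS.get(bit, f"bit {bit}"))
    return names


def flags_from_klist_line(line):
    """Extract the hex word from a 'Ticket Flags' line and decode it.

    The "Ticket Flags: 0x..." layout is an assumption made for this example;
    the match is deliberately loose about spacing and case.
    """
    match = re.search(r"ticket\s*flags\s*:?\s*(0x[0-9a-f]+)", line, re.IGNORECASE)
    if not match:
        raise ValueError(f"no Ticket Flags value found in line: {line!r}")
    return decode_ticket_flags(match.group(1))


if __name__ == "__main__":
    # Constructed sample line, not real KLIST output.
    sample = "Ticket Flags: 0x40e10000"
    print(flags_from_klist_line(sample))
```

For the constructed value 0x40e10000 the decoder reports Forwardable, Renewable, Initial and Preauthenticated, plus an unnamed bit 15: exactly the combination you would expect on a freshly obtained TGT, which Kerb Tray shows on its Flags tab and KLIST TGT only shows as hex.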
The KLIST PURGE command deletes all of the existing Kerberos tickets. The same task can be performed by right-clicking on the Kerb Tray icon and selecting the Purge Tickets command from the resulting shortcut menu.

Kerberos Monitoring

In this article, I have shown you how to use Kerb Tray and KLIST to help diagnose Kerberos health. Although these utilities are helpful in diagnosing Kerberos related problems, they really aren't practical for general day to day monitoring of Kerberos. There are so many Kerberos transactions that occur over a day's time that monitoring Kerberos is usually impractical.

If you are interested in monitoring Kerberos, then the best advice that I can give you is to try occasionally running Netdiag. Netdiag has a built-in Kerberos test. If Kerberos is having problems, then Netdiag will usually tell you about it. To run such a test, just open a Command Prompt window and enter the following command:

NETDIAG /TEST:KERBEROS /DEBUG >TEST.TXT

When you run this command, the test results will be dumped to a text file named TEST.TXT. If you need more information, just add the /V switch to view verbose debugging information.

Keeping Kerberos healthy

As you can see, there are a wide variety of tools that you can use to diagnose Kerberos health issues. In this article series, I have explained how to use the Network Monitor, Kerb Tray, KLIST, and NETDIAG to diagnose Kerberos health issues.
