Thursday, 20 September 2012

Troubleshooting Kerberos


Here are some tools that can be used to diagnose Kerberos issues.

KerbTray

http://www.microsoft.com/en-us/download/details.aspx?id=23018
This is the main tool to use on Windows to display ticket information for a given computer running the Kerberos protocol. It displays information from the Windows ticket cache.

Setspn

http://www.microsoft.com/en-us/download/details.aspx?id=25233
http://support.microsoft.com/kb/326985
This command-line tool allows you to manage the Service Principal Names (SPN) property for an Active Directory™ directory service account. SPNs are used to locate a target principal name for running a service.
Useful when creating test accounts for use with Kerberos on Windows.

Process Monitor

http://technet.microsoft.com/en-us/sysinternals/bb896645
Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

Process Explorer

http://technet.microsoft.com/en-us/sysinternals/bb896653
Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.
The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work.
You should be able to see what security tokens a process has by using properties on a process and clicking the security tab. (Make sure you are running process explorer as administrator.)

Kinit

http://docs.oracle.com/javase/1.4.2/docs/tooldocs/linux/kinit.html
This allows you to authenticate with a principal and generate tickets.
This can be used on Windows and linux. Its use on Windows is limited however as it works off its own file cache, not the Windows ticket cache.

Klist

http://docs.oracle.com/javase/7/docs/technotes/tools/windows/klist.html
http://technet.microsoft.com/en-us/library/hh134826(v=ws.10).aspx
View and deleting the Kerberos tickets granted to the current logon session.
This can be used on windows and linux. Its use on windows is limited however as it works off its own file cache, not the Windows ticket cache.

Enable Kerberos Logging

http://support.microsoft.com/kb/262177
Windows offers the capability of tracing detailed Kerberos events through the event log mechanism. You can use this information too troubleshoot Kerberos. This article describes how to enable Kerberos event logging.

Insight for Active Directory v1.01

http://technet.microsoft.com/en-us/sysinternals/bb897539
ADInsight is an LDAP (Light-weight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve Windows authentication, Exchange, DNS, and other problems.
ADInsight uses DLL injection techniques to intercept calls that applications make in the Wldap32.dll library, which is the standard library underlying Active Directory APIs such LDAP API and ADSI . Unlike network monitoring tools, ADInsight intercepts and interprets all client-side APIs, including those that do not result in transmission to a server. ADInsight monitors any process into which it can load it’s tracing DLL, which means that it does not require administrative permissions, however, if run with administrative rights, it will also monitor system processes, including windows services.

LogMan

http://technet.microsoft.com/en-us/library/cc753820(v=ws.10).aspx
Logman creates and manages Event Trace Session and Performance logs and supports many functions of Performance Monitor from the command line.  Filters can be added to log Kerberos events.

MIT Kerberos Client

http://web.mit.edu/kerberos/dist/
Network Identity Manager (NetIdMgr) is a graphical tool designed to simplify the management of network identities and their credentials which are used by network authentication protocols while providing secure access to network services.
When NetIDMgr is used with Kerberos v5 each network identity is a unique Kerberos principal name and the credentials are Kerberos v5 tickets. Kerberos v5 tickets can be used by NetIDMgr to obtain Andrew File System (AFS) tokens and X.509 public key certificates if the appropriate plug-ins are installed.

DelegConfig

http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1434
This is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegating Kerberos credentials.

Kerberos SPN Viewer

http://blogs.msdn.com/b/sansom/archive/2009/10/12/kerberos-spn-viewer-and-helper-tool-sample.aspx
Simplify listing the ServicePrincipalName (SPN) and an integrated helper tool which can help us find out what SPN should we set based on the configuration that we are using.

WireShark

http://www.wireshark.org/
Open source packet sniffer for Windows and Unix.

Microsoft Network Monitor

http://www.microsoft.com/en-us/download/details.aspx?id=4865
Microsofts packet sniffer, allows capturing and protocol analysis of network traffic.

Tokensz

http://www.microsoft.com/en-us/download/details.aspx?id=1448
This tool will compute the maximum token size and is used to test whether a system may exhibit the issue described in KB article 327825.

Ldp

http://technet.microsoft.com/en-us/library/cc772839(v=ws.10).aspx
http://support.microsoft.com/kb/224543
This GUI tool is a Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory. LDP is used to view objects stored in Active Directory along with their metadata, such as security descriptors and replication metadata.

Active Directory Users and Computers

http://www.microsoft.com/en-us/download/details.aspx?id=7887
http://technet.microsoft.com/en-us/library/cc754217.aspx
Active Directory® Users and Computers is a Microsoft Management Console (MMC) snap-in that you can use to administer and publish information in the directory.

NTP commands

These can be useful if you are experiencing NTP issues, this can be common with some virtual machines.
w32tm /resync
net start w32time

Troubleshooting Kerberos Problems

http://technet.microsoft.com/en-us/library/cc786325(v=ws.10).aspx
http://www.microsoft.com/en-us/download/details.aspx?id=21820
http://blogs.technet.com/b/askds/archive/2008/05/14/troubleshooting-kerberos-authentication-problems-name-resolution-issues.aspx

No comments:

Post a Comment