Microsoft KB Archive/216052

= How to Enable Kerberos Debugging in Windows 2000 =

Article ID: 216052

Article Last Modified on 2/20/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q216052



SUMMARY
You can use the checked version of the Kerberos.dll (client) or Kdsvc.dll (domain controller) file and a registry modification to output Kerberos debug statements to a debugger. For optimal reporting, use both checked files on domain controllers.



MORE INFORMATION
Rename the original file and then copy the appropriate checked file to the original's location. Next, restart the computer with LSASS under the kernel debugger. The process for doing this has changed, because Winlogon starts Services.exe and Lsass.exe directly with a fully qualified path to avoid a security hole. To place LSASS under the debugger, use the "Image File Execution Options" method either by running a registry script or setting the following value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe

value: Debugger (REG_SZ)

data: "ntsd -dgG"

Restart and make sure the computer is using the kernel debugger.

Only minimal debug information is output to the debugger if the Lsass.exe process is not joined to the debugger as stated above. The default debugger output appears on the debugger computer.

The debug output should start with descriptions similar to:

248.268> Kerb-Error: "Kerberos specific debug statements"

248.524> KDC-Error: "Key Distribution Center specific debug statements"

To enable a more verbose level, have local symbols available for the checked file, and then use the following commands::
 * 1) breakin 'lsass pid'
 * 2) from within the kernel debugger: ed kerberos!kerbinfolevel [hex mask, between zero and FFFFFFFF]
 * 3) ed kdcsvc!kdcinfolevel [another mask]

Keywords: kbenv kbhowto KB216052

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.