How to Enable Kerberos Debugging in Windows 2000 (216052)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server

This article was previously published under Q216052

SUMMARY

You can use the checked version of the Kerberos.dll (client) or Kdcsvc.dll (domain controller) file and a registry modification to output Kerberos debug statements to a debugger. For optimal reporting, use both checked files on domain controllers.

MORE INFORMATION

Rename the original file and then copy the appropriate checked file to the original's location. Next, restart the computer with LSASS under the kernel debugger. The process for doing this has changed, because Winlogon starts Services.exe and Lsass.exe directly with a fully qualified path to avoid a security hole. To place LSASS under the debugger, use the "Image File Execution Options" method either by running a registry script or setting the following value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe

value: Debugger (REG_SZ)
data: "ntsd -dgG"

Restart and make sure the computer is using the kernel debugger.

Only minimal debug information is output to the debugger if the Lsass.exe process is not joined to the debugger as stated above. The default debugger output appears on the debugger computer.

The debug output should start with descriptions similar to:

248.268> Kerb-Error: "Kerberos specific debug statements"
248.524> KDC-Error: "Key Distribution Center specific debug statements"

To enable a more verbose level, have local symbols available for the checked file, and then use the following commands:

  1. breakin 'lsass pid'
  2. From within the kernel debugger: ed kerberos!kerbinfolevel [hex mask, between zero and FFFFFFFF]
  3. ed kdcsvc!kdcinfolevel [another mask]
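
An added example (not part of the original Microsoft article): the Debugger value described above stays in the registry until it is deleted, so Lsass.exe keeps starting under ntsd on every restart. This Python script scans the text of a .reg export of the Image File Execution Options key and reports which images still carry a Debugger value; the sample export, the example.exe subkey and the function names are constructed for illustration.

```python
import re

IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

# Constructed sample: text of a .reg export of the IFEO key (not from a real host).
# Decode the exported file to text before passing it in; the header line is ignored.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe]
"Debugger"="ntsd -dgG"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example.exe]
"GlobalFlag"="0x00000010"
'''

_KEY = re.compile(r"^\[(.+)\]$")                                  # [key path]
_STR = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')   # "name"="string"

def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def find_ifeo_debuggers(reg_text):
    """Return {image name: Debugger command} for each IFEO subkey that sets one."""
    found, image = {}, None
    prefix = IFEO.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            # Track only subkeys of IFEO; key deletions ("[-HKEY...]") do not match.
            image = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        m = _STR.match(line)
        if m and image and _unescape(m.group(1)).lower() == "debugger":
            found[image] = _unescape(m.group(2))
    return found

def lsass_debugger_left_enabled(reg_text):
    """True if the export still redirects lsass.exe to a debugger."""
    return "lsass.exe" in {name.lower() for name in find_ifeo_debuggers(reg_text)}

if __name__ == "__main__":
    for name, cmd in find_ifeo_debuggers(SAMPLE_EXPORT).items():
        print(f"{name}: Debugger = {cmd}")
```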

Modification Type: Minor
Last Reviewed: 10/13/2004
Keywords: kbenv kbhowto KB216052