Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003 (837361)


The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

This article contains information about registry entries that relate to the Kerberos version 5 authentication protocol in Microsoft Windows Server 2003.

INTRODUCTION

Kerberos is an authentication mechanism that is used to verify user or host identity. Kerberos is the preferred authentication method for services in Windows Server 2003.

If you are running Windows Server 2003, you can modify Kerberos parameters to help troubleshoot Kerberos authentication issues or to test the Kerberos protocol. To do this, add or modify the registry entries that are listed in the "More Information" section.

For additional information about Kerberos interoperability and authentication, click the following article number to view the article in the Microsoft Knowledge Base:

810755 White Paper: Windows 2000 Kerberos interoperability and authentication

MORE INFORMATION

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Note After you finish troubleshooting or testing the Kerberos protocol, remove any registry entries that you add. Otherwise, performance of your computer may be affected.

Registry entries and values under the Parameters key

The registry entries that are listed in this section must be added to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

Note If the Parameters key is not listed under Kerberos, you must create the key.
  • Entry: SkewTime
    Type: REG_DWORD
    Default Value: 5 (minutes)

    This value is the maximum time difference that is permitted between the client computer and the server that accepts Kerberos authentication. In Windows 2000 checked build version, the default SkewTime value is 2 hours.

    Note A checked build version of the Windows operating system is used in production and testing environments. (A checked build is also known as a debug version.) A checked build has many compiler optimizations turned off. This kind of build helps trace the cause of problems in system software. A checked build turns on many debugging checks in the operating system code and in the system drivers. These debugging checks help the checked build identify internal inconsistencies as soon as they occur. A checked build is larger and is slower to run than an end-user version of Windows.

    An end-user version of Windows is also known as a free build version or a retail-build version. In a free build version, debugging information is removed, and Windows is built with full compiler optimizations. A free build version is faster and uses less memory than a checked build version.
  • Entry: LogLevel
    Type: REG_DWORD
    Default Value: 0

    This value indicates whether events are logged in the system event log. If this value is set to any non-zero value, all Kerberos-related events are logged in the system event log.
  • Entry: MaxPacketSize
    Type: REG_DWORD
    Default Value: 1465 (bytes)

    This value is the maximum User Datagram Protocol (UDP) packet size. If the packet size exceeds this value, TCP is used.
  • Entry: StartupTime
    Type: REG_DWORD
    Default Value: 120 (seconds)

    This value is the time that Windows waits for the Key Distribution Center (KDC) to start before Windows gives up.
  • Entry: KdcWaitTime
    Type: REG_DWORD
    Default Value: 10 (seconds)

    This value is the time Windows waits for a response from a KDC.
  • Entry: KdcBackoffTime
    Type: REG_DWORD
    Default Value: 10 (seconds)


    This value is the time between successive calls to the KDC if the previous call failed.
  • Entry: KdcSendRetries
    Type: REG_DWORD
    Default Value: 3

    This value is the number of times that a client will try to contact a KDC.
  • Entry: DefaultEncryptionType
    Type: REG_DWORD
    Default Value: 23 (decimal) or 0x17 (hexadecimal)

    This value indicates the default encryption type for pre-authentication.
  • Entry: FarKdcTimeout
    Type: REG_DWORD
    Default Value: 10 (minutes)

    This is the time-out value that is used to invalidate a domain controller from a different site in the domain controller cache.
  • Entry: NearKdcTimeout
    Type: REG_DWORD
    Default Value: 30 (minutes)

    This is the time-out value that is used to invalidate a domain controller in the same site in the domain controller cache.
  • Entry: StronglyEncryptDatagram
    Type: REG_BOOL
    Default Value: FALSE

    This value contains a flag that indicates whether to use 128-bit encryption for datagram packets.
  • Entry: MaxReferralCount
    Type: REG_DWORD
    Default Value: 6

    This value is the number of KDC referrals that a client pursues before the client gives up.
  • Entry: KerbDebugLevel
    Type: REG_DWORD
    Default Value: 1 for Windows Server 2003 checked build version, 0 for Windows Server free build version

    This value indicates whether debug logging is on (1) or off (0).
  • Entry: MaxTokenSize
    Type: REG_DWORD
    Default Value: 12000 (Decimal)

    This value is the maximum value of the Kerberos token. Microsoft recommends that you set this value to less than 65535.
  • Entry: SpnCacheTimeout
    Type: REG_DWORD
    Default Value: 15 minutes

    This value is the lifetime of the Service Principal Names (SPN) cache entries. On domain controllers, the SPN cache is disabled.
  • Entry: S4UCacheTimeout
    Type: REG_DWORD
    Default Value: 15 minutes

    This value is the lifetime of the S4U negative cache entries that are used to restrict the number of S4U proxy requests from a particular computer.
  • Entry: S4UTicketLifetime
    Type: REG_DWORD
    Default Value: 15 minutes

    This value is the lifetime of tickets that are obtained by S4U proxy requests.
  • Entry: RetryPdc
    Type: REG_DWORD
    Default Value: 0 (false)
    Possible values: 0 (false) or any non-zero value (true)

    This value indicates whether the client will contact the primary domain controller for Authentication Service Requests (AS_REQ) if the client receives a password expiration error.
  • Entry: RequestOptions
    Type: REG_DWORD
    Default Value: Any RFC 1510 value

    This value indicates whether there are additional options that must be sent as KDC options in Ticket Granting Service requests (TGS_REQ).
  • Entry: ClientIpAddress
    Type: REG_DWORD
    Default Value: 0 (This setting is 0 because of Dynamic Host Configuration Protocol and network address translation issues.)
    Possible values: 0 (false) or any non-zero value (true)

    This value indicates whether a client IP address will be added in AS_REQ to force the Caddr field to contain IP addresses in all tickets.
  • Entry: TgtRenewalTime
    Type: REG_DWORD
    Default Value: 600 seconds

    This value is the time that Kerberos waits before it tries to renew a Ticket Granting Ticket (TGT) before the ticket expires.
  • Entry: AllowTgtSessionKey
    Type: REG_DWORD
    Default Value: 0
    Possible values: 0 (false) or any non-zero value (true)

    This value indicates whether session keys are exported with initial or with cross realm TGT authentication. The default value is false for security reasons.

Registry entries and values under the Kdc key

The registry entries that are listed in this section must be added to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc

Note If the Kdc key is not listed under Services, you must create the key.
  • Entry: KdcUseClientAddresses
    Type: REG_DWORD
    Default Value: 0
    Possible values: 0 (false) or any non-zero value (true)

    This value indicates whether IP addresses will be added in the Ticket-Granting Service Reply (TGS_REP).
  • Entry: KdcDontCheckAddresses
    Type: REG_DWORD
    Default Value: 1
    Possible values: 0 (false) or any non-zero value (true)

    This value indicates whether IP addresses for the TGS_REQ and the TGT Caddr field will be checked.
  • Entry: NewConnectionTimeout
    Type: REG_DWORD
    Default Value: 50 (seconds)

    This value is the time that an initial TCP endpoint connection will be kept open to receive data before it disconnects.
  • Entry: MaxDatagramReplySize
    Type: REG_DWORD
    Default Value: 1465 (decimal, bytes)

    This value is the maximum UDP packet size in TGS_REP and Authentication Service Replies (AS_REP) messages. If the packet size exceeds this value, the KDC returns a KRB_ERR_RESPONSE_TOO_BIG message that requests that the client switch to TCP.
  • Entry: KdcExtraLogLevel
    Type: REG_DWORD
    Default Value: 2
    Possible values:
    • 1 (decimal) or 0x1 (hexadecimal): Audit SPN unknown errors.
    • 2 (decimal) or 0x2 (hexadecimal): Log PKINIT errors. (PKINIT is an Internet Engineering Task Force (IETF) Internet draft for "Public Key Cryptography for Initial Authentication in Kerberos.")
    • 4 (decimal) or 0x4 (hexadecimal): Log all KDC errors.
    This value indicates what information the KDC will write to event logs and to audits.
  • Entry: KdcDebugLevel
    Type: REG_DWORD
    Default Value: 1 for checked build, 0 for free build

    This value indicates whether debug logging is on (1) or off (0).

    If the value is set to 0x10000000 (hexadecimal) or 268435456 (decimal), specific file or line information will be returned in the edata field of KERB_ERRORS as PKERB_EXT_ERROR errors during a KDC processing failure.
Modification Type:MajorLast Reviewed:8/14/2006
Keywords:kbwinservnetwork kbSecurityServices kbRegistry kbinfo KB837361 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.