For troubleshooting purposes, you might want to enable Kerberos event logging on the Key Distribution Center (KDC) machine.

Prerequisites

Back up the Windows registry.

Procedure

  1. Log in to the domain controller that acts as a Key Distribution Center (KDC).
  2. Run the registry editor as an administrator.
  3. In the registry window, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  4. If a LogLevel registry key value does not exist, right-click to create it.
    1. Right-click Parameter, select New > DWORD (32-bit) Value, and enter LogLevel.
    2. Select Parameter and in the right pane, double-click LogLevel and enter 1 in the Value data: text box.

    The new setting becomes effective without a reboot on Windows Server 2003 and later.

Results

The Kerberos error event entries are recorded in the System Windows Event Log.

What to do next

To disable Kerberos event logging, delete the LogLevel registry key value or change its value data to 0.