Monday, August 08, 2011

Kerberos: Some useful tools

 

Needed to do some work in this area and found the following extremely useful:

KerbTray is a GUI tool used to display ticket information for a given computer running the Kerberos protocol. You can purge all the Kerberos tickets with this.

KList is a DOS prompt tool used to view and delete the Kerberos tickets granted to the current logon session. It allows you to delete selected Kerberos tickets (as opposed to KerbTray, which deletes them all).

In terms of debugging, I found Wireshark to be useful to see what happens on the actual wire. You can isolate the relevant packets by using the Kerberos protocol as a filter.

The other alternative is to enable Kerberos event logging. Really simple to do – just one registry setting. Just remember to disable it when you are done.

DelegConfig is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegated Kerberos credentials. It can be really useful but has to be set up correctly. Worth running if only to read the comments and explanations.

Enjoy!
