How to troubleshoot Kerberos and NTLM authentication

You want to understand how Kerberos and NTLM authentication work, how to troubleshoot them, and how DNS host name resolution affects them.

Resolution

On the PDQ server, some Kerberos failures are logged by default (for example "KRB_AP_ERR_MODIFIED"), but you can enable Kerberos event logging to capture more error types.

How to enable Kerberos event logging

On the PDQ server, you can also enable the NTLM outgoing traffic audit log, which records an event every time NTLM (rather than Kerberos) is used to connect to a computer.

How to audit NTLM outgoing traffic
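As an added example (not part of this article or of PDQ's own tooling), the following PowerShell shows one way to turn on both logs described above on a Windows host and then read the events they produce. The registry values are the ones Microsoft documents for verbose Kerberos logging and for the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy; `TARGET-PC` is a placeholder. Run it from an elevated session, and set `LogLevel` back to 0 when you are done, because verbose Kerberos logging is noisy.

```powershell
# Added example, not from the PDQ article. Registry paths and event IDs are
# Microsoft-documented; $ComputerName is a placeholder. Run elevated.

# 1. Kerberos event logging. LogLevel=1 makes the Kerberos client write KDC
#    error events (Event ID 3, e.g. KDC_ERR_S_PRINCIPAL_UNKNOWN) to the System
#    log alongside the KRB_AP_ERR_MODIFIED events (ID 4) logged by default.
$krbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-Item -Path $krbKey -Force | Out-Null
Set-ItemProperty -Path $krbKey -Name 'LogLevel' -Value 1 -Type DWord

# 2. NTLM outgoing audit. Same effect as the policy "Network security:
#    Restrict NTLM: Outgoing NTLM traffic to remote servers" = Audit all.
#    1 = Audit all, 2 = Deny all (never use Deny while troubleshooting).
$ntlmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $ntlmKey -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord

# 3. Reproduce the connection (e.g. run the deployment again), then read back.
#    Kerberos client errors from the System log, last 24 hours:
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

#    Outgoing NTLM audit events (Event ID 8001, one per NTLM connection):
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-NTLM/Operational'
    Id        = 8001
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 4. DNS sanity check: Kerberos needs an SPN that matches the name the client
#    resolved. A stale A record or a CNAME pointing at another host yields
#    KDC_ERR_S_PRINCIPAL_UNKNOWN or KRB_AP_ERR_MODIFIED.
$ComputerName = 'TARGET-PC'   # placeholder
Resolve-DnsName -Name $ComputerName -Type A
setspn -L $ComputerName        # SPNs registered on the computer account
```

If the NTLM operational log fills with 8001 events for a host you expected to reach over Kerberos, compare the host name in the event's target field with the `Resolve-DnsName` and `setspn -L` output: a mismatch between the name resolved and the name registered as an SPN is the usual reason the client falls back to NTLM.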

Below are some great Microsoft articles that explain how Kerberos and NTLM work, and how to troubleshoot them in your environment.

How NTLM works

How Kerberos works

Kerberos issues examples

How to troubleshoot Kerberos authentication issues with a misconfigured DNS environment ("KDC_ERR_S_PRINCIPAL_UNKNOWN")

How to troubleshoot Kerberos authentication at the network level

How to troubleshoot Kerberos SPN Issues Part 1

How to troubleshoot Kerberos SPN Issues Part 2

How to troubleshoot Kerberos SPN Issues Part 3
