How to enable logging for Kerberos on Windows 2012 R2

kerberos, windows-server-2012-r2

How do I enable AND view logs for Kerberos requests on Windows server 2012?

I have IIS 8.5 Running on Windows server 2012 R2. I want to see success and failure messages related to Kerberos (like you can on other/earlier versions of windows).

I've enabled this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (LogLevel=1) (and rebooted)

IIS is set to Windows Auth with only "Negotiate" enabled in the providers section.

I'm not seeing Success Audit events in the security log when Kerberos is successful. I'm not seeing much at all in terms of Kerberos logging. I see an occasional error in the System event log, but nothing else.

Can Kerberos events be gathered and viewed in Windows 2012 R2?
If so, how?

Best Answer

You've got the registry entry correct. You don't even need to reboot.

If LogLevel is set to anything non-zero, then all Kerberos errors will be logged in the System event log. Kerberos "successes" are not logged in the same way. (Kerberos errors are things such as AP_ERR_MODIFIED, PRINCIPAL_UNKNOWN, etc.)

The LogLevel setting has no effect on what shows up in the Security event log however.

It has always worked this way. Server 2012 R2 is not different in this regard.

On the other hand, if you're expecting to see more verbose "Audit Success" and "Audit Failure" events for Kerberos ticket activity in your Security event log that you're currently not seeing, you need to set up your Advanced Audit Policy... but I believe most of those events only get logged on KDCs/Domain Controllers. (For example.)
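The steps the answer describes, put together as an added PowerShell example (this is not code from the original question or answer): it sets LogLevel on the IIS host, reads the resulting Kerberos errors from the System log, enables the two Advanced Audit Policy subcategories on a domain controller that produce the ticket Success/Failure events in the Security log, and then shows the one place a member server does record a Kerberos "success": the Authentication Package field of its own 4624 logon events. The SPN `HTTP/iis01.corp.example.com` is an assumed placeholder; substitute your own.

```powershell
# Added example, not part of the original answer.
# Steps 1, 2 and 4 run elevated on the IIS host; step 3 runs on a domain controller.

# 1. Enable Kerberos error logging on the IIS host. Any non-zero LogLevel works
#    and, as the answer says, no reboot is required.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Read the Kerberos errors that now land in the System log. They are written by
#    the Microsoft-Windows-Security-Kerberos provider (e.g. KRB_AP_ERR_MODIFIED,
#    KDC_ERR_C_PRINCIPAL_UNKNOWN). Successes are not logged here.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    StartTime    = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. On a domain controller only: enable the audit subcategories that produce the
#    ticket events in the Security log (4768/4771 for AS requests, 4769 for TGS
#    requests). A member server never emits these, whatever its audit policy.
auditpol /set /subcategory:"Kerberos Authentication Service"     /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /get /category:"Account Logon"

#    Then pull the service-ticket requests for the IIS SPN (assumed name).
$spn = 'HTTP/iis01\.corp\.example\.com'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4771 } -MaxEvents 200 |
    Where-Object { $_.Message -match $spn } |
    Select-Object TimeCreated, Id, Message

# 4. Back on the IIS host: confirm that a given request really used Kerberos rather
#    than falling back to NTLM. The member server's own 4624 logon events carry an
#    "Authentication Package" field; Kerberos means a ticket was accepted, NTLM means
#    Negotiate fell back. Requires "Audit Logon" success auditing, which is on by default.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-1) } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType          # 3 = network, which is what IIS produces
            AuthPackage = $d.AuthenticationPackageName
            Source      = $d.IpAddress
        }
    } |
    Where-Object { $_.LogonType -eq '3' } |
    Format-Table -AutoSize
```

Step 4 is the practical answer to "did Kerberos succeed?" on a web server: the Kerberos subsystem itself stays silent on success, but the logon the ticket produced is still audited, and its AuthPackage column tells you whether it was Kerberos or an NTLM fallback.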