5

How do I enable AND view logs for Kerberos requests on Windows Server 2012?

I have IIS 8.5 running on Windows Server 2012 R2. I want to see success and failure messages related to Kerberos (like you can on other/earlier versions of Windows).

I've enabled this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters (LogLevel=1) (and rebooted)

IIS is set to Windows Auth with only "Negotiate" enabled in the providers section.

I'm not seeing Success Audit events in the security log when Kerberos is successful. I'm not seeing much at all in terms of Kerberos logging. I see an occasional error in the System event log, but nothing else.

Can Kerberos events be gathered and viewed in Windows 2012 R2? If so, how?

cab0

2 Answers

3

You've got the registry entry correct. You don't even need to reboot.

If LogLevel is set to anything non-zero, then all Kerberos errors will be logged in the System event log. Kerberos "successes" are not logged in the same way. (Kerberos errors are things such as AP_ERR_MODIFIED, PRINCIPAL_UNKNOWN, etc.)

The LogLevel setting has no effect on what shows up in the Security event log however.

It has always worked this way. Server 2012 R2 is not different in this regard.

On the other hand, if you're expecting to see more verbose "Audit Success" and "Audit Failure" events for Kerberos ticket activity in your Security event log that you're currently not seeing, you need to set up your Advanced Audit Policy... but I believe most of those events only get logged on KDCs/Domain Controllers. (For example.)

Ryan Ries
  • I do have all of the account logon audit policies turned on for success and failure (Audit Kerberos Auth Services being one of them). I don't see any events in the security log, even though I have Kerberos tickets on the server (using klist.exe). – cab0 Oct 11 '16 at 15:21
0

There are a few different subcategories for the logging. You should run auditpol /list /subcategory:* to see them all. To see the configured values run auditpol /get /Category:*.

We were having trouble finding Event ID 4768 (Kerberos ticket) events, but by going through the policies this way we were able to enable the correct policy to get them showing up in the Security logs again.

dragon788
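
The checks from both answers combined into one read-only script, as an added example that is not part of either answer: it reads the LogLevel value, reports the two Kerberos audit subcategories, and counts recent Kerberos events in the Security and System logs. Assumptions not taken from the page: English subcategory names, the 24-hour window, event IDs 4769 and 4771 alongside the 4768 mentioned above, and the `Microsoft-Windows-Security-Kerberos` provider name for the System-log errors.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the answers. Read-only: reports settings and recent events.
param([int]$Hours = 24)   # look-back window (assumed default)

# 1. Registry LogLevel: non-zero sends Kerberos errors to the System event log.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$logLevel = (Get-ItemProperty -Path $key -Name LogLevel -ErrorAction SilentlyContinue).LogLevel
if ($null -eq $logLevel) { $logLevel = 'not set' }
"Kerberos LogLevel: $logLevel"

# 2. Audit subcategories behind the Security-log Kerberos events.
#    English subcategory names assumed; /r makes auditpol emit CSV.
foreach ($s in 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations') {
    auditpol /get /subcategory:"$s" /r | Where-Object { $_ } | ConvertFrom-Csv |
        ForEach-Object { '{0}: {1}' -f $_.Subcategory, $_.'Inclusion Setting' }
}

# 3. Security log: 4768 = TGT requested, 4769 = service ticket requested,
#    4771 = pre-authentication failed. The KDC (domain controller) writes these,
#    so run this part on a DC rather than on the IIS member server.
$since = (Get-Date).AddHours(-$Hours)
$sec = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4769, 4771; StartTime = $since
} -ErrorAction SilentlyContinue   # Get-WinEvent errors when nothing matches
if ($sec) {
    $sec | Group-Object Id | ForEach-Object { 'Security {0}: {1} event(s)' -f $_.Name, $_.Count }
} else {
    "Security: no 4768/4769/4771 events in the last $Hours hour(s)"
}

# 4. System log: the Kerberos errors that LogLevel enables on this machine.
$sys = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = $since
} -ErrorAction SilentlyContinue
if ($sys) {
    $sys | Select-Object -First 10 TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } | Format-List
} else {
    "System: no Kerberos errors in the last $Hours hour(s)"
}
```

An "Inclusion Setting" of "No Auditing" for either subcategory on the domain controller explains an empty result in step 3 even when `klist.exe` shows tickets on the member server.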