Dan Barvitsky

Bitten by Kerberos

The Kerberos, or Cerberus in Latin, a multithreaded multi-headed dog with tail of serpent heads, the hellhound, who used to guard the gates of Hades behind the river of Styx to keep the dead ancient Greek people dead in the kingdom of Shadows.

Once Kerberos was captured by Hercules and then brought to Eurystheus, where his DNA has been extracted and printed on an amphora. Somewhere around 1980 the amphora got into the hands of MIT researchers, who deciphered the inscriptions and reverse-engineered them into an authentication protocol. There is a legend, that time-to-time spirit of Cerberus comes to life, raises from the informational space and tortures the developers and architects, who did not pay enough attention to his persona back in the college.

To my greater sorrow, I can hereby confirm the above legend and provide the links for those in brave spirit who dare to repeat my path:

• Kerberos Technical Supplement for Windows – start here
• Configuring Kerberos for SharePoint 2007 – this is how I got into it
• Kerberos authentication and troubleshooting delegation issues – read this next for clarification on different names and short tool reference
• Overview of setspn command – a very useful tool to deal with Kerberos config, part of Windows Server 2003 Resource Kit tools
• EventID.NET to help troubleshoot Kerberos errors in Windows log

Here are some tricks to ease the pain of the Kerberos bite:

• To see what the hell is going on in your Active Directory, use the ldifde -f export.txt command. It will save entries of your AD into a semi-readable file. To narrow down the search you may use various options, such as “–d” to specify the root of directory or “-r” to filter the entries;
• Use “klist tickets” or kerbtray tool to display current Kerberos tickets on your desktop (or server). Note that tool only shows tickets for the desktop it runs on. It is located in C:\Program Files\Windows Resource Kits\Tools directory, if you need to copy it;