How to Configure Windows Server 2016 Kerberos Authentication
Kerberos is the primary authentication protocol used by Windows Server 2016 in Active Directory domain environments. It replaced NTLM as the default authentication method starting with Windows 2000 and provides mutual authentication, stronger security guarantees, and better scalability than its predecessor. Kerberos uses tickets issued by the Key Distribution Center (KDC), a service running on every domain controller, to authenticate users and services without transmitting passwords over the network.
Understanding how to configure and troubleshoot Kerberos is essential for maintaining a healthy Windows Server 2016 environment. Misconfiguration of Kerberos is a common cause of authentication failures, especially when dealing with Service Principal Names (SPNs), delegation settings, and encryption type compatibility.
Step 1: Understand the Kerberos Authentication Flow
Kerberos authentication in a Windows domain involves three parties: the client, the KDC running on the domain controller, and the target service. The exchange uses Ticket Granting Tickets (TGTs), service tickets, and the session keys issued alongside them. Understanding this flow helps diagnose issues when they arise.
The client first authenticates to the KDC and receives a TGT encrypted with the KDC’s secret key. When the client needs to access a service, it presents the TGT to request a service ticket. The service ticket is encrypted with the service account’s password hash and presented to the target service.
Step 2: Verify Kerberos is Functioning
Use the klist command to view the current Kerberos tickets on a computer. This is the first diagnostic step when troubleshooting authentication problems:
klist
To view tickets for the current user session:
klist tickets
To purge all cached tickets and force re-authentication:
klist purge
Step 3: Configure Kerberos Encryption Types
Windows Server 2016 supports multiple Kerberos encryption types. It is recommended to use AES-256 and AES-128 encryption and disable the weaker RC4/DES types for improved security. Configure encryption types via Group Policy:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network security: Configure encryption types allowed for Kerberos
Enable only the following options:
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
To configure this via PowerShell on a domain controller:
Set-GPRegistryValue -Name "Default Domain Policy" `
-Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
-ValueName "SupportedEncryptionTypes" `
-Type DWord `
-Value 0x7FFFFFF8
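The value 0x7FFFFFF8 is a bitmask: every bit except the three for DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC. The following PowerShell is an added example (not code from the original article) that decodes such a mask, builds one from type names, and audits accounts whose msDS-SupportedEncryptionTypes attribute still permits the weak types. The bit values are the documented Windows values for that attribute; the audit function assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example, not from the original article. Decodes the bitmask behind the
# "Configure encryption types allowed for Kerberos" policy and audits accounts
# whose msDS-SupportedEncryptionTypes attribute still allows DES or RC4.
# Bit values are the documented Windows values for that attribute.
$KerbEncTypeBits = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_CTS_HMAC_SHA1_96' = 0x8
    'AES256_CTS_HMAC_SHA1_96' = 0x10
}
$FutureEncTypeBits = 0x7FFFFFE0   # the "Future encryption types" option covers every bit above AES256
$WeakEncTypeMask   = 0x7          # DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC_MD5

function ConvertFrom-KerbEncTypes {
    # Returns the names of the encryption types enabled in a bitmask value.
    param([Parameter(Mandatory)][uint32]$Value)
    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in $KerbEncTypeBits.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $names.Add($entry.Key) }
    }
    if (($Value -band $FutureEncTypeBits) -ne 0) { $names.Add('Future') }
    return $names.ToArray()
}

function ConvertTo-KerbEncTypes {
    # Builds the bitmask from type names, so the value written to the policy is
    # derived rather than typed by hand.
    param([Parameter(Mandatory)][string[]]$Name)
    [uint32]$value = 0
    foreach ($n in $Name) {
        if ($n -eq 'Future') { $value = $value -bor $FutureEncTypeBits }
        elseif ($KerbEncTypeBits.Contains($n)) { $value = $value -bor $KerbEncTypeBits[$n] }
        else { throw "unknown encryption type '$n'" }
    }
    return $value
}

function Get-WeakKerbEncTypeAccounts {
    # Requires the ActiveDirectory module (RSAT) and read access to the domain.
    # Reports user and computer accounts that still permit DES/RC4, or that have
    # no value set at all (so the KDC default decides for them). Accounts that
    # carry an SPN are the ones whose service tickets are affected.
    Import-Module ActiveDirectory
    Get-ADObject -LDAPFilter '(objectClass=user)' -Properties 'msDS-SupportedEncryptionTypes', 'servicePrincipalName' |
        ForEach-Object {
            $raw = $_.'msDS-SupportedEncryptionTypes'
            $enc = if ($null -eq $raw) { [uint32]0 } else { [uint32]$raw }
            [pscustomobject]@{
                Name       = $_.Name
                HasSPN     = ($_.servicePrincipalName.Count -gt 0)
                EncTypes   = if ($null -eq $raw) { 'unset' } else { (ConvertFrom-KerbEncTypes $enc) -join ',' }
                AllowsWeak = (($enc -band $WeakEncTypeMask) -ne 0)
            }
        } |
        Where-Object { $_.AllowsWeak -or $_.EncTypes -eq 'unset' }
}

# Decode the value used in the Set-GPRegistryValue command, and rebuild it from names.
ConvertFrom-KerbEncTypes 0x7FFFFFF8
'0x{0:X}' -f (ConvertTo-KerbEncTypes 'AES128_CTS_HMAC_SHA1_96', 'AES256_CTS_HMAC_SHA1_96', 'Future')
```

Run the audit before tightening the policy: an account that only permits RC4 (or a service whose software only speaks RC4) will stop authenticating once the KDC refuses to issue RC4 tickets, so those rows are the change list.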
Step 4: Manage Service Principal Names
SPNs are identifiers that associate a service with a specific service account. They are required for Kerberos to generate a service ticket for a given service. Duplicate or missing SPNs are a common cause of Kerberos failures.
List all SPNs for an account:
setspn -L yourdomain\svc_sql
Add an SPN for a service:
setspn -A MSSQLSvc/sqlserver01.yourdomain.com:1433 YOURDOMAIN\svc_sql
Check for duplicate SPNs across the domain:
setspn -X
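The same checks can be scripted so that a duplicate is refused at registration time instead of being discovered later with setspn -X. The PowerShell below is an added example, not part of the original article: it reports duplicate SPNs across the domain and registers a new SPN only when no other object already carries it. It assumes the ActiveDirectory RSAT module; the function names Find-DuplicateSpn and Add-SpnIfUnique are the example's own.

```powershell
# Added example, not from the original article. Finds SPNs registered on more
# than one account (the condition setspn -X reports) and adds an SPN only after
# confirming it is unique. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    # Flattens every SPN-bearing object into (SPN, owner) pairs and reports the
    # SPNs with more than one owner. Matching is case-insensitive because the
    # KDC's SPN lookup is.
    $pairs = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $owner = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Owner = $owner }
            }
        }
    $pairs | Group-Object -Property Spn | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Spn = $_.Name; Owners = @($_.Group.Owner | Sort-Object -Unique) }
    }
}

function Add-SpnIfUnique {
    # Refuses to register an SPN that already exists anywhere in the domain,
    # because the KDC cannot choose between two owners and ticket requests for
    # that service then fail.
    param(
        [Parameter(Mandatory)][string]$Spn,            # e.g. MSSQLSvc/sqlserver01.yourdomain.com:1433
        [Parameter(Mandatory)][string]$SamAccountName  # e.g. svc_sql
    )
    # SPN shape is service/host[:port-or-instance][/servicename]
    if ($Spn -notmatch '^[^/\s]+/[^/\s:]+(:[^/\s]+)?(/[^/\s]+)?$') {
        throw "SPN '$Spn' is not in service/host[:port][/name] form"
    }
    $existing = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
    if ($existing.Count -gt 0) {
        throw "SPN '$Spn' is already registered on: $($existing.DistinguishedName -join '; ')"
    }
    $account = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)"
    if (-not $account) { throw "account '$SamAccountName' not found" }
    Set-ADObject -Identity $account -Add @{ servicePrincipalName = $Spn }
}

# Report existing duplicates, then register the SQL SPN from the article safely.
Find-DuplicateSpn
Add-SpnIfUnique -Spn 'MSSQLSvc/sqlserver01.yourdomain.com:1433' -SamAccountName 'svc_sql'
```

The duplicate check is domain-wide rather than per-account because Kerberos resolves an SPN across the whole domain; two accounts holding the same SPN in different OUs is exactly the case setspn -X exists to catch.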
Step 5: Configure Kerberos Delegation
Kerberos delegation allows a service to impersonate a user when connecting to another backend service. Windows Server 2016 supports three types of delegation: unconstrained, constrained, and resource-based constrained delegation (RBCD).
To configure constrained delegation for a service account using PowerShell (note that the second command also enables protocol transition, the "Use any authentication protocol" option, which is a broader grant than Kerberos-only constrained delegation):
# Clear unconstrained delegation on the account
Set-ADUser -Identity "svc_webapp" `
-TrustedForDelegation $false
# Allow protocol transition ("Use any authentication protocol")
Set-ADAccountControl -Identity "svc_webapp" `
-TrustedToAuthForDelegation $true
# Restrict delegation to the listed target SPNs only
Set-ADUser -Identity "svc_webapp" -Add @{
'msDS-AllowedToDelegateTo' = @(
'MSSQLSvc/sqlserver01.yourdomain.com:1433',
'MSSQLSvc/sqlserver01.yourdomain.com'
)
}
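Because the three delegation types are stored in different places (a userAccountControl flag, the msDS-AllowedToDelegateTo attribute, and a security descriptor on the target for RBCD), reviewing them by hand is error-prone. The PowerShell below is an added example, not from the original article, that inventories every delegating account with its type. It assumes the ActiveDirectory RSAT module; the flag values are the documented userAccountControl bits, and the OID in the LDAP filter is the standard bitwise-AND matching rule.

```powershell
# Added example, not from the original article. Inventories every account that
# can delegate, with the delegation type, so grants can be reviewed. Requires
# the ActiveDirectory module. The bit values are the documented
# userAccountControl flags; matching-rule OID 1.2.840.113556.1.4.803 is
# LDAP_MATCHING_RULE_BIT_AND.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")

function Get-KerberosDelegationReport {
    $filter = '(|' +
        "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_TO_AUTH_FOR_DELEGATION)" +
        '(msDS-AllowedToDelegateTo=*)' +
        '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
             'msDS-AllowedToActOnBehalfOfOtherIdentity', 'primaryGroupID'
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac = [int]$_.userAccountControl
        $unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
        $transition    = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        $targets       = @($_.'msDS-AllowedToDelegateTo')
        $rbcd          = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        # Resource-based delegation lives on the *target* as a security
        # descriptor; the AD module returns it as an ActiveDirectorySecurity object.
        $rbcdFrom = if ($rbcd) { @($rbcd.Access | ForEach-Object { $_.IdentityReference.Value }) } else { @() }
        $type = if ($unconstrained) { 'Unconstrained' }
                elseif ($targets.Count -gt 0 -and $transition) { 'Constrained (any protocol)' }
                elseif ($targets.Count -gt 0) { 'Constrained (Kerberos only)' }
                elseif ($rbcdFrom.Count -gt 0) { 'Resource-based (RBCD target)' }
                else { 'Protocol transition flag without targets' }
        [pscustomobject]@{
            Name                  = $_.Name
            Class                 = $_.ObjectClass
            IsDomainController    = ($_.primaryGroupID -eq 516)   # DCs are unconstrained by design
            DelegationType        = $type
            DelegatesTo           = $targets
            DelegationAllowedFrom = $rbcdFrom
        }
    }
}

# Unconstrained delegation on anything other than a domain controller is the
# finding to review first: such a host caches forwarded TGTs of everyone who
# authenticates to it.
Get-KerberosDelegationReport |
    Where-Object { $_.DelegationType -eq 'Unconstrained' -and -not $_.IsDomainController }
```

After applying the Set-ADUser commands above, svc_webapp should appear in this report as "Constrained (any protocol)" with the two MSSQLSvc SPNs under DelegatesTo; if it shows as Unconstrained, the first command did not take effect.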
Step 6: Adjust Kerberos Policy Settings
Kerberos ticket lifetime and renewal settings are configured in the Default Domain Policy. Open GPMC and navigate to:
Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy
Default values and recommended settings:
Enforce user logon restrictions: Enabled
Maximum lifetime for service ticket: 600 minutes (10 hours)
Maximum lifetime for user ticket: 10 hours
Maximum lifetime for user ticket renewal: 7 days
Maximum tolerance for computer clock synchronization: 5 minutes
Step 7: Troubleshoot Kerberos Failures
Kerberos authentication failures are logged in the System and Security event logs. Key event IDs to monitor:
Event ID 4768 - Kerberos authentication ticket (TGT) was requested
Event ID 4769 - Kerberos service ticket was requested
Event ID 4771 - Kerberos pre-authentication failed
Event ID 4772 - Kerberos authentication ticket request failed
Use the nltest utility to verify domain controller connectivity and Kerberos health:
nltest /sc_verify:yourdomain.com
nltest /dsgetdc:yourdomain.com /kdc /force
Kerberos clock skew is one of the most common causes of authentication failures. Ensure all computers are synchronized to the same time source. The domain hierarchy handles this automatically when W32tm is properly configured, with domain controllers pointing to reliable NTP servers and all domain members synchronizing with domain controllers.
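The event IDs and the clock-skew problem above can be checked together from one script. The PowerShell below is an added example, not code from the original article: it summarises Kerberos failure events from a domain controller's Security log by status code, and measures this computer's offset from a DC with w32tm against the 5-minute policy tolerance. The status codes listed are the standard Kerberos error codes as they appear in the event's Status field; the function names are the example's own.

```powershell
# Added example, not from the original article. Summarises Kerberos failures
# from a domain controller's Security log by status code, and checks clock
# offset against a DC. Status codes are the standard Kerberos (RFC 4120) error
# codes as written in the Status field of events 4768/4771/4772.
function Get-KerberosFailureSummary {
    param(
        [string]$DomainController = $env:COMPUTERNAME,   # run on, or point at, a DC
        [int]$Hours = 24
    )
    $statusNames = @{
        '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)'
        '0xe'  = 'KDC_ERR_ETYPE_NOSUPP (no common encryption type)'
        '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, locked out or expired)'
        '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
        '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
        '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
    }
    $filter = @{ LogName = 'Security'; Id = 4768, 4771, 4772; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named fields from the event XML rather than parsing message text.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Id     = $_.Id
                Status = $data['Status']
                Reason = if ($statusNames.ContainsKey($data['Status'])) { $statusNames[$data['Status']] } else { 'other' }
                User   = $data['TargetUserName']
                Client = $data['IpAddress']
            }
        } |
        Where-Object { $_.Status -ne '0x0' } |   # 4768 also records successful TGT requests
        Group-Object -Property Id, Status |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Count   = $_.Count
                Event   = $_.Group[0].Id
                Status  = $_.Group[0].Status
                Reason  = $_.Group[0].Reason
                Clients = @($_.Group.Client | Sort-Object -Unique)
                Users   = @($_.Group.User | Sort-Object -Unique)
            }
        }
}

function Test-KerberosClockSkew {
    # Measures this computer's offset from a DC with w32tm and compares it with
    # the Kerberos policy tolerance (5 minutes by default). With /dataonly,
    # w32tm prints lines of the form "HH:mm:ss, +00.0012345s".
    param([Parameter(Mandatory)][string]$DomainController, [int]$MaxSkewSeconds = 300)
    $pattern = '([+-]\d+\.\d+)s'
    $out = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly
    $sample = $out | Where-Object { $_ -match $pattern } | Select-Object -Last 1
    if (-not $sample) { throw "could not read an offset from w32tm against $DomainController" }
    $null = $sample -match $pattern
    $offset = [double]$Matches[1]
    [pscustomobject]@{
        DomainController = $DomainController
        OffsetSeconds    = $offset
        WithinTolerance  = ([math]::Abs($offset) -le $MaxSkewSeconds)
    }
}

# Usage: failures on the local DC over the last day, then a skew check against a named DC (placeholder name).
Get-KerberosFailureSummary -Hours 24 | Format-Table -AutoSize
Test-KerberosClockSkew -DomainController 'dc01.yourdomain.com'
```

A burst of 0x25 rows pinpoints hosts whose clocks have drifted past the tolerance set in Step 6, while many 0x18 rows from one client address usually mean a stored credential that was not updated after a password change; 0xe rows are the accounts to revisit once the Step 3 encryption policy is tightened.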