How to Configure Kerberos Authentication on Windows Server 2012 R2

Kerberos is the default authentication protocol for Windows domain environments and has been so since Windows 2000. It provides mutual authentication, meaning both the client and the server verify each other’s identity, and it uses tickets that are time-limited, eliminating the need to repeatedly present credentials. Understanding how Kerberos works and how to configure it correctly is essential for troubleshooting authentication failures, setting up delegation for multi-tier applications, and securing your domain. This guide covers Kerberos configuration on Windows Server 2012 R2 including ticket lifetimes, delegation, SPN management, and troubleshooting.

Prerequisites

Kerberos configuration is applied primarily through Group Policy and Active Directory object attributes. You need Domain Admin rights for most configuration tasks. Time synchronisation (within 5 minutes) between clients and the KDC is critical — time skew beyond this threshold causes Kerberos to fail. The Windows Time service (W32Time, managed with the w32tm tool) must be correctly configured for time synchronisation.

Import-Module ActiveDirectory

# Check time synchronisation status
w32tm /query /status
w32tm /stripchart /computer:DC-LON-01.contoso.com /samples:5

Understanding the Kerberos Authentication Flow

The Kerberos authentication process involves three parties: the client, the Key Distribution Center (KDC, which is the domain controller), and the target service. The process has three stages:

AS Exchange: The client requests a Ticket-Granting Ticket (TGT) from the KDC’s Authentication Service. The KDC verifies the user’s credentials and issues a TGT encrypted with the KDC’s key.

TGS Exchange: The client presents the TGT to the KDC’s Ticket-Granting Service and requests a service ticket for the target service. The KDC issues a service ticket encrypted with the target service account’s key.

Client/Server Exchange: The client presents the service ticket to the target service, which decrypts it using its own key to verify authenticity.

Configuring Kerberos Policy via Group Policy

Kerberos policy settings are configured in the Default Domain Policy under Computer Configuration > Windows Settings > Security Settings > Account Policies > Kerberos Policy. These settings apply domain-wide and should be carefully considered before modification:

# View current Kerberos policy settings using secedit (run from an elevated prompt)
secedit /export /cfg C:\temp\kerb-policy.cfg /areas SECURITYPOLICY
findstr /i "MaxTicketAge MaxRenewAge MaxServiceAge MaxClockSkew TicketValidateClient" C:\temp\kerb-policy.cfg

The configurable Kerberos policy settings and their defaults in Windows Server 2012 R2 are:

Enforce user logon restrictions (enabled by default) — the KDC validates each service ticket request against user rights.
Maximum lifetime for service ticket — default 600 minutes (10 hours).
Maximum lifetime for user ticket — default 10 hours (TGT lifetime).
Maximum lifetime for user ticket renewal — default 7 days.
Maximum tolerance for computer clock synchronisation — default 5 minutes.

# Configure Kerberos settings via GPO registry settings
# These are applied via the Default Domain Policy GPO
# Computer Configuration > Security Settings > Account Policies > Kerberos Policy
# MaxServiceAge = 600 (minutes)
# MaxTicketAge = 10 (hours)
# MaxRenewAge = 7 (days)
# MaxClockSkew = 5 (minutes)
# TicketValidateClient = 1 (enabled)
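An added check that is not part of the original guide: it exports the effective policy with secedit (from an elevated prompt), parses the [Kerberos Policy] section and reports every setting that deviates from the 2012 R2 defaults listed above. The scratch path and the function name are assumptions.

```powershell
# Added example (not from the original guide). Requires an elevated prompt
# because secedit /export reads the local security database.
$cfgPath = Join-Path $env:TEMP 'kerb-policy.cfg'   # assumed scratch location
secedit /export /cfg $cfgPath /areas SECURITYPOLICY | Out-Null

# Windows Server 2012 R2 defaults as listed in the guide
$defaults = [ordered]@{
    MaxServiceAge        = 600   # minutes
    MaxTicketAge         = 10    # hours
    MaxRenewAge          = 7     # days
    MaxClockSkew         = 5     # minutes
    TicketValidateClient = 1     # 1 = "Enforce user logon restrictions" enabled
}

function Get-KerberosPolicySection ([string]$Path) {
    # Returns the key/value pairs under [Kerberos Policy]; secedit writes the
    # file as UTF-16 with a BOM, which Get-Content detects automatically.
    $inSection = $false
    $values = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Kerberos Policy')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $values
}

$current = Get-KerberosPolicySection -Path $cfgPath
foreach ($name in $defaults.Keys) {
    $actual = $current[$name]
    $status = 'default'
    if ($null -eq $actual)                { $status = 'MISSING' }
    elseif ($actual -ne $defaults[$name]) { $status = 'CHANGED' }
    [pscustomobject]@{ Setting = $name; Default = $defaults[$name]; Actual = $actual; Status = $status }
}
Remove-Item -Path $cfgPath -ErrorAction SilentlyContinue
```

A CHANGED row on MaxClockSkew or MaxTicketAge is the first thing to look at when logons fail domain-wide after a policy edit.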

Managing Service Principal Names

Kerberos uses SPNs to identify services on the network. When a client requests a service ticket for a target service, it queries AD for the SPN. If no SPN is found or duplicates exist, Kerberos falls back to NTLM (if enabled) or fails entirely:

# List all SPNs in the domain
Get-ADUser -Filter * -Properties ServicePrincipalNames |
    Where-Object {$_.ServicePrincipalNames -ne $null -and $_.ServicePrincipalNames.Count -gt 0} |
    Select-Object SamAccountName, @{N="SPNs";E={$_.ServicePrincipalNames -join ";"}}

# Find duplicate SPNs (causes Kerberos failures)
setspn -X -F

# Register an HTTP SPN for a web service (the -S switch refuses to add a duplicate)
setspn -S HTTP/webapp.contoso.com contoso\svc-webapp

# Register a SQL Server SPN
setspn -S MSSQLSvc/SQLDB01.contoso.com:1433 contoso\svc-sql-prod

# Delete an incorrect SPN
setspn -D HTTP/wrongname.contoso.com svc-webapp
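An added example, not code from the original guide: it builds an index of every SPN in the domain and uses it for two checks, duplicate SPNs across any object class, and, for one service, whether the short-name and FQDN SPNs both exist on the same account (a client using the name form that has no SPN falls back to NTLM, as described above). SQLDB01 and the function names are assumptions.

```powershell
# Added example (not from the original guide).
function Get-SpnIndex {
    # Returns a hashtable: lower-cased SPN -> array of sAMAccountNames that hold it.
    # Users, computers and gMSAs are all covered by querying servicePrincipalName directly.
    $index = @{}
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                 -Properties servicePrincipalName, sAMAccountName |
        ForEach-Object {
            foreach ($spn in $_.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()          # SPN matching is case-insensitive
                if (-not $index.ContainsKey($key)) { $index[$key] = @() }
                $index[$key] += $_.sAMAccountName
            }
        }
    return $index
}

function Find-DuplicateSpn ([hashtable]$Index) {
    # Any SPN held by two accounts leaves the KDC unable to choose a service key.
    $Index.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object { [pscustomobject]@{ SPN = $_.Key; Owners = ($_.Value -join ', ') } }
}

function Test-SpnCoverage ([hashtable]$Index, [string]$Class, [string]$Fqdn, [int]$Port = 0) {
    # Checks that both HOST-style name forms exist and resolve to the same account.
    $suffix = if ($Port) { ":$Port" } else { '' }
    $short  = "$Class/$($Fqdn.Split('.')[0])$suffix".ToLowerInvariant()
    $long   = "$Class/$Fqdn$suffix".ToLowerInvariant()
    $shortOwner = $Index[$short]
    $longOwner  = $Index[$long]
    [pscustomobject]@{
        FqdnSpn    = $long;  FqdnOwner  = ($longOwner  -join ',')
        ShortSpn   = $short; ShortOwner = ($shortOwner -join ',')
        Consistent = ($longOwner.Count -eq 1 -and $shortOwner.Count -eq 1 -and
                      $longOwner[0] -eq $shortOwner[0])
    }
}

$idx = Get-SpnIndex
Find-DuplicateSpn -Index $idx | Format-Table -AutoSize
Test-SpnCoverage -Index $idx -Class 'MSSQLSvc' -Fqdn 'SQLDB01.contoso.com' -Port 1433
```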

Configuring Kerberos Delegation

Delegation allows a service to use a client’s Kerberos credentials to access another backend service (double-hop authentication). Windows Server 2012 R2 supports three delegation types: unconstrained delegation (the service may impersonate the caller to any service), constrained delegation (limited to the SPNs listed in msDS-AllowedToDelegateTo, configured either as Kerberos only or with protocol transition) and resource-based constrained delegation, where the target service decides which accounts may delegate to it:

# Configure constrained delegation (Kerberos only - more secure)
Set-ADUser -Identity "svc-webapp" `
    -Add @{"msDS-AllowedToDelegateTo" = @(
        "MSSQLSvc/SQLDB01.contoso.com:1433"
    )}

# Set the delegation type to Kerberos only (not Use Any Authentication Protocol)
# This is done in ADUC > Account tab > Trust this user for delegation to specified services only
# > Use Kerberos only

# Via PowerShell - check the delegation flag
Get-ADUser -Identity "svc-webapp" -Properties TrustedForDelegation,
    TrustedToAuthForDelegation, "msDS-AllowedToDelegateTo" |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
    "msDS-AllowedToDelegateTo"

# Configure resource-based constrained delegation (WS2012 R2 feature)
# Allows the TARGET service to specify which accounts can delegate to it
$webAppAccount = Get-ADUser -Identity "svc-webapp"
$sqlAccount = Get-ADUser -Identity "svc-sql-prod"

# Allow svc-webapp to delegate to the SQL service resource
Set-ADUser -Identity $sqlAccount `
    -PrincipalsAllowedToDelegateToAccount $webAppAccount
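An added audit script, not part of the original guide, that lists every account able to delegate and classifies it as unconstrained, constrained with "any authentication protocol", constrained Kerberos-only, or an RBCD target with the front-end principals it trusts. It reads the raw AD attributes through Get-ADObject; the function name and the userAccountControl bit constants it uses are standard values, and the filtering of domain controllers (which carry the unconstrained bit by default) is an assumption about what you want to see.

```powershell
# Added example (not from the original guide).
$uacUnconstrained = 0x80000    # TRUSTED_FOR_DELEGATION
$uacProtocolTrans = 0x1000000  # TRUSTED_TO_AUTH_FOR_DELEGATION ("use any authentication protocol")
$uacServerTrust   = 0x2000     # SERVER_TRUST_ACCOUNT: domain controllers, excluded below

# LDAP_MATCHING_RULE_BIT_AND on userAccountControl, plus the two constrained-delegation attributes
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$uacUnconstrained)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$uacProtocolTrans)" +
          '(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
$props = 'userAccountControl', 'msDS-AllowedToDelegateTo',
         'msDS-AllowedToActOnBehalfOfOtherIdentity', 'sAMAccountName'

function Get-DelegationReport {
    Get-ADObject -LDAPFilter $filter -Properties $props |
        Where-Object { -not ($_.userAccountControl -band $uacServerTrust) } |
        ForEach-Object {
            $obj = $_
            $uac = $obj.userAccountControl
            $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

            # RBCD lives on the TARGET as a security descriptor; its ACEs name the
            # front-end principals allowed to delegate to this account.
            $sd = $obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'
            if ($sd -is [byte[]]) {
                $tmp = New-Object System.DirectoryServices.ActiveDirectorySecurity
                $tmp.SetSecurityDescriptorBinaryForm($sd)
                $sd = $tmp
            }
            $frontEnds = if ($sd) { @($sd.Access | ForEach-Object { $_.IdentityReference.Value }) } else { @() }

            $type = if ($uac -band $uacUnconstrained)     { 'Unconstrained' }
                    elseif ($uac -band $uacProtocolTrans) { 'Constrained (any protocol)' }
                    elseif ($targets.Count -gt 0)         { 'Constrained (Kerberos only)' }
                    else                                  { 'RBCD target' }
            [pscustomobject]@{
                Account          = $obj.sAMAccountName
                Type             = $type
                DelegatesTo      = ($targets -join '; ')
                TrustedFrontEnds = ($frontEnds -join '; ')
            }
        }
}

Get-DelegationReport | Sort-Object Type, Account | Format-Table -AutoSize
```

Unconstrained entries other than domain controllers are the rows to review first, since such a service can reuse any caller's TGT against any other service.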

Kerberos Armoring (FAST)

Kerberos FAST (Flexible Authentication Secure Tunneling) is a Windows Server 2012 R2 feature that protects Kerberos exchanges by tunneling them inside an armored Kerberos message. This prevents offline password attacks against AS-REQ messages and is required for Dynamic Access Control device claims:

# Configure Kerberos armoring via GPO
# Computer Configuration > Policies > Administrative Templates > System > KDC
# KDC support for claims, compound authentication and Kerberos armoring = Enabled
# Set to "Supported" (not Required) for compatibility

# On clients:
# Computer Configuration > Policies > Administrative Templates > System > Kerberos
# Kerberos client support for claims, compound authentication = Enabled

Troubleshooting Kerberos Authentication

The klist command displays and purges Kerberos tickets on a Windows system:

# View Kerberos tickets in the current session
klist

# List logon sessions, then view the tickets held by one of them (needs an elevated prompt)
klist sessions
klist -li 0x3e7 tickets   # 0x3e7 is the LogonId of the local SYSTEM session

# Purge all Kerberos tickets (force re-authentication)
klist purge

# Purge tickets on a remote machine
Invoke-Command -ComputerName "WEB01" -ScriptBlock { klist purge }

# Enable Kerberos event logging on a DC (or a client); the events are written to the System log
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" `
    -Name "LogLevel" -Value 1 -Type DWord

# Query for Kerberos errors in the Security log
Get-WinEvent -LogName Security -FilterHashtable @{
    Id = @(4768, 4769, 4771, 4772)
    StartTime = (Get-Date).AddHours(-1)
} | Select-Object Id, TimeCreated, Message | Format-List

Common Kerberos error codes: 0x6 (bad username), 0x12 (account disabled/expired/restricted), 0x17 (password expired), 0x18 (wrong password), 0x25 (clock skew too large), 0x32 (service not available — often an SPN issue).
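An added triage script, not part of the original guide, that pulls the Kerberos audit events queried above from a DC's Security log, extracts the result code from each event's XML (the Properties index differs between event IDs, so the named EventData fields are used instead) and tallies failures by code, user and source address. The lookup table covers the codes listed above plus 0x7, the KDC's "server principal unknown" result returned when no SPN matches; the function name and the parameter defaults are assumptions.

```powershell
# Added example (not from the original guide).
$codes = @{
    '0x6'  = 'client principal unknown (bad username)'
    '0x7'  = 'server principal unknown (no matching SPN)'
    '0x12' = 'client revoked (disabled/expired/restricted)'
    '0x17' = 'password expired'
    '0x18' = 'pre-authentication failed (wrong password)'
    '0x25' = 'clock skew too large'
}

function Get-KerberosFailureSummary {
    param([int]$Hours = 1, [string]$ComputerName = $env:COMPUTERNAME)

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        Id        = @(4768, 4769, 4771, 4772)
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4768/4769/4771 report the result in "Status"; fall back to "FailureCode" if present
        $code = if ($data['Status']) { $data['Status'] } else { $data['FailureCode'] }
        if (-not $code -or $code -eq '0x0') { return }   # success or no result code: skip

        [pscustomobject]@{
            Id      = $_.Id
            User    = $data['TargetUserName']
            Source  = ($data['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
            Code    = $code
            Meaning = if ($codes.ContainsKey($code)) { $codes[$code] } else { 'unlisted code' }
        }
    } | Group-Object Code, User, Source |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{N = 'Code';    E = { $_.Group[0].Code }},
            @{N = 'Meaning'; E = { $_.Group[0].Meaning }},
            @{N = 'User';    E = { $_.Group[0].User }},
            @{N = 'Source';  E = { $_.Group[0].Source }}
}

Get-KerberosFailureSummary -Hours 1 | Format-Table -AutoSize
```

A burst of 0x18 from one source against many users, or 0x25 from a single host, each points at a different fix (lockout investigation versus time service repair) before you read a single message body.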

Verifying Kerberos is Being Used

# Test Kerberos connectivity to a specific service
# Access a share and verify a Kerberos ticket is granted
net use \\FILESERVER01\Share$ /user:contoso\jsmith

# Check if Kerberos ticket was issued for the service
klist | findstr "FILESERVER01"

# Use nltest to test DC connectivity
nltest /sc_verify:contoso.com

Summary

Kerberos authentication on Windows Server 2012 R2 is a mature, secure protocol that underpins domain authentication. Key configuration tasks include maintaining time synchronisation within the 5-minute tolerance, correctly managing SPNs to ensure Kerberos ticket requests resolve to the correct service account, and configuring constrained delegation appropriately for multi-tier application architectures. Resource-based constrained delegation is a significant enhancement in Windows Server 2012 R2 that moves delegation control to the target service, providing a more scalable and secure model. Use klist for interactive troubleshooting and Security event log analysis for systematic Kerberos failure diagnosis.