Continuing my tussle with setting up Kerberos authentication in the SharePoint environment, I ran into another issue today.

Windows has a rule that makes it fall back to NTLM authentication whenever there is a problem with Kerberos, so a site that authenticates users is no proof that Kerberos is being used. I had to validate that we were indeed using Kerberos as the authentication method, and to do that I had to enable logon auditing on the servers.

To get to the Local Security Settings, go to Start -> Run (or just press <Windows Key>+R)
Type secpol.msc and press Enter
Navigate to Security Settings -> Local Policies -> Audit Policy

Local Security Policy Window

The events you want to log are:

Account logon events: This event is audited to see each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated in the domain controller’s Security log when a domain user account is authenticated on a domain controller. These events are separate from Logon events, which are generated in the local Security log when a local user is authenticated on a local computer. Note: Account logoff events are not tracked on the domain controller.

Logon events: This event is audited to see when someone has logged on to or off from your computer (either while physically at the computer or by logging on over the network). For the SharePoint web server this is the category that matters, since the network logons from browser clients are recorded in its local Security log.
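Once logon auditing is on, the Security log records which package actually authenticated each network logon, which is the check this whole exercise is for. The following PowerShell is an added example and not part of the original post. It assumes Windows Server 2008 or later, where a successful logon is event ID 4624 carrying an AuthenticationPackageName field (a Windows Server 2003 box logs event 540 instead), an account that can read the Security log, and the function name Get-LogonAuthSummary is my own.

```powershell
# Added example: summarise which authentication package each network logon used.
# Assumes event ID 4624 (Windows Server 2008 / Vista or later); the function
# name and the filters below are assumptions made for this example.
function Get-LogonAuthSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 1000
    )
    # 4624 = "An account was successfully logged on". Get-WinEvent raises an
    # error when nothing matches, so treat that case as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The named fields live in the event XML as <Data Name="...">value</Data>.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType   = [int]$d['LogonType']            # 3 = network (browser -> IIS)
            AuthPackage = $d['AuthenticationPackageName'] # Kerberos or NTLM
            LmPackage   = $d['LmPackageName']             # NTLM V1/V2 detail when NTLM was used
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
        }
    }
}

# Network logons to this web server grouped by package: every row should say
# Kerberos; an NTLM row means that client fell back and is worth a closer look.
Get-LogonAuthSummary |
    Where-Object { $_.LogonType -eq 3 } |
    Group-Object -Property AuthPackage |
    Select-Object Name, Count

# Detail on any fallbacks: who, from where, and which NTLM flavour.
Get-LogonAuthSummary |
    Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' } |
    Format-Table Time, User, SourceIp, Workstation, LmPackage -AutoSize
```

Run it on the SharePoint web server itself, not on the domain controller: the 4624 events come from the Logon events category and land in the local Security log of the machine the client connected to, whereas the account logon category only populates the domain controller's log.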

Double-click Audit account logon events to bring up the Properties window for that setting.
I found that the Success and Failure options in that window were greyed out.

Audit Logon Events Properties (Disabled)

I was logged in as a local Administrator, but it just wouldn't let me enable those options.
Apparently, Group Policy at the domain level takes precedence over Local Security Settings, and since I do not have Domain Administrator permissions, I could not log in to the domain controller to make any changes.

The next step was to manually override the domain-level Group Policy, with the caveat that the change only lasts about 2 hours, because the domain controller refreshes the policies every 120 minutes and the local override is replaced on the next refresh.

Open a Command Prompt: Start -> Run (or just press <Windows Key>+R)
Type cmd and press Enter
Change to the security database directory: cd C:\Windows\Security\Database

Export the existing security policy. This extracts all policies from the database and writes them to a security template file (SecurityDBName and SecurityTemplateFile below are placeholders for your own file names). Use the following command:
secedit /export /db SecurityDBName /cfg SecurityTemplateFile

Edit the security template file:
notepad SecurityTemplateFile

Look for the AuditLogonEvents entry (it sits under the [Event Audit] section of the template) and change its value to 3 (both success and failure are audited)
Look for the AuditAccountLogon entry in the same section and change its value to 3 (both success and failure are audited)

Validate the security template file you just edited:
secedit /validate SecurityTemplateFile

If everything checks out okay, apply the template to the security policy with:
secedit /configure /db SecurityDBName /cfg SecurityTemplateFile /overwrite

And you should be in business, with both options checked (though still greyed out, because the domain policy is still the one that owns the setting).
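Because the override is undone at every policy refresh, it is worth scripting the export, edit, validate and configure steps so they can be re-run on demand. The following PowerShell is an added example, not part of the original post. It assumes an elevated prompt on the server, the default local policy database secedit.sdb, a working template file under %TEMP%, and the helper name Set-AuditEntries, all of which are my own choices; the [Event Audit] section and the value 3 for "success and failure" are the secedit template conventions.

```powershell
# Added example: automate the secedit export / edit / validate / configure cycle.
# Paths and the helper name are assumptions made for this example.

# Rewrite (or add, if the export lacks them) the requested entries in the
# [Event Audit] section of a secedit .inf template, leaving other lines untouched.
function Set-AuditEntries {
    param(
        [string[]]$Lines,     # contents of the exported template
        [hashtable]$Desired   # e.g. @{ AuditLogonEvents = 3; AuditAccountLogon = 3 }
    )
    $out     = New-Object 'System.Collections.Generic.List[string]'
    $pending = @{} + $Desired   # copy; keys are removed as they are written out
    $section = ''
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving [Event Audit]: append any key the template did not contain.
            if ($section -eq 'Event Audit') {
                foreach ($k in @($pending.Keys)) { $out.Add("$k = $($pending[$k])"); $pending.Remove($k) }
            }
            $section = $Matches[1]
            $out.Add($line)
            continue
        }
        if ($section -eq 'Event Audit' -and $line -match '^\s*(\w+)\s*=' -and $pending.ContainsKey($Matches[1])) {
            $k = $Matches[1]
            $out.Add("$k = $($pending[$k])")   # replace the existing value
            $pending.Remove($k)
            continue
        }
        $out.Add($line)
    }
    # Template ended inside [Event Audit], or never had that section at all.
    if ($pending.Count -gt 0) {
        if ($section -ne 'Event Audit') { $out.Add('[Event Audit]') }
        foreach ($k in @($pending.Keys)) { $out.Add("$k = $($pending[$k])") }
    }
    return $out.ToArray()
}

$db  = 'C:\Windows\Security\Database\secedit.sdb'   # default local policy database
$inf = Join-Path $env:TEMP 'audit-template.inf'     # assumed working file name
$log = Join-Path $env:TEMP 'audit-template.log'

# 1. Export the effective policy into a template (secedit writes it as Unicode).
secedit /export /db $db /cfg $inf

# 2. Set both audit categories to 3 = success and failure, keeping everything else.
$edited = Set-AuditEntries -Lines (Get-Content -Path $inf) `
                           -Desired @{ AuditLogonEvents = 3; AuditAccountLogon = 3 }
Set-Content -Path $inf -Value $edited -Encoding Unicode

# 3. Validate the template, then apply it. /areas SECURITYPOLICY limits the
#    change to the policy area the template edits; /quiet suppresses the
#    overwrite confirmation prompt. Check the log for the outcome.
secedit /validate $inf
secedit /configure /db $db /cfg $inf /overwrite /areas SECURITYPOLICY /log $log /quiet
Get-Content -Path $log | Select-Object -Last 5
```

Restricting the configure step with /areas SECURITYPOLICY is the one departure from the commands in the post: the exported template also carries account policies, user rights and registry values, and re-applying all of them with /overwrite is more than this change needs.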

Audit Logon Events Properties (Enabled)
