How to Enable Extended Logging of SPNs Used During Connections
Purpose
This article documents how to enable the logging of Service Principal Names (SPNs) used during Kereberos-based connections.
Use Case
When troubleshooting Kerberos authentication, it may be helpful to have this information recorded in the Veeam Backup & Replication logs. However, by default, the Service Principal Names (SPNs) are not recorded in the logs.
Solution
Service Restart Required
Enabling Kerberos Extended Logging requires that all Veeam services on the Veeam Backup Server and associated Microsoft Windows component servers be restarted. Please plan accordingly.
To enable extended logging of SPNs used during connections, create the following registry value on the Veeam Backup Server and all servers listed under Backup Infrastructure > Microsoft Windows.
Key Location: HKLM\SOFTWARE\Veeam\Veeam Backup and Replication\
Value Name: KerberosExtendedLogging
Value Type: DWORD (32-Bit) Value
Value Data: 1
PowerShell cmdlet to Enable KerberosExtendedLogging
After the registry value has been created, either:
- Reboot each of the Windows servers where the registry value was created.
or - Restart all Veeam services on those Windows servers where there registry value was created.
This PowerShell command will stop and restart all services that start with Veeam. If other Veeam products are installed (e.g., Veeam ONE, Veeam Backup for Microsoft 365, or Veeam Agent for Microsoft Windows), this command will also stop their service.
After Kerberos Authentication troubleshooting is completed, disable KerberosExtendedLogging to prevent excessive data being written to the Veeam Backup & Replication log files.
To submit feedback regarding this article, please click this link: Send Article Feedback
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.