Capture Auth Packets with Wireshark

Sometimes it is necessary to capture the packets on the wire to better understand what is going on and why authentication is failing. Use the following steps to make a capture.

  1. Ensure time is synced between your domain-joined machine, the domain controller and the proxy that fails authentication.

  2. Ensure your browser points to your proxy by FQDN and not by IP address.

  3. Close all browsers on your workstation.

  4. In a command prompt on your workstation, type klist purge. It will delete all your Kerberos tickets. If you type klist again, it should say Cached Tickets: (0).

  5. Choose Start, type Credential Manager and clear every stored record for your proxy in Windows Credentials.

  6. Start Wireshark on your workstation, open the browser and type

  7. After the connection is finished (successfully or not), close the browser, stop the Wireshark capture, save it and zip it.

  8. Send the archive to
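
The checks that precede the capture (time sync, proxy set by FQDN, closed browsers, empty ticket cache, stored credentials) can be run in one pass. This PowerShell script is an added example, not part of the original page; the host names are placeholders, and the proxy check assumes the browser uses the Windows system proxy setting.

```powershell
# Added example: pre-capture checks. Host names are placeholders (assumptions).
param(
    [string]$ProxyFqdn        = 'proxy.example.lan',
    [string]$DomainController = 'dc1.example.lan'
)

# Time sync: sample the clock offset against the domain controller.
# (Check the proxy's clock separately; it may not answer NTP queries.)
$offsets = & w32tm /stripchart /computer:$DomainController /samples:3 /dataonly |
    ForEach-Object { if ($_ -match '([+-]\d+[.,]\d+)s\s*$') { [double]($Matches[1] -replace ',', '.') } }
if ($offsets) {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    "Clock offset vs ${DomainController}: $worst s"
} else {
    Write-Warning "No time samples from $DomainController; check the offset manually."
}

# Proxy by FQDN: flag a system proxy entry that is an IP address.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    foreach ($entry in $inet.ProxyServer -split ';') {
        $hostPart = (($entry -replace '^[a-z]+=', '') -replace '^[a-z]+://', '') -replace ':\d+$', ''
        $ip = $null
        if ([System.Net.IPAddress]::TryParse($hostPart, [ref]$ip)) {
            Write-Warning "Proxy is set by IP address ($hostPart); use $ProxyFqdn instead."
        } else { "Proxy entry uses a host name: $hostPart" }
    }
} else {
    "No static system proxy set; check the browser's own or PAC settings for $ProxyFqdn."
}

# Browsers closed: list any that are still running.
$browsers = Get-Process -Name chrome, msedge, firefox, iexplore -ErrorAction SilentlyContinue
if ($browsers) {
    Write-Warning "Close these browsers first: $(($browsers.Name | Sort-Object -Unique) -join ', ')"
}

# Ticket cache: purge, then confirm the cache reports zero tickets.
& klist purge | Out-Null
if ((& klist | Out-String) -match 'Cached Tickets: \(0\)') { 'Kerberos ticket cache is empty.' } else {
    Write-Warning 'Tickets are still cached; run klist purge again.'
}

# Stored credentials: report entries that mention the proxy (removal stays manual).
$stored = & cmdkey /list | Select-String -SimpleMatch ($ProxyFqdn.Split('.')[0])
if ($stored) { Write-Warning 'Stored credentials mention the proxy:'; $stored.Line } else {
    'No stored Windows credentials mention the proxy.'
}
```

Run it from the same user session that will open the browser, since the ticket cache, stored credentials and proxy setting are all per-user.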