Microsoft Reduce Customer Effort Center

Our team drives product feedback based on solid data, it drives proactive issue prevention and ultimately, drives improvements around products based on customer feedback.

Blogs

Hot issue Errors related to Kerberos authentication

  • Comments 2
  • Likes

Kerberos is the default protocol for network authentication in Windows Server 2003. The Kerberos authentication protocol provides a mechanism for mutual authentication between a client and a server, or between one server and another, before a network connection is opened between them. It is more flexible and efficient than NTLM, and more secure. However, if Kerberos authentication fails between computers in a domain, we may encounter problems in DC replication, sharing resources, logon or other operations.

We have recently encountered a hot issue regarding Kerberos authentication in case review. This issue can occur in various scenarios:

         Users could not logon to the Office Communicator, Exchange Server and to their intranet Website. For instance, users are getting prompted for authentication credentials on random machines with Outlook running. After entering credentials they are able to login and Outlook works fine

         In a domain environment, a domain controller cannot replicate other DCs and reports errors

         In an OU that contains Windows member servers running Terminal Services in Remote Admin Mode, if the user is created in the OU where the member servers reside they are unable to logon via RDP

         Group Policy application is failing or there are 1030 and 40961 Events on the clients

         A computer hangs at Windows Splash Screen when trying to boot in a domain.

         Unable to promote a Windows Server 2003 computer as an additional DC in a domain

         Some users who are logging on to the domain via the VPN cannot map drives

If you run Netdiag, it may return the following 2 errors: 

Errors:

DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (123.456.789.00). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]

Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.]

Why did this happen?

The above issues may be related to Kerberos authentication. This issue happens 
mostly in a network with VPN connection. For example, when the child domain DC tried to
replicate from the root domain DC, it will contact the root domain DC to request Kerberos
ticket for authentication. But the ticket transferred from the root domain DC, so the child
domain DC assumed there was no DC available in the root domain DC. The result was
that replication failed. In this case, Kerberos errors were causing the problem, possibly
because Kerberos tickets were too large for reasons such as the user being a member
of too many groups.
 
Kerberos uses connectionless UDP datagram packets by default. Depending on a variety 
of factors including SIDHistory and group membership some accounts will have larger
Kerberos authentication packet sizes. Depending on the VPN hardware configuration,
these larger packets need to be fragmented when going through a VPN. Since UDP is a
connectionless protocol, however, if fragmented UDP packets arrive at the destination
out of order they will be dropped. If we change MaxPacketSize to a value of 1, we
force the client to send Kerberos traffic using TCP through the VPN tunnel. A
connection-oriented TCP is a more reliable transport across the VPN tunnel even if the
packets are dropped, the server will re-request the missing data packet.

What if I don't want to use UDP?  What are my protocol options?

If you don’t use UDP, then you must use TCP. Let's change protocols and see what happens.

Fix:

In order to force Kerberos to use TCP, you must change MaxPacketSize to 1. To do this, follow these steps:

1.       Start Registry Editor.

2.       Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters

Note If the Parameters key does not exist, create it now.

3.       On the Edit menu, point to New, and then click DWORD Value.

4.       Type MaxPacketSize , and then press ENTER.

5.       Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.

6.       Quit Registry Editor.

7.       Restart your computer. 

So did it work?  Absolutely!


Here we list some more articles related to MaxPacketSize for reference:

295582          You receive a "Directory Service failed to replicate the partition" error message when you try to promote a member server to a domain controller over a VPN connection

http://support.microsoft.com/default.aspx?scid=kb;EN-US;295582

830077          Replication errors occur when you use Active Directory Replication Monitor in Microsoft Windows 2000

http://support.microsoft.com/default.aspx?scid=kb;EN-US;830077 

244474          How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000

http://support.microsoft.com/default.aspx?scid=kb;EN-US;244474

-End- 

Author: Pearson Peng

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment