Kerberos is the default protocol for network authentication in Windows Server 2003. The Kerberos authentication protocol provides mutual authentication between a client and a server, or between one server and another, before a network connection is opened between them. It is more flexible and efficient than NTLM, and more secure. However, if Kerberos authentication fails between computers in a domain, you may run into problems with DC replication, resource sharing, logon or other operations.
We have recently seen a recurring issue involving Kerberos authentication in case review. It can show up in a variety of scenarios:
▪ Users could not log on to Office Communicator, Exchange Server or their intranet website. For instance, users are prompted for credentials on random machines with Outlook running; after entering credentials they are able to log in and Outlook works fine.
▪ In a domain environment, a domain controller cannot replicate with other DCs and reports errors.
▪ In an OU that contains Windows member servers running Terminal Services in Remote Administration mode, users created in that OU are unable to log on via RDP.
▪ Group Policy application fails, or Events 1030 and 40961 are logged on the clients.
▪ A computer hangs at the Windows splash screen when trying to boot in a domain.
▪ A Windows Server 2003 computer cannot be promoted as an additional DC in a domain.
▪ Some users who log on to the domain over a VPN cannot map drives.
If you run Netdiag, it may return the following two errors:
DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (123.456.789.00). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.
Why did this happen?
The issues above can all stem from failed Kerberos authentication, and we see them mostly on networks with VPN links. For example, when a child domain DC tried to replicate from the root domain DC, it first contacted the root domain DC to request a Kerberos ticket. The ticket reply sent by the root domain DC never arrived intact, so the child domain DC concluded that no DC was available in the root domain, and replication failed. In this case Kerberos errors were causing the problem, most likely because the Kerberos tickets were too large, for example because the account is a member of a large number of groups.
The Windows Kerberos client uses connectionless UDP datagrams by default: on Windows 2000, Windows XP and Windows Server 2003 it sends requests over UDP as long as the message is no larger than the MaxPacketSize threshold (1465 bytes by default, per KB 244474) and switches to TCP only above that. Depending on factors such as SIDHistory and group membership, some accounts produce much larger Kerberos messages than others. Depending on the VPN hardware configuration, these larger packets have to be fragmented to cross the VPN, and UDP gives the client no way to recover if a fragment is lost. VPN devices and firewalls frequently drop non-initial fragments or fail to reassemble them, so the reply carrying the ticket is silently discarded and the client times out as if no DC were available. Setting MaxPacketSize to 1 forces the client to send all Kerberos traffic over TCP through the VPN tunnel. Because TCP is connection-oriented and reliable, a dropped segment is simply retransmitted and a large ticket still gets through. Note that this works around the transport problem only; it does not make the ticket any smaller, so an account with a very large group membership still produces a large ticket.
What if I don't want to use UDP? What are my protocol options?
If you don't use UDP, then you must use TCP. Let's change protocols and see what happens.
To force Kerberos to use TCP, set MaxPacketSize to 1. To do this, follow these steps:
1. Start Registry Editor.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize , and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
So did it work? Absolutely!
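The same change, scripted. This is an added example and not code from the original article or from Microsoft; it assumes it is run in an elevated PowerShell session on the affected machine, and the domain controller name passed to it is a placeholder you replace with your own. Beyond the registry steps above, it first checks that TCP port 88 to a DC is actually reachable through the tunnel, because forcing TCP on a host whose VPN or firewall only passes UDP/88 would break Kerberos entirely, and it reports the current UDP/TCP setting before and after the change.

```powershell
# Added example, not from the original article. Sets MaxPacketSize=1 so the
# Kerberos client sends all KDC traffic over TCP, after first checking that
# TCP/88 to a domain controller is reachable through the VPN. Assumptions:
# elevated PowerShell on the affected client, member server or DC; the DC
# name used at the bottom is a placeholder.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Test-KerberosTcpPort {
    # Plain TCP connect to the KDC port. If this fails through the tunnel,
    # forcing TCP will not help and will break authentication from this host.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 88,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($DomainController, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-KerberosTransport {
    # Reports how this client currently chooses between UDP and TCP.
    $item = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'MaxPacketSize not set: OS default (UDP first on Windows 2000/XP/2003)'
    }
    $size = [int]$item.MaxPacketSize
    if ($size -le 1) { return "MaxPacketSize=$size : all Kerberos traffic over TCP" }
    return "MaxPacketSize=$size : UDP for messages up to $size bytes, TCP above that"
}

function Set-KerberosTcp {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$DomainController)

    if ($DomainController -and -not (Test-KerberosTcpPort -DomainController $DomainController)) {
        throw "TCP/88 to $DomainController is not reachable from this host; fix the VPN or firewall rule before forcing Kerberos to TCP."
    }
    if (-not (Test-Path $KerbParams)) {
        # The Parameters key does not exist on a default install; create it.
        New-Item -Path $KerbParams -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($KerbParams, 'Set MaxPacketSize (DWORD) = 1')) {
        New-ItemProperty -Path $KerbParams -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-KerberosTransport
}

function Reset-KerberosTransport {
    # Undo: remove the value so the OS default applies again after a restart.
    Remove-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    Get-KerberosTransport
}

# Usage (replace the DC name with one of your own):
Get-KerberosTransport
Set-KerberosTcp -DomainController 'dc01.domain.com'
# The new value is picked up after a restart, as in the manual steps.
```

Run `Set-KerberosTcp -DomainController 'dc01.domain.com' -WhatIf` first to see what would be written without touching the registry. The reachability check is deliberately a raw TCP connect rather than a Kerberos request, so it works on any Windows version with .NET and does not need a ticket to succeed.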
Here we list some more articles related to MaxPacketSize for reference:
295582 You receive a "Directory Service failed to replicate the partition" error message when you try to promote a member server to a domain controller over a VPN connection
830077 Replication errors occur when you use Active Directory Replication Monitor in Microsoft Windows 2000
244474 How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000
Author: Pearson Peng