Author: Shelly Bird 

Credit:  Syed Ismail, Ben Christenbury

Applies to:  Vista SP1 only.

Setting:

Microsoft network client: Digitally sign communications (always) is set to Enabled in FDCC (this policy maps to RequireSecuritySignature under the lanmanworkstation parameters key shown below).

History:

The server-side settings on the domain controller (Windows Server 2003 SP2) are always ON; they correspond to the policy Microsoft network server: Digitally sign communications (always), which is Enabled by default on domain controllers:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
                EnableSecuritySignature [REG_DWORD] = 0x1
                RequireSecuritySignature [REG_DWORD] = 0x1

Client-side settings (Vista SP1) under FDCC:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
                EnableSecuritySignature [REG_DWORD] = 0x1
                RequireSecuritySignature [REG_DWORD] = 0x1

Issue:

Under these conditions, Group Policy processing for the computer account fails, both at startup and every time gpupdate.exe is run. Each failure logs event 1058 from the Microsoft-Windows-GroupPolicy source in the System log of Event Viewer:

3/19/2008  4:55:10 PM  1  0  1058  Microsoft-Windows-GroupPolicy  NT AUTHORITY\SYSTEM  SDC-211.ITL.local

The processing of Group Policy failed. Windows attempted to read the file \\ITL.local\SysVol\ITL.local\Policies\{1B71C87D-FAB7-4FE1-BEAF-07F846DE3E1D}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:  

a) Name Resolution/Network Connectivity to the current domain controller.  

b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).  

c) The Distributed File System (DFS) client has been disabled. 

Detail: The account is not authorized to log in from this station

The Detail line is the one to look at. "The account is not authorized to log in from this station" is the error the SMB redirector returns when the signing requirements of the client and server cannot both be satisfied, so it points at SMB signing rather than at the three causes (name resolution, FRS latency, DFS client) the generic event text suggests.

Result:  The Group Policy engine cannot read gpt.ini from SYSVOL on the DC, and therefore cannot obtain the GPO version, so no computer policy is applied.

 

As soon as RequireSecuritySignature is set to 0 (Disabled) on the client and the client is rebooted, GPO processing works fine.
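The following PowerShell script is an added example, not part of this note and not Microsoft's code. It pulls together the evidence described above: it reads the lanmanworkstation values on the local Vista SP1 client and the lanmanserver values on the DC, confirms the OS build is Vista SP1 (6.0.6001), searches the System log for 1058 events carrying the "not authorized to log in from this station" detail, and only on request applies the RequireSecuritySignature=0 workaround. It assumes it runs elevated on the client and that the Remote Registry service on the DC is reachable; the function names (Get-SigningValues, Test-GpoSigningIssue, Get-GpoSysvolReadFailures) are this example's own.

```powershell
# Added example; not from the original note or from Microsoft.
# Assumptions: run elevated on the Vista SP1 client; Remote Registry on the DC
# is reachable for the lanmanserver read; function names below are invented here.
param(
    [string]$DomainController = $env:LOGONSERVER.TrimStart('\'),
    [switch]$ApplyWorkaround
)

$WorkstationKey = 'SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters'
$ServerKey      = 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

# Read Enable/RequireSecuritySignature from a hive (local or remote).
# A missing value is reported as 0 so the mismatch check still works.
function Get-SigningValues {
    param([Microsoft.Win32.RegistryKey]$Hive, [string]$SubKey)
    $key = $Hive.OpenSubKey($SubKey)
    if ($null -eq $key) { throw "Registry key not found: $SubKey" }
    New-Object PSObject -Property @{
        EnableSecuritySignature  = [int]$key.GetValue('EnableSecuritySignature', 0)
        RequireSecuritySignature = [int]$key.GetValue('RequireSecuritySignature', 0)
    }
}

# The failing combination described in the note: a Vista SP1 client that
# requires signing talking to a DC that also requires it.
function Test-GpoSigningIssue {
    param($Client, $Server, [bool]$VistaSp1)
    return ($VistaSp1 -and
            $Client.RequireSecuritySignature -eq 1 -and
            $Server.RequireSecuritySignature -eq 1)
}

# The 1058 events land in the System log under the Microsoft-Windows-GroupPolicy
# source; keep only those whose Detail is the SMB signing message.
function Get-GpoSysvolReadFailures {
    param([int]$Days = 7)
    $query = @{
        LogName     = 'System'
        Source      = 'Microsoft-Windows-GroupPolicy'
        EntryType   = 'Error'
        After       = (Get-Date).AddDays(-$Days)
        ErrorAction = 'SilentlyContinue'   # no matches is not an error here
    }
    Get-EventLog @query |
        Where-Object { $_.EventID -eq 1058 -and
                       $_.Message -match 'not authorized to log in from this station' }
}

$localHive  = [Microsoft.Win32.Registry]::LocalMachine
$remoteHive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $DomainController)

$client = Get-SigningValues -Hive $localHive  -SubKey $WorkstationKey
$server = Get-SigningValues -Hive $remoteHive -SubKey $ServerKey

# Vista SP1 reports version 6.0.6001; RTM (6.0.6000) is not affected.
$os         = Get-WmiObject Win32_OperatingSystem
$isVistaSp1 = ($os.Version -eq '6.0.6001')

"Client {0} lanmanworkstation: Enable={1} Require={2}" -f $env:COMPUTERNAME, $client.EnableSecuritySignature, $client.RequireSecuritySignature
"Server {0} lanmanserver:      Enable={1} Require={2}" -f $DomainController, $server.EnableSecuritySignature, $server.RequireSecuritySignature
"OS version {0} (Vista SP1: {1})" -f $os.Version, $isVistaSp1

$failures = @(Get-GpoSysvolReadFailures)
"1058 events with the signing detail in the last 7 days: {0}" -f $failures.Count
$failures | Select-Object -First 3 -Property TimeGenerated, EventID, MachineName | Format-Table -AutoSize

if (Test-GpoSigningIssue $client $server $isVistaSp1) {
    Write-Warning 'Affected configuration: Vista SP1 with RequireSecuritySignature=1 on both sides. Obtain the hotfix described in KB 950876.'
    if ($ApplyWorkaround) {
        # Diagnostic workaround from the note. The FDCC security policy will
        # set this back to 1 at its next successful refresh.
        Set-ItemProperty -Path "HKLM:\$WorkstationKey" -Name RequireSecuritySignature -Value 0 -Type DWord
        Write-Warning 'RequireSecuritySignature set to 0; reboot the client, then re-test with gpupdate.exe /force.'
    }
}
```

Run it without switches first to confirm both registry values and the presence of the 1058 events; add -ApplyWorkaround only on a test client, since it takes the machine out of FDCC compliance until the hotfix is installed.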

 

Note that this issue does not happen in Vista Runtime (pre-SP1).  Previously, if the server and client were coordinated to be Enabled for this setting, no issues arose, except possibly with non-Microsoft SMB signing systems.

 

Resolution:  There is a QFE that can be requested from Microsoft Premier and which we have tested and confirmed eliminates this issue.  We highly recommend obtaining this QFE for any Vista SP1 implementations which are launched with the FDCC settings.  We hope it will shortly be available either as a public update or in the next Service Pack. 

 

For more information, see the following KB article:

http://support.microsoft.com/kb/950876/en-us