How can I avoid Kerberos authentication problems that occur when Kerberos authentication uses UDP?
July 21, 2005
A. Kerberos authentication normally takes place over the UDP protocol. However, Windows Server 2003 decreased the Maximum Transmission Unit (MTU) from 2000 bytes to 1465 bytes. This decrease means that packets might need to be broken into fragments. However, UDP is a connectionless protocol, which means no explicit connection is created in advance between the machines involved. Packets just arrive with no formal relationship to any other packets being sent, and there is no error, sequence, or flow control, as there is with a connection-based protocol. Therefore, if the fragments are received out of sequence, the receiving server might drop them. For VPN connections that are affected by this problem, the client machines will hang at the "Loading your personal settings" logon stage.
To address the problem, you can increase the MTU under Windows 2003, or you can force the Kerberos authentication request at the client to use TCP instead of UDP. TCP is a connection-based protocol and won't drop the packets if they're received out of sequence. To increase the MTU, perform these steps:
Start the registry editor (regedit.exe).
Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters registry subkey. (If the Parameters subkey doesn't exist, create it.)
From the Edit menu select New, DWORD value.
Enter a name of MaxPacketSize and press Enter.
Double-click the new value, and set it to 1. Click OK.
Restart the computer.
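The same registry change can be scripted rather than clicked through, which is useful when you need to apply it to several clients or confirm afterwards what a machine is actually set to. The following PowerShell script is an added example and is not part of the original article or of any Microsoft tool; it assumes an elevated session on the client and that the value name (MaxPacketSize), the key path and the meaning of the value 1 are exactly as described in the steps above. A reboot is still required before the Kerberos client picks the setting up.

```powershell
# Added example (not from the original article): set MaxPacketSize = 1 under the
# Kerberos Parameters key so Kerberos requests use TCP, and read the value back.
# Assumes an elevated PowerShell session; the change takes effect after a reboot.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the current MaxPacketSize value, or $null when the key or value
    # is absent (absent means the operating system default applies).
    if (-not (Test-Path -Path $KerbParams)) { return $null }
    $item = Get-ItemProperty -Path $KerbParams -Name 'MaxPacketSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosMaxPacketSize {
    param([int]$Value = 1)   # 1 forces TCP, as in the steps above
    if (-not (Test-Path -Path $KerbParams)) {
        # The Parameters subkey does not exist by default; create it, as the article says.
        New-Item -Path $KerbParams -Force | Out-Null
    }
    # -Force overwrites an existing value; DWord matches the type chosen in regedit.
    New-ItemProperty -Path $KerbParams -Name 'MaxPacketSize' -PropertyType DWord -Value $Value -Force | Out-Null
}

$before = Get-KerberosMaxPacketSize
if ($null -eq $before) { Write-Host 'MaxPacketSize before: <not set> (OS default)' }
else                   { Write-Host "MaxPacketSize before: $before" }

Set-KerberosMaxPacketSize -Value 1

$after = Get-KerberosMaxPacketSize
Write-Host "MaxPacketSize after : $after (restart the computer for Kerberos to use TCP)"
```

Run the script once per affected client and then restart it; a later run reports the stored value so you can audit which machines have already been changed. If you want to confirm the effect rather than just the setting, a packet capture on the client after the reboot should show Kerberos traffic to the domain controller on TCP port 88 instead of UDP port 88.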
Microsoft also created an .adm template, which you can integrate into Group Policy to help you make this change to all clients in your environment. For more information about the template, see the Microsoft article "How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000".