JSI Tip 4771. How do I force Kerberos to use TCP instead of UDP in Windows 2000?

Jerold Schulman

January 30, 2002



RFC 1510 dictates that a client should contact the Key Distribution Center (KDC) with a UDP datagram to port 88 at the KDC's IP address. A Kerberos message that does not fit in one datagram (a ticket carrying a large PAC for a user with many group memberships, for example) is then sent as fragmented UDP, and when a router or firewall in the path drops the fragments the exchange never completes. The symptoms look like this:

Event Log Error 5719, Source NETLOGON: No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred: There are currently no logon servers available to service the logon request.

If you run Netdiag, you receive:

DC list test . . . . . . . . . . . : Failed
    [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (159.140.176.32). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed
    [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.

Windows 2000 sends a Kerberos message over UDP if it is smaller than the MaxPacketSize value (2,000 bytes by default) and over TCP otherwise. Later versions lowered the default (Windows XP SP2 and Windows Server 2003 SP1 use 1,465 bytes, which keeps a datagram under the Ethernet MTU), and from Windows Vista onward the Kerberos client uses TCP by default. On Windows 2000 you can alter the behavior:

1. Use Regedt32 to navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

NOTE: You may have to add the Parameters sub-key.

2. At the Parameters sub-key, add a value named MaxPacketSize, as a REG_DWORD data type, and set the data value to any decimal number between 1 and 2000. To prevent UDP from being used at all, set it to 1. Restart the computer so that LSASS, which reads this value at start-up, picks up the new setting.
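The same two steps as a script, added here as an example rather than taken from the original tip: it creates the Parameters sub-key when it is missing, writes the REG_DWORD, and reads the value back so you can confirm what is configured. It assumes an elevated PowerShell session with the registry provider (any PowerShell version with HKLM: will do); the function and variable names are the example's own.

```powershell
# Added example: force the Windows Kerberos client onto TCP by setting MaxPacketSize.
# Not part of the original JSI tip. Assumes an elevated PowerShell session; the key
# path and value name are the ones the tip documents, the function names are ours.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the configured value, or $null when the value (or the key) is absent,
    # in which case the operating system default applies (2000 bytes on Windows 2000).
    $item = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosMaxPacketSize {
    param(
        # The tip's documented range; 1 means no message ever fits in UDP, so every
        # KDC exchange goes over TCP port 88.
        [ValidateRange(1, 2000)]
        [int]$Bytes = 1
    )
    # Step 1 from the tip: the Parameters sub-key may not exist yet.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    # Step 2 from the tip: REG_DWORD value MaxPacketSize (-Force overwrites an existing value).
    New-ItemProperty -Path $KerbParams -Name MaxPacketSize -PropertyType DWord -Value $Bytes -Force | Out-Null
    return Get-KerberosMaxPacketSize
}

$before = Get-KerberosMaxPacketSize
$after  = Set-KerberosMaxPacketSize -Bytes 1
"MaxPacketSize before: {0}" -f ($(if ($null -eq $before) { 'not set (OS default)' } else { $before }))
"MaxPacketSize after:  {0}" -f $after
"Restart the computer so LSASS re-reads the value."
```

After the reboot, `netstat -n` on the member server should show established TCP connections to port 88 on the domain controller while a logon or `klist` ticket request is in progress; if Kerberos traffic is still leaving as UDP datagrams, the value was written to the wrong hive or the machine has not been restarted.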


