Clients are experiencing authentication problems and you've determined it is due to UDP fragmentation of Kerberos traffic. You want to force Kerberos traffic to go over TCP instead.
220.127.116.11 Using a graphical user interface
18.104.22.168 Using a command-line interface
> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v[RETURN] "MaxPacketSize" /t REG_DWORD /d 1
22.214.171.124 Using VBScript
' This code forces Kerberos to use TCP ' ------ SCRIPT CONFIGURATION ------ strComputer = "<ComputerName>" ' e.g. rallen-w2k3 ' ------ END CONFIGURATION --------- const HKLM = &H80000002 strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" set objReg = GetObject("winmgmts:\\" & strComputer & _ "\root\default:StdRegProv") objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1 WScript.Echo "Kerberos forced to use TCP for " & strComputer
If you have users that are experiencing extremely slow logon times (especially over VPN) or they are seeing the infamous "There are currently no logon servers available to service the logon request," then they may be experiencing UDP fragmentation of Kerberos traffic. One way to help identify if there is a problem with Kerberos is to have the users run the following command:
> netdiag /test:kerberos
Another source of information is the System event log on the clients. Various Kerberos-related events are logged there if problems with authentication occur.
For more information about Kerberos and UDP, see MS KB 244474 (How to Force Kerberos to Use TCP Instead of UDP).