Recipe 14.18 Forcing Kerberos to Use TCP

14.18.1 Problem

Clients are experiencing authentication problems and you've determined it is due to UDP fragmentation of Kerberos traffic. You want to force Kerberos traffic to go over TCP instead.

14.18.2 Solution

14.18.2.1 Using a graphical user interface

14.18.2.2 Using a command-line interface

> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v[RETURN]  "MaxPacketSize" /t REG_DWORD /d 1

14.18.2.3 Using VBScript

' This code forces Kerberos to use TCP  ' ------ SCRIPT CONFIGURATION ------ strComputer = "<ComputerName>"  ' e.g. rallen-w2k3 ' ------ END CONFIGURATION --------- const HKLM = &H80000002 strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" set objReg = GetObject("winmgmts:\\" & strComputer & _                        "\root\default:StdRegProv") objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1 WScript.Echo "Kerberos forced to use TCP for " & strComputer

14.18.3 Discussion

If you have users that are experiencing extremely slow logon times (especially over VPN) or they are seeing the infamous "There are currently no logon servers available to service the logon request," then they may be experiencing UDP fragmentation of Kerberos traffic. One way to help identify if there is a problem with Kerberos is to have the users run the following command:

> netdiag /test:kerberos

Another source of information is the System event log on the clients. Various Kerberos-related events are logged there if problems with authentication occur.

For more information about Kerberos and UDP, see MS KB 244474 (How to Force Kerberos to Use TCP Instead of UDP).