Using TCP for Kerberos Transactions

By default, and in compliance with the relevant RFC, a Windows machine will attempt to use UDP for almost all Kerberos authentication transactions. (Kerberos is the default type for use with Active Directory).  Only when a packet is larger than 2,000 bytes will TCP be used.

Around Christmas of 2003 and now, in the Fall of 2004, there have been reports of long login times and reports of unpredictable and/or erratic Group Policy processing.

Both of these problems seem to be related to UDP.  Network Operations is attempting to determine if this is in fact the case, and what to do about it if it is.

But as a temporary (and perhaps permanent) fix, it is possible to convince Windows to use TCP for all Kerberos transactions.  When this is done, the above problems seem to go away, lending credence to the supposition that UDP is in some way involved.

Quite simply, a single registry entry needs to be either created or its value modified.  That key is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

and the value is

MaxPacketSize

MaxPacketSize is a DWORD, and, when set, determines the packet size at which Windows switches from UDP to TCP for Kerberos authentication.  Setting the value to 1 will cause Windows to use only TCP.
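As an added example (not the UseTCPForKerberos.REG file or the GPO described on this page), a PowerShell script that reads the current MaxPacketSize under the key above, sets it to 1 to force TCP, and can also turn on verbose Kerberos logging or write the 2000/0 values the page gives for undoing the change. The LogLevel value name is the documented Windows value for Kerberos event logging and is assumed here, since the page does not name it.

```powershell
# Added example: manage the Kerberos transport threshold named in the text.
# Run in an elevated prompt; the value is only read at startup, so reboot after.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the current MaxPacketSize, or $null when the value is absent
    # (absent means the built-in default threshold is still in effect).
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name 'MaxPacketSize' `
        -ErrorAction SilentlyContinue).MaxPacketSize
}

function Set-KerberosTransport {
    param(
        [int]$MaxPacketSize = 1,   # 1 = always TCP, as the text describes
        [int]$LogLevel = 1         # 1 = verbose Kerberos logging, 0 = off
    )
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # -Force overwrites an existing value, so this both creates and modifies.
    New-ItemProperty -Path $Key -Name 'MaxPacketSize' -PropertyType DWord `
        -Value $MaxPacketSize -Force | Out-Null
    # LogLevel is an assumption: the page mentions verbose logging but not
    # the value name; this is the documented name for that setting.
    New-ItemProperty -Path $Key -Name 'LogLevel' -PropertyType DWord `
        -Value $LogLevel -Force | Out-Null
    # Read back so the caller can confirm what was actually written.
    Get-ItemProperty -Path $Key | Select-Object MaxPacketSize, LogLevel
}

function Reset-KerberosTransport {
    # Preferences are not undone when a GPO is removed, so reverting means
    # explicitly writing the values the page gives: 2000 and logging 0.
    Set-KerberosTransport -MaxPacketSize 2000 -LogLevel 0
}

$before = Get-KerberosMaxPacketSize
if ($null -eq $before) { Write-Host 'MaxPacketSize not set; default threshold applies' }
else { Write-Host "MaxPacketSize currently $before" }

Set-KerberosTransport            # force TCP and enable verbose logging
Write-Host 'Reboot required: the setting is only read at startup'
```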

There are several ways to accomplish this.  Certainly, going to each machine, logging in with an administrator account and manually running REGEDIT is one of them.  There are a few others.

1. Again logging in as an admin (at each workstation), download and double-click the UseTCPForKerberos.REG file located here.  This will automatically add the appropriate key and value (without the worry of a spelling mistake), and a second key that will enable verbose logging of Kerberos errors in the Application Event Log.

2. Send these settings automatically to all your computers by a Group Policy.  I have created such a policy under the name of

SFU Use TCP for Kerberos

which again, sets the MaxPacketSize to 1, and enables verbose Kerberos logging.

There is a possible Catch-22 here, though, in that if a machine is repeatedly not getting its Policies, it's not going to get this one either.  That is, it's not going to get the Policy that allows it to get Policies.  However, the Policy problems seem random, and so enabling this GPO will eventually cause the Registry entries to be added.

3. Create your own GPO, possibly changing the packet size at which TCP is used instead of UDP, possibly not enabling the verbose logging.  It's probably easiest to do this by using a template; the same one that I used to create my Policy UseTCPForKerberos.ADM can be downloaded.   Again, the "Can't get there from here" problem listed in option 2 is present with this option.

Notes:  There are two minor issues with using a GPO to send out these settings.

1. Windows considers them preferences rather than policies, and preferences behave differently from most settings in one key way: when a policy is removed, the settings it defined revert to their pre-application state (the policy is undone), but preferences are not undone.  To undo the registry settings defined here, another policy would be required, setting the MaxPacketSize to 2000 and the logging to 0.

2. You cannot, by default, see these settings in your Group Policy editor, even after adding the template.  You have to

Win2k:     Disable Show Policies Only on the View menu
WinXP:    Deselect Only show policy settings that can be fully managed under View - Filtering

After making this change, the workstation will need to be rebooted at least once. (The setting is only read at startup).  Once set, the workstation may need to have its policies reapplied.  The easiest way to do this is from a command prompt.

Win2k:  Secedit /refreshpolicy machine_policy /enforce
            Secedit /refreshpolicy user_policy /enforce

WinXP:    Gpupdate /force

Both will likely require yet another reboot.

If the above setting fixes things for you, or does not fix things for you, please get back to me.

Alan