JSI Tip 4771. How do I force Kerberos to use TCP instead of UDP in Windows 2000?


RFC 1510 dictates that a client should contact the Key Distribution Center (KDC) with a UDP datagram to port 88 at the KDC's IP address. This may result in:

Event Log Error 5719
Source NETLOGON

No Windows NT or Windows 2000 Domain Controller is available for domain Domain.
The following error occurred: There are currently no logon servers available to service the logon request.

If you run Netdiag, you receive:

DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (159.140.176.32).
                                     [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.
If the data fits in packets smaller than 2,000 bytes, Windows 2000 uses UDP; otherwise it uses TCP. You can alter this behavior:

1. Use Regedt32 to navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

NOTE: You may have to add the Parameters sub-key.

2. At the Parameters sub-key, Add Value name MaxPacketSize, as a REG_DWORD data type, and set the data value to any Decimal number between 1 and 2000. To prevent UDP from being used, set it to 1.
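The same two steps as a script, added here as an example and not taken from the tip: it creates the Parameters sub-key when it is missing (the NOTE in step 1), rejects values outside the 1 to 2000 range given in step 2, writes MaxPacketSize as a REG_DWORD, and reads it back to confirm the change. PowerShell did not ship with Windows 2000, so on that platform the edit is done with Regedt32 exactly as described above; the script assumes a later Windows build that has PowerShell and reads this same key, and the function names and the $KerberosParams variable are my own.

```powershell
# Added example (not part of the JSI tip): set or inspect the Kerberos
# MaxPacketSize value described above, creating the Parameters sub-key
# when it is missing. Run from an elevated PowerShell session.
$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the configured value, or $null when the value (or the key) is
    # absent, meaning the default applies (UDP for data under 2,000 bytes).
    $item = Get-ItemProperty -Path $KerberosParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosMaxPacketSize {
    param(
        # 1 prevents UDP from being used at all; larger values keep UDP for
        # requests that fit within that many bytes.
        [ValidateRange(1, 2000)]
        [int]$MaxPacketSize = 1
    )
    # The tip notes the Parameters sub-key may not exist yet.
    if (-not (Test-Path $KerberosParams)) {
        New-Item -Path $KerberosParams -Force | Out-Null
    }
    # REG_DWORD with a decimal value, as step 2 describes. -Force overwrites
    # an existing value instead of failing.
    New-ItemProperty -Path $KerberosParams -Name MaxPacketSize -PropertyType DWord `
        -Value $MaxPacketSize -Force | Out-Null
    # Read the value back so a failed or partial write is reported.
    $actual = Get-KerberosMaxPacketSize
    if ($actual -ne $MaxPacketSize) {
        throw "MaxPacketSize read back as '$actual', expected $MaxPacketSize"
    }
    return $actual
}

# Usage: force TCP, then display the resulting value.
Set-KerberosMaxPacketSize -MaxPacketSize 1
"Kerberos MaxPacketSize is now {0}" -f (Get-KerberosMaxPacketSize)
```

Calling Get-KerberosMaxPacketSize before changing anything is a quick way to check whether a machine has already been switched to TCP, which is worth knowing when the 5719 and Netdiag symptoms above appear on some domain members but not others.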


