Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
How to force Kerberos to use TCP instead of UDP in Windows
Article ID: 244474 - View products that this article applies to.
This article was previously published under Q244474
The Windows Kerberos authentication package is the default authentication package in Windows Server 2003, in Windows Server 2008, and in Windows Vista. It coexists with the NTLM challenge/response protocol and is used in instances where both a client and a server can negotiate Kerberos. Request for Comments (RFC) 1510 states that the client should send a User Datagram Protocol (UDP) datagram to port 88 at the IP address of the Key Distribution Center (KDC) when a client contacts the KDC. The KDC should respond with a reply datagram to the sending port at the sender's IP address. The RFC also states that UDP must be the first protocol that is tried.
Collapse this tableExpand this table
A limitation on the UDP packet size may cause the following error message at domain logon:
Additionally, the Netdiag tool may display the following error messages:
Event Log Error 5719
No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred:
There are currently no logon servers available to service the logon request.
Error message 1
DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (126.96.36.199). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Error message 2
The Windows XP event logs which are symptoms of this issue are SPNegotiate 40960 and Kerberos 10.
Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.]
To have us fix the problem for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.
Fix it for meTo fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.
Fix this problem
Microsoft Fix it 50563
Then, go to the "Did this fix the problem?" section.
Let me fix it myselfImportant This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
Important If you use UDP for Kerberos, your client computer may stop responding (hang) when you receive the following message: By default, the maximum size of datagram packets for which Windows Server 2003 uses UDP is 1,465 bytes. For Windows XP and for Windows 2000, this maximum is 2,000 bytes. Transmission Control Protocol (TCP) is used for any datagrampacket that is larger than this maximum. The maximum size of datagram packets for which UDP is used can be changed by modifying a registry key and value.
By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.
If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.
You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:
Did this fix the problem?
(http://support.microsoft.com/kb/320903/ )Clients cannot log on by using Kerberos over TCP
Article ID: 244474 - Last Review: December 14, 2010 - Revision: 9.0