Article ID: 906736
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry (http://support.microsoft.com/kb/256986/)
When you run a high-volume server program on a domain member that uses Kerberos to authenticate users, you experience a delay in the user-authentication process. Additionally, you notice an increase in the remote procedure call (RPC) traffic between the domain controller that uses the Net Logon RPC interface and the server.
When you enable debug logging for the Net Logon service on the domain member or on the domain controller, the following entry is logged in the Netlogon.log file:
[LOGON] SamLogon: Generic logon of <domain name>\(null) from (null) Package: Kerberos Entered
This problem occurs because the Kerberos client verifies the Privilege Attribute Certificate (PAC) signature in the Kerberos ticket by using the domain controller. The Kerberos client performs this verification to prevent PAC spoofing. The increased network traffic is generated by the RPC requests that are part of this verification process.
The Kerberos client performs this verification only for untrusted callers. User-mode applications are recognized as untrusted callers.
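To size the extra Net Logon RPC load that the article describes before changing anything, it helps to count how many of these PAC-verification entries a Netlogon.log actually contains and how they cluster in time. The following PowerShell function is an added example, not code from the article or from Microsoft; the function name is hypothetical, and it assumes the common Netlogon.log line layout of a `MM/dd HH:mm:ss` timestamp followed by the `[LOGON] SamLogon: Generic logon of <domain>\(null) from (null) Package: Kerberos Entered` text quoted above. The sample log lines in the block are constructed for the example.

```powershell
# Added example (not part of KB 906736): count the Netlogon.log entries that are
# written when a Kerberos client asks the domain controller to verify a PAC
# signature for an untrusted (user-mode) caller.
function Measure-PacValidationLogons {
    [CmdletBinding()]
    param(
        # Lines of Netlogon.log; pipe Get-Content output into this function.
        [Parameter(ValueFromPipeline)] [string[]] $Line
    )
    begin {
        # Assumed layout: "MM/dd HH:mm:ss [LOGON] SamLogon: Generic logon of DOMAIN\(null) from (null) Package: Kerberos Entered"
        $pattern = '^(?<stamp>\d\d/\d\d \d\d:\d\d):\d\d \[LOGON\] SamLogon: Generic logon of (?<domain>[^\\]+)\\\(null\) from \(null\) Package: Kerberos Entered'
        $perMinute = @{}   # minute -> count, to spot bursts
        $perDomain = @{}   # domain -> count, to see which domains drive the load
        $total     = 0
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $pattern) {
                $total++
                $perMinute[$Matches.stamp]  = 1 + [int]$perMinute[$Matches.stamp]
                $perDomain[$Matches.domain] = 1 + [int]$perDomain[$Matches.domain]
            }
        }
    }
    end {
        $peak = if ($perMinute.Count -gt 0) { ($perMinute.Values | Measure-Object -Maximum).Maximum } else { 0 }
        [pscustomobject]@{
            TotalPacValidations = $total
            ByDomain            = $perDomain
            PeakPerMinute       = $peak
        }
    }
}

# Constructed sample lines (not a real log) showing two "Entered" entries in one
# minute, their matching "Returns" lines, and one unrelated entry.
$sampleLog = @(
    '01/12 10:23:45 [LOGON] SamLogon: Generic logon of CONTOSO\(null) from (null) Package: Kerberos Entered',
    '01/12 10:23:45 [LOGON] SamLogon: Generic logon of CONTOSO\(null) from (null) Package: Kerberos Returns 0x0',
    '01/12 10:23:51 [LOGON] SamLogon: Generic logon of CONTOSO\(null) from (null) Package: Kerberos Entered',
    '01/12 10:23:51 [LOGON] SamLogon: Generic logon of CONTOSO\(null) from (null) Package: Kerberos Returns 0x0',
    '01/12 10:24:02 [LOGON] SamLogon: Network logon of CONTOSO\alice from WKS01 Entered'
)
$sampleLog | Measure-PacValidationLogons   # TotalPacValidations 2, PeakPerMinute 2

# On a real server (path assumed; it is where the Net Logon debug log is normally kept):
# Get-Content "$env:windir\debug\netlogon.log" | Measure-PacValidationLogons
```

Only the `Entered` line is counted, so each PAC verification round trip is counted once even though the log also records the matching `Returns` line. A high `PeakPerMinute` on a busy application server is the symptom the article describes; a low count means the registry change below is unlikely to help.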
Service pack information
To resolve this problem, obtain the latest service pack for Windows Server 2003, and then apply the registry change described below to turn off PAC validation. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003 (http://support.microsoft.com/kb/889100/)
After you obtain the latest service pack for Windows Server 2003, turn off PAC verification for services.
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
In Windows Server 2003 SP2, you can turn off PAC verification for services. To do this, add the ValidateKdcPacSignature registry entry to the following registry subkey:
Add the ValidateKdcPacSignature entry as an entry of type DWORD on the servers that are authenticating users in application services. These servers may include domain controllers. When the value of this entry is 0, Kerberos does not perform PAC validation on a process that runs as a service. When the value of this entry is 1, Kerberos performs PAC validation as usual. You have to restart the computer after you modify this registry entry. When this entry is not present, the system behaves as if the entry were present and has a value of 1. The default value in Windows Server 2008 for this entry is 0.
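The value semantics above (0 disables PAC validation for service processes, 1 keeps it, a missing entry means 1 on Windows Server 2003 SP2 and 0 on Windows Server 2008, restart required) can be turned into an audit-and-change script. The following PowerShell functions are an added example, not the article's or Microsoft's code; the function names are hypothetical. Because this copy of the article does not show the registry subkey, the subkey path is passed in as a parameter with a clearly marked placeholder default; replace it with the subkey named in the article.

```powershell
# Added example (not part of KB 906736): report the effective ValidateKdcPacSignature
# setting, and change it with -WhatIf / -Confirm support.

# PLACEHOLDER: this copy of the article omits the subkey; substitute the subkey it names.
$DefaultKerberosSubKey = 'HKLM:\<Kerberos parameters subkey from KB 906736>'

function Get-PacValidationState {
    param(
        [string] $SubKey = $DefaultKerberosSubKey,
        # Which default applies when the entry is absent (per the article text).
        [ValidateSet('2003', '2008')] [string] $OsFamily = '2003'
    )
    $item = Get-ItemProperty -Path $SubKey -Name ValidateKdcPacSignature -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Entry not present: Windows Server 2003 behaves as if it were 1,
        # Windows Server 2008 defaults to 0.
        $effective = if ($OsFamily -eq '2008') { 0 } else { 1 }
        $source = 'default (entry not present)'
    } else {
        $effective = [int]$item.ValidateKdcPacSignature
        $source = 'registry'
    }
    [pscustomobject]@{
        SubKey         = $SubKey
        Entry          = 'ValidateKdcPacSignature'
        EffectiveValue = $effective
        Source         = $source
        PacValidation  = if ($effective -eq 0) { 'disabled for services' } else { 'enabled (default behaviour)' }
    }
}

function Set-PacValidationState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $SubKey = $DefaultKerberosSubKey,
        # 0 = do not validate the PAC for processes running as a service; 1 = validate as usual.
        [Parameter(Mandatory)] [ValidateSet(0, 1)] [int] $Value
    )
    if ($PSCmdlet.ShouldProcess($SubKey, "Set ValidateKdcPacSignature = $Value (REG_DWORD)")) {
        if (-not (Test-Path -Path $SubKey)) { New-Item -Path $SubKey -Force | Out-Null }
        # The article specifies a DWORD entry.
        New-ItemProperty -Path $SubKey -Name ValidateKdcPacSignature -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'Restart the computer for the change to take effect (KB 906736).'
    }
    Get-PacValidationState -SubKey $SubKey
}

# Usage (run elevated on the server that authenticates users for application services):
# Get-PacValidationState                      # audit only
# Set-PacValidationState -Value 0 -WhatIf     # preview the change
# Set-PacValidationState -Value 0             # apply, then restart
```

Keep in mind what the setting trades away: the article explains that the verification exists to prevent PAC spoofing for untrusted callers, so setting the entry to 0 removes that check for every process running as a service on that server. Limit the change to the high-volume application servers that show the symptom, and record the audit output before and after so the setting can be reviewed later.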
For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Net Logon service (http://support.microsoft.com/kb/109626/)
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 2.
Article ID: 906736 - Last Review: January 12, 2009 - Revision: 9.1