You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003

Article ID: 906736

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 (http://support.microsoft.com/kb/256986/) Description of the Microsoft Windows registry

SYMPTOMS

When you run a high-volume server program on a domain member that uses Kerberos to authenticate users, you experience a delay in the user-authentication process. Additionally, you notice an increase in the remote procedure call (RPC) traffic between the domain controller that uses the Net Logon RPC interface and the server.

When you enable debug logging for the Net Logon service on the domain member or on the domain controller, the following entry is logged in the Netlogon.log file:

[LOGON] SamLogon: Generic logon of <domain name>\(null) from (null) Package: Kerberos Entered

CAUSE

This problem occurs because the Kerberos client verifies the Privilege Attribute Certificate (PAC) signature in the Kerberos ticket by using the domain controller. The Kerberos client performs this verification to prevent PAC spoofing. The increased network traffic is generated by the RPC requests that are part of this verification process.

The Kerberos client performs this verification only for untrusted callers. User-mode applications are recognized as untrusted callers.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003 and apply the registry change detailed below to disable PAC validation. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 (http://support.microsoft.com/kb/889100/) How to obtain the latest service pack for Windows Server 2003

After you obtain the latest service pack for Windows Server 2003, turn off PAC verification for services.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

In Windows Server 2003 SP2, you can turn off PAC verification for services. To do this, add the ValidateKdcPacSignature registry entry to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:

109626 (http://support.microsoft.com/kb/109626/) Enabling debug logging for the Net Logon service

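
With Net Logon debug logging enabled, the PAC verification entries quoted under SYMPTOMS can be counted per minute to confirm that they account for the RPC load before PAC verification is turned off. The following Python script is an added example, not part of the Microsoft article; the "MM/DD HH:MM:SS" timestamp prefix, the function names and the sample lines are assumptions.

```python
import re
from collections import Counter

# Matches the entry quoted under SYMPTOMS. The "MM/DD HH:MM:SS" prefix, extra
# fields after [LOGON], and optional space after "Package:" are assumptions.
PAC_ENTRY = re.compile(
    r"^(?P<minute>\d{2}/\d{2} \d{2}:\d{2}):\d{2}\s+\[LOGON\]\s+.*?SamLogon: "
    r"Generic logon of (?P<domain>[^\\]+)\\\(null\) from \(null\) "
    r"Package:\s*Kerberos Entered\s*$"
)

def pac_validation_rate(lines):
    """Return (total, per-minute Counter, per-domain Counter) of PAC verification entries."""
    per_minute, per_domain = Counter(), Counter()
    for line in lines:
        m = PAC_ENTRY.match(line.strip())
        if m:  # other [LOGON] entries and malformed lines are skipped
            per_minute[m["minute"]] += 1
            per_domain[m["domain"].upper()] += 1
    return sum(per_minute.values()), per_minute, per_domain

def busiest_minute(per_minute):
    """Return (minute, count) for the peak minute, or None when nothing matched."""
    if not per_minute:
        return None
    return max(per_minute.items(), key=lambda kv: (kv[1], kv[0]))

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = """\
06/14 09:15:01 [LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package: Kerberos Entered
06/14 09:15:01 [LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package: Kerberos Returns 0x0
06/14 09:15:02 [LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package:Kerberos Entered
06/14 09:15:40 [LOGON] SamLogon: Network logon of CONTOSO\\alice from WKS01 Entered
06/14 09:16:03 [LOGON] SamLogon: Generic logon of contoso\\(null) from (null) Package: Kerberos Entered
06/14 09:16:05 [MISC] DsGetDcName function called
truncated line without a timestamp
""".splitlines()

if __name__ == "__main__":
    total, per_minute, per_domain = pac_validation_rate(SAMPLE_LOG)
    print("PAC verification requests:", total)
    print("busiest minute:", busiest_minute(per_minute))
    print("by domain:", dict(per_domain))
```

To analyze a real log, pass the lines of the Netlogon.log file to pac_validation_rate in place of SAMPLE_LOG.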
STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 2.

Properties

Article ID: 906736 - Last Review: January 12, 2009 - Revision: 9.1

APPLIES TO