You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003

Article translations Article translations
Article ID: 906736 - View products that this article applies to.
Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows registry
Expand all | Collapse all

On This Page

SYMPTOMS

When you run a high-volume server program on a domain member that uses Kerberos to authenticate users, you experience a delay in the user-authentication process. Additionally, you notice an increase in the remote procedure call (RPC) traffic between the domain controller that uses the Net Logon RPC interface and the server.

When you enable debug logging for the Net Logon service on the domain member or on the domain controller, the following entry is logged in the in the Netlogon.log:

[LOGON] SamLogon: Generic logon of <domain name>\(null) from (null) Package: Kerberos Entered

CAUSE

This problem occurs because the Kerberos client verifies the Privilege Attribute Certificate (PAC) signature in the Kerberos ticket by using the domain controller. The Kerberos client performs this verification to prevent PAC spoofing. The increased network traffic is generated by the RPC requests that are part of this verification process.

The Kerberos client performs this verification only for untrusted callers. User-mode applications are recognized as untrusted callers.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003 and apply the registry change detailed below to disable PAC validation. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003
After you obtain the latest service pack for Windows Server 2003, turn off PAC verification for services.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

In Windows Server 2003 SP2, you can turn off PAC verification for services. To do this, add the ValidateKdcPacSignature registry entry to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Add the ValidateKdcPacSignature entry as an entry of type DWORD on the servers that are authenticating users in application services. These servers may include domain controllers. When the value of this entry is 0, Kerberos does not perform PAC validation on a process that runs as a service. When the value of this entry is 1, Kerberos performs PAC validation as usual. You have to restart the computer after you modify this registry entry. When this entry is not present, the system behaves as if the entry were present and has a value of 1. The default value in Windows Server 2008 for this entry is 0.

For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:
109626 Enabling debug logging for the Net Logon service

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 2.

Properties

Article ID: 906736 - Last Review: January 12, 2009 - Revision: 9.1
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbqfe kbwinserv2003sp2fix kbtshoot kbbug KB906736

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com