LDAP and Kerberos Server May Reset TCP Sessions Immediately After Creation


Symptoms


You are running the Windows Server roles Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS). Sporadically, you experience that TCP sessions created to the server ports 88, 389 and 3268 are reset. Sessions using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) on ports 636 and 3269 are also affected.

In a trace of the network traffic, you see the frame with the TCP RESET (or RST) is sent by the server almost immediately after the session is established using the TCP three-way handshake. The client might be able to send some request data before the RESET is sent, but this request is not responded to nor is the data acknowledged.

Cause


There are two problems that might occur:

1. Incorrect idle session monitoring:

The library that manages the TCP sessions for the LDAP Server and the Kerberos Key Distribution Center (KDC) uses a scavenging thread to monitor for sessions that are inactive, and disconnects these sessions if they are idle too long. The scavenging thread runs every 30 seconds to clean out these sessions.

The KDC registry entry NewConnectionTimeout controls the idle time, using a default of 10 seconds. However, based on the implementation of the scavenging, the effective interval is 0-30 seconds. Therefore newly created sessions may be disconnected immediately by the server sporadically.

2. Incorrect client port protection:

The KDC also has a built-in protection against request loops, and blocks client ports 88 and 464. However, the implementation has a bug in the byte ordering, so ports 22528 and 53249 are effectively blocked. Depending on the operating system version of the client and the allowed ephemeral TCP ports, you may or may not encounter this issue.

Resolution


For the KDC ports, many clients, including the Windows Kerberos client, will perform a retry and then get a full timer tick to work on the session. LDAP applications have a higher chance of considering the connection reset a fatal failure.

If you want to avoid the resets on ports 22528 and 53249, you have to exclude them from the ephemeral ports range (e.g. on Windows XP using MaxUserPort). For Windows Vista and newer, please see:

929851 The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008

When you set NewConnectionTimeout to 40 or higher, you receive a time-out window of 30-90 seconds. When you use 70 or higher, you receive 60-120 seconds for the time-out. For more information about the NewConnectionTimeout registry value, click the following article number to view the article in the Microsoft Knowledge Base:

837361 Kerberos protocol registry entries and KDC configuration keys in Windows Server 2003