When you enable debug logging for the Net Logon service on the domain member or on the domain controller, the following entry is logged in the Netlogon.log file:
The Kerberos client performs this verification only for untrusted callers. User-mode applications are recognized as untrusted callers.
Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003 and apply the registry change detailed below to disable PAC validation. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
In Windows Server 2003 SP2, you can turn off PAC verification for services. To do this, add the ValidateKdcPacSignature registry entry to the following registry subkey:
For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:
Article ID: 906736 - Last Review: Jul 13, 2009 - Revision: 1