How to force Kerberos to use TCP instead of UDP in Windows
Note RFC 4120 now obsoletes RFC 1510. RFC 4120 specifies that a KDC must accept TCP requests and should listen for such requests on port 88 (decimal). By default, Windows Server 2008 and Windows Vista will try TCP first for Kerberos because the MaxPacketSize default is now 0. You can still use the MaxPacketSize registry value to override that behavior.
A limitation on the UDP packet size may cause the following error message at domain logon:
No Windows NT or Windows 2000 Domain Controller is available for domain Domain. The following error occurred:
There are currently no logon servers available to service the logon request.
Fix it for me
To fix this problem automatically, click the Fix it button or link. Click Run in the File Download dialog box, and follow the steps in the Fix it wizard.
- This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
- If you are not using the computer that has the problem, save the Fix it solution to a flash drive or a CD and then run it on the computer that has the problem.
Then, go to the "Did this fix the problem?" section.
Let me fix it myself
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Important If you use UDP for Kerberos, your client computer may stop responding (hang) when you receive the following message:
By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.
If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.
You can change MaxPacketSize to 1 to force the clients to send Kerberos traffic over TCP. To do this, follow these steps:
- Start Registry Editor.
- Locate and then click the following registry subkey:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
  Note If the Parameters key does not exist, create it now.
- On the Edit menu, point to New, and then click DWORD Value.
- Type MaxPacketSize, and then press ENTER.
- Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
- Quit Registry Editor.
- Restart your computer.
This is the solution approach for Microsoft Windows 2000, XP and Server 2003. Windows Vista and newer use a default of "0" for MaxPacketSize, which also turns off the use of UDP for the Kerberos client.
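The registry steps above can also be applied from a script, which is useful when the change has to be rolled out to several clients. The following PowerShell is an added example and is not part of the original Microsoft article; the function name Set-KerberosMaxPacketSize is hypothetical, and it assumes an elevated session on the client.

```powershell
# Added example: scripted form of the manual Registry Editor steps.
# The function name is hypothetical; the key path and value name are the article's.
function Set-KerberosMaxPacketSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 1 forces the Kerberos client to use TCP, as described in the article.
        [int]$Value = 1
    )

    $key  = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $name = 'MaxPacketSize'

    # The Parameters key may not exist yet; create it in that case.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # Read the current value; $current stays $null when it was never set.
    $current = $null
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $current = $prop.$name }
    }

    # Nothing to do when the value is already in place.
    if ($current -eq $Value) {
        Write-Verbose "$name is already $Value; nothing to change."
        return [pscustomobject]@{
            Previous = $current; Current = $current
            Changed  = $false;   RestartRequired = $false
        }
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Value")) {
        # -Force overwrites an existing value, including one of the wrong type.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $Value -Force | Out-Null
        return [pscustomobject]@{
            Previous = $current; Current = $Value
            Changed  = $true;    RestartRequired = $true
        }
    }
}

# Preview with -WhatIf first, then apply. A restart is still needed afterwards.
Set-KerberosMaxPacketSize -Value 1 -WhatIf
```

The returned object records the previous value, so a rollout can log what each client had before the change.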
Did this fix the problem?
- Check whether the problem is fixed. If the problem is fixed, you are finished with this section. If the problem is not fixed, you can contact support.
Article ID: 244474 - Last Review: 12/14/2010 06:19:00 - Revision: 9.0