Symptoms
Consider the following scenario:
-
You have two computers that are running Windows Server 2008 or Windows Vista. One computer sends a Kerberos authentication message to the other computer.
-
The Kerberos authentication uses the Advanced Encryption Standard (AES) algorithm to encrypt and decrypt the authentication data.
In this scenario, the Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f, and you receive an error message. However, the error message that you receive may vary for different applications. For example, if you try to connect to SQL Server 2005 or SQL Server 2008 Analysis Services by using Excel, you receive one of the following error messages:
Message 1The Function requested is not supported
Message 2
The message or signature supplied for verification has been altered
Cause
The SpSealMessage function and the SpUnsealMessage function do not encrypt and decrypt authentication messages correctly when the message size is not divisible by the expected block size.
Resolution
Hotfix information
Important When you click the "View and request hotfix downloads" link, Windows Vista will be the only product that is displayed. However, the fix for Windows Vista applies to both Windows Vista and Windows Server 2008.
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix. If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix. Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site:http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language. Important Windows Vista and Windows Server 2008 hotfixes are included in the same packages. However, only one of these products may be listed on the “Hotfix Request” page. To request the hotfix package that applies to both Windows Vista and Windows Server 2008, just select the product that is listed on the page.
Prerequisites
To apply this hotfix, your computer must be running one of the following operating systems:
-
Windows Vista Service Pack 1 (SP1)
-
Windows Vista Service Pack 2 (SP2)
-
Windows Server 2008
-
Windows Server 2008 Service Pack 2 (SP2)
Restart requirement
You must restart the computer after you apply this hotfix.
Scope of fix installation
The fix has to be installed on both the client-side and server-side of the connection. If many clients are affected, it may make sense to roll out the fix to all Windows Vista and Server 2008 systems in the Enterprise.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
For all supported x86-based versions of Windows Vista and of Windows Server 2008
File name |
File version |
File size |
Date |
Time |
Platform |
---|---|---|---|---|---|
Kerberos.dll |
6.0.6001.22435 |
500,736 |
18-May-2009 |
13:49 |
x86 |
Kerberos.dll |
6.0.6002.22138 |
500,736 |
18-May-2009 |
13:44 |
x86 |
For all supported x64-based versions of Windows Vista and of Windows Server 2008
File name |
File version |
File size |
Date |
Time |
Platform |
SP requirement |
Service branch |
---|---|---|---|---|---|---|---|
Kerberos.dll |
6.0.6001.22435 |
657,920 |
18-May-2009 |
14:04 |
x64 |
SP1 |
Not Applicable |
Kerberos.dll |
6.0.6001.22435 |
500,736 |
18-May-2009 |
13:49 |
x86 |
SP1 |
WOW |
Kerberos.dll |
6.0.6002.22138 |
657,920 |
18-May-2009 |
13:45 |
x64 |
SP2 |
Not Applicable |
Kerberos.dll |
6.0.6002.22138 |
500,736 |
18-May-2009 |
13:44 |
x86 |
SP2 |
WOW |
Workaround
To work around the issue, use the NTLM authentication instead of the Kerberos authentication.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More Information
For more information about the SpSealMessage function, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/aa380181(VS.85).aspxFor more information about the SpUnsealMessage function, visit the following Microsoft Web site:
http://msdn.microsoft.com/en-us/library/aa380184(VS.85).aspxFor more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates