A user called in with an interesting issue. She said; "When I attempt to access resources across a VPN connection with an Windows XP client it fails". She was connecting to a Small Business Server 2003 server......hmmmmm. She said it had been working before, but as far as she knew nothing had changed on either the server or the client.
Started with the server:
Ran Dcdiag - there weren't any errors, however Netdiag returned the following 2 errors:
DC list test . . . . . . . . . . . : Failed [WARNING] Cannot call DsBind to COMPUTERNAMEDC.domain.com (123.456.789.00). [ERROR_DOMAIN_CONTROLLER_NOT_FOUND]
Kerberos test. . . . . . . . . . . : Failed [FATAL] Kerberos does not have a ticket for MEMBERSERVER$.]
So is it a binding issue, a Kerberos issue or what?
This is how authentication is supposed to work between SBS2003 and Windows XP clients that like each other.
Per article 244474, "Kerberos authentication is the default authentication package used in Windows Server 2003 and Windows XP".....ok.
"(RFC) 1510 states that the client should send a User Datagram Protocol (UDP) datagram to port 88 at the IP address of the Key Distribution Center (KDC) when a client contacts the KDC. The KDC should respond with a reply datagram to the sending port at the sender's IP address. The RFC also states that UDP must be the first protocol that is tried.". Really....
UDP? Doesn't UDP have a tendancy to fragment? Could it be a fragmentation issue?
What if I don't want to use UDP. What are my protocol options?
If not to UDP....then you must TCP.
Lets change protocols and see what happens.
In order to force Kerberos to use TCP you change MaxPacketSize to 1.
To do this, follow these steps:
|Start Registry Editor. |
|Locate and then click the following registry subkey: |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters Note If the Parameters key does not exist, create it now.
|On the Edit menu, point to New, and then click DWORD Value. |
|Type MaxPacketSize , and then press ENTER. |
|Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK. |
|Quit Registry Editor. |
|Restart your computer. |
So did it work? Absolutely!
So why did this happen anyway?
Per 24474, "By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.
If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet."