Microsoft KB Archive/306131

= Kerberos Negative Caching Causes Logon to Not Be Retried on PDC =

Article ID: 306131

Article Last Modified on 2/20/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q306131



SYMPTOMS
When a DC that is not the PDC fails an authentication with STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE or STATUS_ACCOUNT_LOCKED_OUT (collectively referred to later as BAD_PASSWORD_STATUS), the logon is retried at the PDC. In Windows 2000 Service Pack 2 (SP2), the Kerberos authentication package implements a negative-caching mechanism: once 1 logon request has returned any of the preceding BAD_PASSWORD_STATUS statuses, forwarding of requests to the PDC is stopped for a period of 5 minutes. This was implemented to help reduce the number of logon requests handled on the PDC.



CAUSE
When a DC receives an authentication attempt that results in a BAD_PASSWORD_STATUS status, a cache entry is made for the requestor. If Account Lockout is enabled, the cache entry is not created until the PDC returns STATUS_ACCOUNT_LOCKED_OUT. When a subsequent authentication attempt for that user name results in BAD_PASSWORD_STATUS, the DC forwards up to 10 logon requests; once these are exceeded, the BDC will not forward requests to the PDC for 10 minutes. After 10 minutes, if an authentication at the BDC generates BAD_PASSWORD_STATUS, the request is retried again on the PDC. If the PDC returns BAD_PASSWORD_STATUS, no more logon requests are attempted on the PDC for another 10 minutes.

To determine how many times a failed logon will be retried at the PDC with account lockout, add 10 to the account lockout threshold. Note that if the AvoidPDCOnWan setting is enabled, the logon will not be retried on the PDC.
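The forwarding decision described above, as an added model that is not Microsoft's code or the real Kerberos package: the 10-forward budget, the 10-minute window and the AvoidPDCOnWan switch are parameters, the PDC is a constructed stub that always sees a bad password and locks the account at the threshold, and, as the text states, a lockout-enabled cache entry is only created once the PDC returns STATUS_ACCOUNT_LOCKED_OUT. The pdc_retries helper reproduces the "threshold plus 10" count from the paragraph above.

```python
from dataclasses import dataclass, field

BAD_PASSWORD_STATUS = {"STATUS_WRONG_PASSWORD", "STATUS_PASSWORD_EXPIRED",
                       "STATUS_PASSWORD_MUST_CHANGE", "STATUS_ACCOUNT_LOCKED_OUT"}

@dataclass
class CacheEntry:
    forwards: int = 0            # retries sent to the PDC since the entry was created
    suppressed_until: float = 0  # minute timestamp before which nothing is forwarded

@dataclass
class Bdc:                       # non-PDC domain controller with the negative cache
    lockout_threshold: int = 0   # 0 = account lockout disabled
    avoid_pdc_on_wan: bool = False
    max_forwards: int = 10       # forwards allowed once a cache entry exists
    suppress_minutes: float = 10
    cache: dict = field(default_factory=dict)

    def logon(self, user, local_status, now, pdc):
        """Local auth ended with local_status; returns (client status, forwarded?)."""
        if local_status not in BAD_PASSWORD_STATUS or self.avoid_pdc_on_wan:
            return local_status, False          # nothing to retry, or retry disabled
        entry = self.cache.get(user)
        if entry is not None and now < entry.suppressed_until:
            return local_status, False          # inside the blackout window
        pdc_status = pdc(user)                  # retry the logon at the PDC
        if pdc_status in BAD_PASSWORD_STATUS:
            if entry is None:
                # With lockout enabled the entry waits for STATUS_ACCOUNT_LOCKED_OUT.
                if not self.lockout_threshold or pdc_status == "STATUS_ACCOUNT_LOCKED_OUT":
                    self.cache[user] = CacheEntry()
            else:
                entry.forwards += 1
                if entry.forwards >= self.max_forwards:   # budget spent, or the one
                    entry.suppressed_until = now + self.suppress_minutes  # post-blackout retry failed
        return pdc_status, True

def make_pdc(lockout_threshold):
    """Constructed PDC stub: every request is a bad password; locks at the threshold."""
    bad = {}
    def pdc(user):
        bad[user] = bad.get(user, 0) + 1
        locked = lockout_threshold and bad[user] >= lockout_threshold
        return "STATUS_ACCOUNT_LOCKED_OUT" if locked else "STATUS_WRONG_PASSWORD"
    return pdc

def pdc_retries(lockout_threshold, attempts=40, now=0):
    """How many of `attempts` back-to-back bad logons at the BDC reach the PDC."""
    bdc, pdc = Bdc(lockout_threshold=lockout_threshold), make_pdc(lockout_threshold)
    return sum(bdc.logon("alice", "STATUS_WRONG_PASSWORD", now, pdc)[1] for _ in range(attempts))
```

With lockout disabled the model forwards the entry-creating request plus 10 more; with a lockout threshold of 5 it forwards 15, matching the "add 10 to the threshold" rule.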



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

 Date         Time   Version        Size     File name
 -----------  -----  -------------  -------  ------------
 08-Oct-2001  14:28  5.0.2195.4472  123,664  Adsldp.dll
 08-Oct-2001  14:28  5.0.2195.4308  130,832  Adsldpc.dll
 08-Oct-2001  14:28  5.0.2195.4016   62,736  Adsmsext.dll
 08-Oct-2001  14:28  5.0.2195.4384  364,816  Advapi32.dll
 08-Oct-2001  14:28  5.0.2195.4141  133,904  Dnsapi.dll
 08-Oct-2001  14:28  5.0.2195.4379   91,408  Dnsrslvr.dll
 08-Oct-2001  14:29  5.0.2195.4411  529,168  Instlsa5.dll
 08-Oct-2001  14:28  5.0.2195.4437  145,680  Kdcsvc.dll
 04-Oct-2001  17:00  5.0.2195.4471  199,440  Kerberos.dll
 04-Sep-2001  05:32  5.0.2195.4276   71,024  Ksecdd.sys
 27-Sep-2001  11:58  5.0.2195.4411  511,248  Lsasrv.dll
 06-Sep-2001  14:31  5.0.2195.4301   33,552  Lsass.exe
 27-Sep-2001  11:59  5.0.2195.4285  114,448  Msv1_0.dll
 08-Oct-2001  14:28  5.0.2195.4153  312,080  Netapi32.dll
 08-Oct-2001  14:28  5.0.2195.4357  370,448  Netlogon.dll
 08-Oct-2001  14:28  5.0.2195.4464  912,656  Ntdsa.dll
 08-Oct-2001  14:28  5.0.2195.4433  387,856  Samsrv.dll
 08-Oct-2001  14:28  5.0.2195.4117  111,376  Scecli.dll
 08-Oct-2001  14:28  5.0.2195.4476  299,792  Scesrv.dll
 08-Oct-2001  14:28  5.0.2195.4025   50,960  W32time.dll
 01-Aug-2001  17:44  5.0.2195.4025   56,592  W32tm.exe
 08-Oct-2001  14:28  5.0.2195.4433  125,712  Wldap32.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes

Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbenv kbsecurity kbhotfixserver KB306131

-

© Microsoft Corporation. All rights reserved.