Microsoft KB Archive/318364

= Users Cannot Log On to the Domain After Password Changes on a Remote Domain Controller =

Article ID: 318364

Article Last Modified on 2/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2

-



This article was previously published under Q318364



SYMPTOMS
After you change a user account password on a remote domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role, the user may not be able to log on to a local domain controller by entering the new password. However, the user may still be able to log on to the domain by using their previous password.



CAUSE
This behavior may occur when the following conditions are true:
 * The remote domain controller has not yet replicated with the local domain controller.
 * Kerberos is configured to use User Datagram Protocol (UDP) protocol (the default configuration).
 * The user's security token is too large to fit in a UDP Kerberos message.

NOTE: The user's security token may be large if that user is a member of many groups.

This problem is caused by the anti-replay feature of Kerberos authentication on the local domain controller. The following steps illustrate this behavior:
 * 1) The user account password is changed on the remote domain controller, but that change has not yet been replicated to the local domain controller.
 * 2) The user tries to log on to the domain by using the new password. The Kerberos Authentication Service Exchange message (KRB_AS_REQ) is sent to the local domain controller by using UDP.
 * 3) The local domain controller fails the authentication because it does not yet have the new password information.
 * 4) The local domain controller forwards the request to the remote PDC (KDCSVC!FailedLogon).
 * 5) In the FailedLogon function, an entry for the request is entered into the replay-detection table, and the KRB_AS_REQ message is sent to the remote PDC.
 * 6) The remote PDC successfully authenticates the request, and then returns a positive reply to the local domain controller.
 * 7) The local domain controller detects that the reply is too large for a UDP packet, and therefore sends a request to the client computer to resend the request by using Transmission Control Protocol (TCP).
 * 8) The client computer resubmits the authentication request by using TCP.
 * 9) The local domain controller fails the authentication because it does not yet have the new password information (as in step 3).
 * 10) The local domain controller forwards the request to the remote PDC domain controller (KDCSVC!FailedLogon) (as in step 4).
 * 11) The replay detection check in the FailedLogon function returns a KRB_AP_ERR_REPEAT message because an entry for this request is already present in the replay detection table. This is the entry that was created in step 5.

The authentication attempt fails.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

  Date         Time   Version           Size     File name ---  22-Mar-2002  23:55  5.0.2195.4959     123,664  Adsldp.dll 30-Jan-2002 00:52  5.0.2195.4851     130,832  Adsldpc.dll 30-Jan-2002 00:52  5.0.2195.4016      62,736  Adsmsext.dll 22-Mar-2002 23:55  5.0.2195.5201     356,624  Advapi32.dll 22-Mar-2002 23:55  5.0.2195.4985     135,952  Dnsapi.dll 22-Mar-2002 23:55  5.0.2195.4985      95,504  Dnsrslvr.dll 22-Mar-2002 23:56  5.0.2195.5013     521,488  Instlsa5.dll 22-Mar-2002 23:55  5.0.2195.5246     145,680  Kdcsvc.dll 22-Mar-2002 23:50  5.0.2195.5246     199,952  Kerberos.dll 07-Feb-2002 19:35  5.0.2195.4914      71,024  Ksecdd.sys 02-Mar-2002 21:32  5.0.2195.5013     503,568  Lsasrv.dll 02-Mar-2002 21:32  5.0.2195.5013      33,552  Lsass.exe 08-Dec-2001 00:05  5.0.2195.4745     107,280  Msv1_0.dll 22-Mar-2002 23:55  5.0.2195.4917     306,960  Netapi32.dll 22-Mar-2002 23:55  5.0.2195.4979     360,208  Netlogon.dll 22-Mar-2002 23:55  5.0.2195.5221     917,264  Ntdsa.dll 22-Mar-2002 23:55  5.0.2195.5201     386,832  Samsrv.dll 30-Jan-2002 00:52  5.0.2195.4874     128,784  Scecli.dll 22-Mar-2002 23:55  5.0.2195.4968     299,792  Scesrv.dll 30-Jan-2002 00:52  5.0.2195.4600      48,400  W32time.dll 06-Nov-2001 19:43  5.0.2195.4600      56,592  W32tm.exe 22-Mar-2002 23:55  5.0.2195.5011     125,712  Wldap32.dll



WORKAROUND
To work around this issue, perform user account password changes on the local domain controller or force Kerberos to use TCP instead of UDP.

For additional information about how to configure Kerberos to use TCP, click the article number below to view the article in the Microsoft Knowledge Base:

244474 Forcing Kerberos to Use TCP Rather Than UDP in Windows 2000



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
The Kerberos anti-replay feature prevents the same packet from being received two times by the authenticating server. A replay attack is an attack in which a valid data transmission is maliciously or fraudulently repeated, either by the originator or by an adversary who intercepts the data and retransmits it. An attacker may attempt to &quot;replay&quot; a valid user's user name and password in an attempt to authenticate by using that user's credentials.

Additional query words:

Keywords: kbbug kbfix kbwin2000presp3fix kbqfe kbwin2000sp3fix kbsecurity kbhotfixserver KB318364

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.