Microsoft KB Archive/843427

= You experience a long delay when you log on to a domain through a NAT server =

Article ID: 843427

Article Last Modified on 7/6/2007


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Server




SYMPTOMS
You may notice a delay when you log on to your domain account, and the logon may revert to NTLM authentication. This behavior occurs when the following conditions are true:
 * You try to use Kerberos to log on to your domain account.
 * The only domain controller that is available to service your logon is on the other side of a Network Address Translation (NAT).



CAUSE
This behavior occurs when the NAT does not translate the netlogon packet. When the DsGetDcName function is invoked, the address that is returned through the NAT in the DOMAIN_CONTROLLER_INFO structure is the real IP address of the domain controller, not a translated address.
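
One way to check a client for the condition described above, as an added example that is not part of the original article: it parses captured output of `nltest /dsgetdc:<domain>` (which prints the DsGetDcName result) and reports when the returned domain controller address lies outside the ranges the client can route to. The sample output, host names, addresses and the `reachable_networks` list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `nltest /dsgetdc:<domain>` output captured on a client
# behind the NAT; the names and addresses are made up for illustration.
SAMPLE_NLTEST_OUTPUT = r"""
           DC: \\dc01.corp.example
      Address: \\10.20.0.5
     Dom Name: corp.example
  Forest Name: corp.example
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
The command completed successfully
"""

def parse_dsgetdc(text):
    """Return the 'Key: value' fields of the locator result as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.*\S)\s*$", line)
        if m:
            # Strip the leading \\ that prefixes the DC name and address.
            fields[m.group(1)] = m.group(2).lstrip("\\")
    return fields

def check_locator_address(text, reachable_networks):
    """Flag a DC address that lies outside the networks the client can route to.

    reachable_networks is an assumption supplied by the operator: the CIDR
    ranges (including the NAT's translated range) visible from the client side.
    """
    fields = parse_dsgetdc(text)
    if "Address" not in fields:
        raise ValueError("no Address field in locator output")
    addr = ipaddress.ip_address(fields["Address"])
    nets = [ipaddress.ip_network(n) for n in reachable_networks]
    return {
        "dc": fields.get("DC"),
        "address": str(addr),
        # True means the locator handed back the DC's real, untranslated address.
        "untranslated": not any(addr in n for n in nets),
        "kdc_advertised": "KDC" in fields.get("Flags", "").split(),
    }

if __name__ == "__main__":
    # The client sees the DC only through 192.0.2.0/24 (constructed NAT range).
    print(check_locator_address(SAMPLE_NLTEST_OUTPUT, ["192.0.2.0/24"]))
```

An `untranslated` result of `True` on a client that also shows slow logons and NTLM fallback matches the symptoms this article describes.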



RESOLUTION
To resolve this behavior, you must configure the network so that NAT does not deal directly with the netlogon packets.

For more information, see the following Microsoft Knowledge Base article:

317509 Windows 2000 NAT Editors



WORKAROUND
To work around this behavior, you must configure a domain controller to be local to the clients so that NAT does not handle the netlogon packet.



STATUS
This behavior is by design.

Additional query words: Win2k win2000 winxp win2003 win2k3

Keywords: kbnat kbkerberos kbnetwork_routerissues kbprb KB843427


© Microsoft Corporation. All rights reserved.