Microsoft KB Archive/317896

= A Kerberos Client Always Sends Client Addresses in Windows 2000 =

Article ID: 317896

Article Last Modified on 10/27/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q317896





For a Microsoft Windows XP version of this article, see 318071.



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
The Windows 2000 Kerberos client always asks for the client addresses to be added to the Ticket Granting Ticket (TGT) in the Authentication Service (AS) request.

You may not want this behavior to be used because the tickets are larger on the network. By default, Windows 2000 includes the addresses if it is a member of an Active Directory-based domain. Windows 2000 does not include the addresses if it is configured for a third-party realm.

Including the addresses in the ticket request and having the Key Distribution Centers (KDC) check them can cause problems if the client changes its IP address during the lifetime of the ticket, or if the client communicates with the KDC by using a Network Address Translation (NAT) service.

Note that a Windows 2000-based KDC does not check these addresses.



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can enable the sending of the addresses after you install Service Pack 3 (SP3) by making this registry change:

 1. Start Registry Editor (Regedt32.exe).
 2. Locate and click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

 3. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: ClientIpAddresses
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1

 4. Quit Registry Editor.

NOTE: If ClientIpAddresses is not set, it is treated as 0, so after SP3 is installed the addresses are not sent unless you set this value. For computers that are members of Windows 2000-based domains, you do not have to set the registry key.

For third-party realms that require the client addresses, you can selectively enable the addresses by making this registry change:

 1. Start Registry Editor (Regedt32.exe).
 2. Locate and click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\

 3. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: RealmFlags
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1

 4. Quit Registry Editor.

You must restart the computer for these registry changes to become active.
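The following PowerShell script is an added example, not part of the KB article (which uses Regedt32 on Windows 2000): it reports the effective state of the two values described above and, only when asked, writes them. It assumes an elevated session on a host with the HKLM: provider, and $RealmName is a placeholder for the realm key name under Kerberos\Domains.

```powershell
# Added example (not the article's own procedure): audit ClientIpAddresses and
# RealmFlags, and optionally set them to the value 1 the article specifies.
# Assumptions: elevated PowerShell, HKLM: drive available, $RealmName replaced
# with the actual third-party realm key name under ...\Kerberos\Domains.
param(
    [string]$RealmName = 'EXAMPLE.REALM',   # placeholder realm key name
    [switch]$SetGlobal,                     # write ClientIpAddresses = 1
    [switch]$SetRealm                       # write RealmFlags = 1 for $RealmName
)

$paramsKey = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$realmKey  = "HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\$RealmName"

function Get-DwordOrDefault {
    param([string]$Path, [string]$Name, [int]$Default = 0)
    # The article states an unset ClientIpAddresses behaves as 0, so 0 is the default.
    if (-not (Test-Path $Path)) { return $Default }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

# Report the current state before changing anything.
$clientIp   = Get-DwordOrDefault -Path $paramsKey -Name 'ClientIpAddresses'
$realmFlags = Get-DwordOrDefault -Path $realmKey  -Name 'RealmFlags'
Write-Host ("ClientIpAddresses (all realms): {0} -> addresses sent globally: {1}" -f $clientIp, [bool]$clientIp)
Write-Host ("RealmFlags for {0}: 0x{1:X} -> low bit set: {2}" -f $RealmName, $realmFlags, [bool]($realmFlags -band 1))

if ($SetGlobal) {
    # Creates the Parameters key if it is missing and writes the REG_DWORD value.
    New-Item -Path $paramsKey -Force | Out-Null
    New-ItemProperty -Path $paramsKey -Name 'ClientIpAddresses' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'ClientIpAddresses set to 1 (restart required).'
}
if ($SetRealm) {
    # Selective enablement for one third-party realm, as the article describes.
    New-Item -Path $realmKey -Force | Out-Null
    New-ItemProperty -Path $realmKey -Name 'RealmFlags' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "RealmFlags for $RealmName set to 1 (restart required)."
}
```

Run it without switches first to see whether the client will include addresses in its AS request; use -SetRealm rather than -SetGlobal when only a third-party realm needs them, which keeps domain tickets smaller and avoids the NAT and address-change problems described above.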


STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.


Keywords: kbbug kbfix kbwin2000presp3fix kbwin2000sp3fix kbsecurity KB317896

-


© Microsoft Corporation. All rights reserved.