Microsoft KB Archive/906736

From BetaArchive Wiki


You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003

Article ID: 906736

Article Last Modified on 8/28/2007



APPLIES TO

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry


SYMPTOMS

When you run a high-volume server program on a domain member that uses Kerberos to authenticate users, you experience a delay in the user-authentication process. Additionally, you notice an increase in remote procedure call (RPC) traffic over the Net Logon RPC interface between the server and the domain controller.

When you enable debug logging for the Net Logon service on the domain member or on the domain controller, the following entry is logged in the Netlogon.log file:

[LOGON] SamLogon: Generic logon of <domain name>\(null) from (null) Package: Kerberos Entered


CAUSE

This problem occurs because the Kerberos client verifies the Privilege Attribute Certificate (PAC) signature in the Kerberos ticket by using the domain controller. The Kerberos client performs this verification to prevent PAC spoofing. The increased network traffic is generated by the RPC requests that are part of this verification process.

The Kerberos client performs this verification only for untrusted callers. User-mode applications are recognized as untrusted callers.

RESOLUTION

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 2.

MORE INFORMATION

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

In Windows Server 2003 SP2, you can turn off PAC verification for services. To do this, add the ValidateKdcPacSignature registry entry to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters


Add ValidateKdcPacSignature as a DWORD value on the servers that authenticate users in application services. These servers may include domain controllers. When the value of this entry is 0, Kerberos does not perform PAC validation for a process that runs as a service. When the value of this entry is 1, Kerberos performs PAC validation as usual. You do not have to restart the computer after you modify this registry entry. When this entry is not present, the system behaves as if the entry were present with a value of 1. The default value for this entry in Windows Server 2008 is 0.
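The following PowerShell script is an added example, not part of this article: it reports the effective PAC-validation state of the registry entry described above (treating an absent entry as 1, as the article states) and counts the Netlogon.log entries that indicate PAC verification requests, so you can measure the load before deciding whether to turn validation off for services. The function names, the log path, and the sample log lines are assumptions constructed for illustration.

```powershell
# Added example (not from KB 906736). Assumes an elevated session on the
# domain member. Function names and sample log lines are constructed.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Name    = 'ValidateKdcPacSignature'

function Get-PacValidationState {
    # Per the article, a missing entry behaves as if it were present with value 1.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Effective = 1 }
    }
    $v = [int]($item.$Name)
    return [pscustomobject]@{ Present = $true; Value = $v; Effective = $v }
}

function Set-PacValidation {
    # 1 = validate the KDC PAC signature (default); 0 = skip it for services.
    # Setting 0 means a service trusts the PAC without the DC check, so keep it at 1
    # unless the authentication delay described in the article is confirmed.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $Value -Type DWord
}

function Measure-PacVerificationEntries {
    # Counts, per domain, the Netlogon.log entries the article associates with
    # PAC verification: generic Kerberos logons of <domain>\(null) from (null).
    param([string[]]$Lines)
    $pattern = '\[LOGON\] SamLogon: Generic logon of (?<domain>[^\\]+)\\\(null\) from \(null\) Package: Kerberos Entered'
    $counts = @{}
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $d = $Matches['domain']
            if ($counts.ContainsKey($d)) { $counts[$d]++ } else { $counts[$d] = 1 }
        }
    }
    return $counts
}

# Constructed sample lines; replace with Get-Content "$env:SystemRoot\debug\netlogon.log".
$sample = @(
    '08/28 10:00:01 [LOGON] SamLogon: Generic logon of CONTOSO\(null) from (null) Package: Kerberos Entered',
    '08/28 10:00:01 [LOGON] SamLogon: Network logon of CONTOSO\alice from WS01 Entered',
    '08/28 10:00:02 [LOGON] SamLogon: Generic logon of CONTOSO\(null) from (null) Package: Kerberos Entered'
)

$state = Get-PacValidationState
"ValidateKdcPacSignature present: $($state.Present); effective value: $($state.Effective) (1 = PAC validation on)"
$counts = Measure-PacVerificationEntries -Lines $sample
$counts.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value) PAC verification entries" }
```

On the sample lines the count for CONTOSO is 2; run the same function over the real Netlogon.log to see how many verification round trips the server generates per interval.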

For more information about how to enable debug logging for the Net Logon service, click the following article number to view the article in the Microsoft Knowledge Base:

109626 Enabling debug logging for the Net Logon service


Keywords: kbqfe kbwinserv2003sp2fix kbtshoot kbbug KB906736