Symptom:
The customer's administrators enabled "Interactive logon: Require Domain Controller authentication for unlocking" in Group Policy to protect access to client resources. Users are in the habit of locking the screen when they leave their desks; normally entering the password restores the desktop immediately, but some users have to wait roughly 30-60 seconds for the verification to pass, which hurts office productivity.
Environment:
Most clients run XP, with a small number on Win7. AD is a parent/child domain structure in which the child domain handles client logon authentication. The domain controllers are a mix of 2003 and 2008 systems spread across different sites, and by default the clients authenticate against the 2003 domain controllers.
Workaround: create the following registry value on the client:
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: MaxPacketSize
Type: REG_DWORD
Value: 1
Root cause analysis:
Since 2003, AD has used the Kerberos protocol for authentication, and Kerberos can run over either TCP or UDP. Under the RFC 1510 specification, XP clients first send their packets over UDP to port 88 of the KDC on the domain controller. RFC 4120 is now replacing 1510 and requires that the KDC accept TCP requests; Vista, 2008 and later use TCP directly by default.
By default, 2003 uses a maximum UDP packet size of 1465 bytes and XP uses 2000 bytes; anything larger than this maximum goes over TCP, and the UDP maximum can be changed through the registry. When an XP client submits an authentication packet to a 2003 domain controller it tries UDP first. The packet size varies with the user account, and the biggest contributors are SID history and group memberships (most of the affected user accounts were routinely used for group testing, that is, they were repeatedly added to and removed from different groups, which is why they carry such a large SID history). Once the packet reaches the maximum, the system fragments it before sending. Because UDP is inherently unreliable, the fragments arrive at the destination out of order and there is no integrity feedback, so the end result is packet loss. The client knows nothing of this; it can only wait, resend over UDP after a timeout, and then fall back to TCP, which finally completes the verification.
Setting MaxPacketSize=1 in the registry forces the client to send Kerberos packets over TCP, which, being connection-oriented, does not lose packets (note that Vista, 2008 and later default to MaxPacketSize=0 but in practice already force TCP). This explains why the different combinations of XP/Win7/Server 2003/2008 produce different logon results.
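The workaround above as a script, added here as an example and not part of the original post: it reports the current MaxPacketSize, probes TCP/88 on the domain controller (the $Dc parameter is an assumption, defaulting to the logon server) before forcing TCP, since a client with MaxPacketSize=1 depends entirely on TCP/88 reaching the KDC, and then applies the value.

```powershell
# Added example (not from the original post). Assumes PowerShell 2.0 or later
# and that $Dc names a reachable domain controller; run elevated to apply.
param(
    [string]$Dc = $env:LOGONSERVER.TrimStart('\'),  # assumed: DC whose KDC we probe
    [switch]$Apply                                  # without -Apply, audit only
)

$KerbKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName = 'MaxPacketSize'

function Test-KdcTcpPort {
    # Forcing TCP only helps if TCP/88 actually reaches the KDC through every firewall.
    param([string]$Server, [int]$Port = 88, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-KerberosTransportSetting {
    # Absent/0 = OS default UDP threshold; 1 = TCP forced; other = custom UDP limit in bytes.
    $v = (Get-ItemProperty -Path $KerbKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $v -or $v -eq 0) { return @{ Value = $v; Effect = 'OS default UDP threshold (XP: 2000, 2003: 1465 bytes)' } }
    if ($v -eq 1) { return @{ Value = $v; Effect = 'TCP forced for all Kerberos traffic' } }
    return @{ Value = $v; Effect = "UDP up to $v bytes, TCP above that" }
}

function Set-KerberosForceTcp {
    # Create the Parameters key if it does not exist, then create or overwrite the DWORD.
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    New-ItemProperty -Path $KerbKey -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    return (Get-ItemProperty -Path $KerbKey -Name $ValueName).$ValueName
}

$before = Get-KerberosTransportSetting
Write-Host ("{0} = {1} : {2}" -f $ValueName, $before.Value, $before.Effect)

if ($Apply) {
    if (-not (Test-KdcTcpPort -Server $Dc)) {
        Write-Warning "TCP/88 to $Dc is not reachable; forcing TCP would break Kerberos logon. Not applying."
        return
    }
    $after = Set-KerberosForceTcp
    Write-Host ("{0} is now {1} (TCP forced); re-test the unlock delay." -f $ValueName, $after)
}
```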
This article is from the "Ghost Emperor" blog; please retain this source: http://ghostlan.blog.51cto.com/5413429/1300000