Wednesday, September 30, 2009

Event ID: 10 (And how to force Kerberos to use TCP instead of UDP)

I've only ever seen this on computers or servers that are trying to authenticate over slow/high latency VPN tunnels at remote offices. Usually the machine will log event ID 10:

"The kerberos subsystem is having problems fetching tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Please contact your system administrator."

This event is usually logged alongside numerous other problems, such as LSA events, failures logging into machines, and issues with Outlook (if it connects to an Exchange server over the VPN tunnel).

The solution is to force the machine to use TCP instead of UDP for Kerberos. The Kerberos UDP packets are being fragmented and are dropped when the fragments arrive out of order, which is why the problem usually appears when a high-latency VPN tunnel is involved.

Open the registry editor and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

If the Parameters key doesn't exist, create it. Next, add a DWORD value named MaxPacketSize and set it to 1 (decimal). Restart the machine.
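The same procedure as a script, added here as an example and not taken from the original post: it counts recent Kerberos Event ID 10 entries in the System log, reads the current MaxPacketSize value, and applies the MaxPacketSize = 1 setting when the symptom is present. It assumes an elevated PowerShell session on the affected machine and that the event source that logs Event ID 10 is named 'Kerberos' (adjust the provider name if your event viewer shows a different source).

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Checks for the Kerberos Event ID 10
# symptom and applies the MaxPacketSize = 1 fix that forces Kerberos over TCP.
# Assumptions: run in an elevated PowerShell on the affected Windows machine;
# the event provider name 'Kerberos' matches the source that logs Event ID 10.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosUdpEvents {
    # Returns recent Event ID 10 entries from the Kerberos source in the System log.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Kerberos'   # assumed source name
        Id           = 10
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-KerberosMaxPacketSize {
    # Returns the current MaxPacketSize DWORD, or $null when the value (or the
    # Parameters key) is absent and the OS default applies.
    if (-not (Test-Path $KerbParams)) { return $null }
    $item = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosTcpOnly {
    # Creates the Parameters key if needed and sets MaxPacketSize to 1 (decimal),
    # which is smaller than any real Kerberos message, so every request goes over TCP.
    if (-not (Test-Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    New-ItemProperty -Path $KerbParams -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null
    return Get-KerberosMaxPacketSize
}

# --- usage ---
$events = @(Get-KerberosUdpEvents -Days 7)
Write-Host ("Kerberos Event ID 10 entries in the last 7 days: {0}" -f $events.Count)

$current = Get-KerberosMaxPacketSize
if ($null -eq $current) {
    Write-Host 'MaxPacketSize is not set; the OS default applies.'
} else {
    Write-Host "MaxPacketSize is currently $current"
}

if ($events.Count -gt 0 -and $current -ne 1) {
    $new = Set-KerberosTcpOnly
    Write-Host "MaxPacketSize set to $new. Restart the machine for Kerberos to pick it up."
}
```

The change only takes effect after a restart, as the post says. Windows Vista and later already use TCP for Kerberos by default, so the registry value mainly matters for the Windows XP and Server 2003 era machines this post was written about; on newer systems the script's event check is still a useful way to confirm whether UDP fragmentation is the problem at all.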

More info about this can be found here: http://support.microsoft.com/kb/244474
