Saturday, September 23, 2006

Logon problems over VPN

When I set up a VPN connection using two Linksys BEFSX41 routers and attempted a domain logon across the VPN, I received inconsistent results. Logon times were slow (over 10 minutes), the logon script would not run, and there were other odd errors. The logon was perfect with some accounts (most likely because they were using cached credentials), but these slow logon times were horrible. After the logon timed out, I could still ping the other end of the VPN and the computers on the other subnet. Name resolution worked fine, and from the other end of the VPN (the side where the domain controller resides) logon times were perfect. I could also access all the computers giving me problems from the other side of the VPN.

After searching for a resolution, I found that many others had the same issue, but no solid solutions were suggested. Some suggested workarounds included creating a local user account with the same credentials. I couldn't use that as a solution, so I kept looking. I finally found a Microsoft Knowledge Base article explaining that Kerberos logons over UDP can be slow because UDP does not guarantee delivery. If only Kerberos used TCP! Well, Microsoft was also kind enough to provide a solution allowing a computer to use TCP instead of UDP for Kerberos authentication to the domain.

The text of the article includes the following:
--------------------------------------------
By default, the maximum size of datagram packets for which Windows Server 2003 uses UDP is 1,465 bytes. For Windows XP and for Windows 2000, this maximum is 2,000 bytes. Transmission Control Protocol (TCP) is used for any datagram packet that is larger than this maximum. The maximum size of datagram packets for which UDP is used can be changed by modifying a registry key and value.

By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.

If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:

1. Start Registry Editor.
2. Locate and then click the following registry subkey:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
   Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
--------------------------------------------
It even provides a template for using a Group Policy to apply these settings:

--------------------------------------------
CLASS MACHINE

CATEGORY !!KRB_PARAMS

KEYNAME "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"

POLICY !!SET_MAXPACKETSIZE
EXPLAIN !!MAXPACKETSIZE_HELP
PART !!MAXPACKETSIZE NUMERIC REQUIRED
VALUENAME "MaxPacketSize"
MIN 1 MAX 2000 DEFAULT 2000
END PART

PART !!MAXPACKETSIZE_TIP TEXT
END PART
END POLICY

POLICY !!LOGLEVEL
EXPLAIN !!LOGLEVEL_HELP
VALUENAME "LogLevel"
END POLICY
END CATEGORY

[strings]
KRB_PARAMS="Kerberos Parameters"
SET_MAXPACKETSIZE="Set MaxPacketSize"
MAXPACKETSIZE_HELP="The Windows 2000 Kerberos Authentication package is the default in Windows 2000. It coexists with challenge/response (NTLM) and is used in instances in which both a client and server can negotiate Kerberos. Request for Comments (RFC) 1510 states that when a client contacts the Key Distribution Center (KDC), it should send a User Datagram Protocol (UDP) datagram to port 88 at the KDC's IP address. The KDC should respond with a reply datagram to the sending port at the sender's IP address.\n\nWindows 2000, by default, uses UDP when the data can be fit in packets under 2,000 bytes. Any data above this value uses TCP to carry the packets. The value of 2,000 bytes is configurable via this policy."
MAXPACKETSIZE="Bytes: "
MAXPACKETSIZE_TIP="Range is from 1 to 2000. Use 1 to force Kerberos to use TCP."
LOGLEVEL="Kerberos Event Logging"
LOGLEVEL_HELP="Windows 2000 offers the capability of tracing detailed Kerberos events through the event log mechanism. You can use this information when you troubleshoot Kerberos. All Kerberos errors are logged to the System log."
--------------------------------------------
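The registry procedure and the Group Policy template above are the whole fix; the script below is an added example (not from the original post or the Microsoft article) that wraps the same MaxPacketSize setting in PowerShell so it can be inspected, applied, reversed, and checked from the affected client. It assumes Windows PowerShell with Get-WmiObject, an English-locale ping.exe (the "needs to be fragmented" text is matched literally), and klist.exe (built into Vista and later; a Resource Kit tool on XP/2003). The KDC name `dc1.example.local` in the usage comments is a placeholder. One caveat for anyone reading this years later: Windows Vista and later already send Kerberos over TCP by default, so the setting only matters on Windows 2000, XP and Server 2003 clients.

```powershell
# Added example: manage the Kerberos MaxPacketSize setting described in the article.
# Run in an elevated PowerShell session on the client whose logons are slow.
# Assumes Get-WmiObject, English-locale ping.exe, and klist.exe (see lead-in).

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosUdpThreshold {
    # Returns the configured MaxPacketSize, or the OS default quoted in the
    # article when the value is absent: 2000 bytes on Windows 2000/XP (5.0/5.1),
    # 1465 on Windows Server 2003 (5.2). Vista and later (6.x, 10.x) use TCP by
    # default; this function reports that as a threshold of 0 (its own convention).
    $prop = Get-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($prop) { return [int]$prop.MaxPacketSize }
    $ver = [version](Get-WmiObject Win32_OperatingSystem).Version
    if ($ver.Major -ge 6) { return 0 }
    if ($ver.Minor -ge 2) { return 1465 }
    return 2000
}

function Set-KerberosMaxPacketSize {
    # 1 forces TCP for all Kerberos traffic (the fix in the article). Pass the OS
    # default (e.g. 2000) to put the threshold back. Either way a reboot is
    # required, because the Kerberos package reads the value at start-up.
    param([ValidateRange(1, 2000)][int]$Bytes = 1)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name MaxPacketSize -PropertyType DWord `
        -Value $Bytes -Force | Out-Null
    return (Get-ItemProperty -Path $KerbParams -Name MaxPacketSize).MaxPacketSize
}

function Remove-KerberosMaxPacketSize {
    # Reverses the change completely: the OS default applies again after a reboot.
    Remove-ItemProperty -Path $KerbParams -Name MaxPacketSize -ErrorAction SilentlyContinue
}

function Test-TunnelFragmentation {
    # Sends one ping with the Don't Fragment bit set and the payload sized so the
    # IP packet is as large as a UDP Kerberos datagram of $Bytes (ICMP and UDP
    # both add an 8-byte header on top of the 20-byte IP header). A "needs to be
    # fragmented" reply means a datagram that size cannot cross the tunnel whole,
    # which is the precondition for the fragment loss the article describes.
    # It does not prove fragments are being dropped; it shows they would exist.
    param([Parameter(Mandatory=$true)][string]$Kdc,
          [int]$Bytes = (Get-KerberosUdpThreshold))
    if ($Bytes -le 1) { return $false }   # TCP already in use: nothing to fragment
    $out = & ping.exe -n 1 -f -l $Bytes $Kdc 2>&1 | Out-String
    return [bool]($out -match 'needs to be fragmented')
}

function Test-KerberosOverTcp {
    # After the reboot: drop cached tickets, trigger a fresh ticket request by
    # touching SYSVOL on the KDC, then look for a TCP connection to port 88
    # (ESTABLISHED or already in TIME_WAIT) in netstat output.
    param([Parameter(Mandatory=$true)][string]$Kdc)
    & klist.exe purge | Out-Null
    Get-ChildItem "\\$Kdc\SYSVOL" -ErrorAction SilentlyContinue | Out-Null
    $lines = & netstat.exe -n -p TCP | Where-Object { $_ -match ':88\s+(ESTABLISHED|TIME_WAIT)' }
    return [bool]$lines
}

# Usage on the affected client (dc1.example.local is a placeholder KDC name):
#   Get-KerberosUdpThreshold                           # current UDP/TCP cut-over in bytes
#   Test-TunnelFragmentation -Kdc dc1.example.local    # True => datagrams that size fragment in the tunnel
#   Set-KerberosMaxPacketSize -Bytes 1                 # apply the fix, then reboot
#   Test-KerberosOverTcp -Kdc dc1.example.local        # after the reboot: True => Kerberos on TCP/88
#   Remove-KerberosMaxPacketSize                       # undo (reboot again)
```

If you deploy the setting through the ADM template above instead, the same Test-KerberosOverTcp check can confirm on a sample client, after a reboot and a gpupdate, that the policy actually landed.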

After making these changes, the logon time over the 384 kb/s VPN to the domain is less than 30 seconds (a great improvement over the 10 minutes or longer). The bandwidth consistently peaks throughout the logon process as expected, and the users are happier. If you are having slow logon issues over a VPN to a Windows domain, I suggest giving this a try. The results are immediate, and the change is easier to reverse than other suggestions I've read.
