Kerberos Negative Caching Causes Logon to Not Be Retried on PDC (306131)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2

This article was previously published under Q306131

SYMPTOMS

When a DC that is not the PDC fails an authentication with STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE or STATUS_ACCOUNT_LOCKED_OUT (collectively referred to later as BAD_PASSWORD_STATUS), the logon is retried at the PDC. In Windows 2000 Service Pack 2 (SP2), the Kerberos authentication package implements a negative-caching mechanism that stops forwarding requests to the PDC for a period of 5 minutes once a single logon request has returned any of the preceding BAD_PASSWORD_STATUS statuses. This was implemented to help reduce the number of logon requests handled on the PDC.

CAUSE

When a DC receives an authentication attempt that results in a BAD_PASSWORD_STATUS status, a cache entry is made for the requestor. If Account Lockout is enabled, the cache entry is not created until the PDC returns STATUS_ACCOUNT_LOCKED_OUT. When a subsequent authentication attempt for that user name occurs that results in BAD_PASSWORD_STATUS, the DC forwards up to 10 logon requests, and once these are exceeded, the BDC will not forward requests to the PDC for 10 minutes. After 10 minutes, if an authentication at the BDC generates BAD_PASSWORD_STATUS, the request is retried again on the PDC. If the PDC returns BAD_PASSWORD_STATUS, no more logon requests are attempted for another 10 minutes on the PDC.

To determine how many times a failed logon will be retried at the PDC with account lockout, add 10 to the account lockout threshold. Note that if the AvoidPDCOnWan setting is enabled, the logon will not be retried on the PDC.
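The forwarding rule described in the CAUSE section, as an added model that is not part of this article or of Microsoft's code: a Python simulation of the per-user negative cache on a non-PDC DC, with the 10-request and 10-minute values as parameters (pass max_forwards=1, backoff_minutes=5 for the SP2 values given under SYMPTOMS). The user name "alice", the stub PDC that fails every forwarded logon, and clearing the entry on a successful logon are assumptions.

```python
from dataclasses import dataclass, field

BAD_PASSWORD_STATUS = {"STATUS_WRONG_PASSWORD", "STATUS_PASSWORD_EXPIRED",
                       "STATUS_PASSWORD_MUST_CHANGE", "STATUS_ACCOUNT_LOCKED_OUT"}
@dataclass
class CacheEntry:
    forwarded: int = 0          # retries sent to the PDC since the entry was made
    blocked_until: float = 0.0  # minute at which the next retry may go to the PDC

@dataclass
class NegativeCache:
    max_forwards: int = 10       # CAUSE: up to 10 retries once an entry exists
    backoff_minutes: float = 10  # CAUSE: then no forwarding for 10 minutes
    lockout_enabled: bool = False
    avoid_pdc_on_wan: bool = False
    entries: dict = field(default_factory=dict)

    def should_forward(self, user, now):
        """Is a BAD_PASSWORD_STATUS failure for `user` retried on the PDC at minute `now`?"""
        if self.avoid_pdc_on_wan:
            return False                 # AvoidPDCOnWan: never retry on the PDC
        e = self.entries.get(user)
        if e is None or e.forwarded < self.max_forwards:
            return True                  # no entry yet, or retry quota not used up
        return now >= e.blocked_until    # quota exhausted: one probe per back-off window

    def record_pdc_result(self, user, status, now):
        """Update the cache with the status the PDC returned for a forwarded logon."""
        e = self.entries.get(user)
        if status not in BAD_PASSWORD_STATUS:
            self.entries.pop(user, None)  # assumption: a good logon clears the entry
        elif e is None:   # with lockout on, nothing is cached until the PDC reports it
            if not self.lockout_enabled or status == "STATUS_ACCOUNT_LOCKED_OUT":
                self.entries[user] = CacheEntry()
        else:
            e.forwarded += 1
            if e.forwarded >= self.max_forwards:  # quota used up, or a probe failed
                e.blocked_until = now + self.backoff_minutes

def count_pdc_retries(attempt_minutes, lockout_threshold=None, **cache_args):
    """How many of one user's bad-password logons a BDC retries on the PDC."""
    cache = NegativeCache(lockout_enabled=lockout_threshold is not None, **cache_args)
    retried = 0
    for now in attempt_minutes:          # stub PDC: every forwarded logon is a bad password
        if cache.should_forward("alice", now):
            retried += 1
            locked = lockout_threshold is not None and retried >= lockout_threshold
            status = "STATUS_ACCOUNT_LOCKED_OUT" if locked else "STATUS_WRONG_PASSWORD"
            cache.record_pdc_result("alice", status, now)
    return retried
```

With a lockout threshold of 5 and a burst of failures, the model retries 15 logons on the PDC (threshold plus 10), which is the count the paragraph above describes.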

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version        Size     File name 
--------------------------------------------------------
08-Oct-2001  14:28  5.0.2195.4472  123,664  Adsldp.dll  
08-Oct-2001  14:28  5.0.2195.4308  130,832  Adsldpc.dll 
08-Oct-2001  14:28  5.0.2195.4016   62,736  Adsmsext.dll
08-Oct-2001  14:28  5.0.2195.4384  364,816  Advapi32.dll 
08-Oct-2001  14:28  5.0.2195.4141  133,904  Dnsapi.dll 
08-Oct-2001  14:28  5.0.2195.4379   91,408  Dnsrslvr.dll 
08-Oct-2001  14:29  5.0.2195.4411  529,168  Instlsa5.dll 
08-Oct-2001  14:28  5.0.2195.4437  145,680  Kdcsvc.dll 
04-Oct-2001  17:00  5.0.2195.4471  199,440  Kerberos.dll 
04-Sep-2001  05:32  5.0.2195.4276   71,024  Ksecdd.sys 
27-Sep-2001  11:58  5.0.2195.4411  511,248  Lsasrv.dll 
06-Sep-2001  14:31  5.0.2195.4301   33,552  Lsass.exe 
27-Sep-2001  11:59  5.0.2195.4285  114,448  Msv1_0.dll 
08-Oct-2001  14:28  5.0.2195.4153  312,080  Netapi32.dll 
08-Oct-2001  14:28  5.0.2195.4357  370,448  Netlogon.dll 
08-Oct-2001  14:28  5.0.2195.4464  912,656  Ntdsa.dll 
08-Oct-2001  14:28  5.0.2195.4433  387,856  Samsrv.dll 
08-Oct-2001  14:28  5.0.2195.4117  111,376  Scecli.dll 
08-Oct-2001  14:28  5.0.2195.4476  299,792  Scesrv.dll 
08-Oct-2001  14:28  5.0.2195.4025   50,960  W32time.dll 
01-Aug-2001  17:44  5.0.2195.4025   56,592  W32tm.exe 
08-Oct-2001  14:28  5.0.2195.4433  125,712  Wldap32.dll

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.

MORE INFORMATION

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:

249149 Installing Microsoft Windows 2000 and Windows 2000 Hotfixes


Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords:kbHotfixServer kbQFE kbbug kbenv kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB306131