Kerberos Negative Caching Causes Logon to Not Be Retried on PDC (306131)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
This article was previously published under Q306131
SYMPTOMS
When a DC that is not the PDC fails an authentication with STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE or STATUS_ACCOUNT_LOCKED_OUT (collectively referred to later as BAD_PASSWORD_STATUS), the logon is retried at the PDC. In Windows 2000 Service Pack 2 (SP2), the Kerberos authentication package implements a negative-caching mechanism that would stop the forwarding of requests to the PDC if any of the preceding BAD_PASSWORD_STATUS statuses were returned after 1 logon request for a period of 5 minutes. This was implemented to help reduce the number of logon requests handled on the PDC.
CAUSE
When a DC receives an authentication attempt that results in a BAD_PASSWORD_STATUS status, a cache entry is made for the requestor. If Account Lockout is enabled, the cache entry is not created until the PDC returns STATUS_ACCOUNT_LOCKED_OUT. When a subsequent authentication attempt for that user name occurs that results in BAD_PASSWORD_STATUS, the DC forwards up to 10 logon requests, and once these are exceeded, the BDC will not forward requests to the PDC for 10 minutes. After 10 minutes, if an authentication at the BDC generates BAD_PASSWORD_STATUS, the request is retried again on the PDC. If the PDC returns BAD_PASSWORD_STATUS, no more logon requests are attempted for another 10 minutes on the PDC.
To determine how many times a failed logon will be retried at the PDC with account lockout, add 10 to the account lockout threshold. Note that if the AvoidPDCOnWan setting is enabled, the logon will not be retried on the PDC.
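The forwarding rules described above can be modelled as a small state machine. This is an added illustration, not Microsoft's code: the class and function names are hypothetical, and it assumes that the request that creates the cache entry counts toward the 10 forwards and that a successful logon at the PDC clears the entry.

```python
BAD_PASSWORD_STATUS = frozenset({
    "STATUS_WRONG_PASSWORD", "STATUS_PASSWORD_EXPIRED",
    "STATUS_PASSWORD_MUST_CHANGE", "STATUS_ACCOUNT_LOCKED_OUT",
})
MAX_FORWARDS = 10          # "the DC forwards up to 10 logon requests"
SUPPRESS_SECS = 10 * 60    # "will not forward requests to the PDC for 10 minutes"


class NegativeCache:
    """Hypothetical model of the per-user negative cache on a non-PDC DC."""
    def __init__(self, lockout_enabled=False, avoid_pdc_on_wan=False):
        self.lockout_enabled = lockout_enabled
        self.avoid_pdc_on_wan = avoid_pdc_on_wan
        self.entries = {}  # user -> {"forwards": int, "until": float}

    def on_local_failure(self, user, now, ask_pdc):
        """Call when the local DC produced a BAD_PASSWORD_STATUS for `user`.
        ask_pdc() retries the logon on the PDC and returns its status string.
        Returns that status, or None when the request was not forwarded."""
        if self.avoid_pdc_on_wan:
            return None                       # never retried on the PDC
        entry = self.entries.get(user)
        if entry and now < entry["until"]:
            return None                       # inside the suppression window
        status = ask_pdc()
        if status not in BAD_PASSWORD_STATUS:
            self.entries.pop(user, None)      # assumption: success clears the entry
            return status
        if entry is None:
            # With Account Lockout enabled, the entry is created only once
            # the PDC itself returns STATUS_ACCOUNT_LOCKED_OUT.
            if self.lockout_enabled and status != "STATUS_ACCOUNT_LOCKED_OUT":
                return status
            entry = self.entries[user] = {"forwards": 0, "until": 0.0}
        entry["forwards"] += 1
        if entry["forwards"] >= MAX_FORWARDS:
            # Budget used up, or the single post-window retry failed again.
            entry["until"] = now + SUPPRESS_SECS
        return status


def count_forwards(cache, user, times, pdc_status="STATUS_WRONG_PASSWORD"):
    """Replay failed logons at constructed timestamps; count those forwarded."""
    return sum(cache.on_local_failure(user, t, lambda: pdc_status) is not None
               for t in times)
```

In this model a password that was just changed on the PDC stops being honoured at the DC once the window opens, until the window expires or the change replicates, which is the symptom to look for when a user with a fresh password keeps failing at one site.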
RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date         Time   Version        Size     File name
--------------------------------------------------------
08-Oct-2001  14:28  5.0.2195.4472  123,664  Adsldp.dll
08-Oct-2001  14:28  5.0.2195.4308  130,832  Adsldpc.dll
08-Oct-2001  14:28  5.0.2195.4016   62,736  Adsmsext.dll
08-Oct-2001  14:28  5.0.2195.4384  364,816  Advapi32.dll
08-Oct-2001  14:28  5.0.2195.4141  133,904  Dnsapi.dll
08-Oct-2001  14:28  5.0.2195.4379   91,408  Dnsrslvr.dll
08-Oct-2001  14:29  5.0.2195.4411  529,168  Instlsa5.dll
08-Oct-2001  14:28  5.0.2195.4437  145,680  Kdcsvc.dll
04-Oct-2001  17:00  5.0.2195.4471  199,440  Kerberos.dll
04-Sep-2001  05:32  5.0.2195.4276   71,024  Ksecdd.sys
27-Sep-2001  11:58  5.0.2195.4411  511,248  Lsasrv.dll
06-Sep-2001  14:31  5.0.2195.4301   33,552  Lsass.exe
27-Sep-2001  11:59  5.0.2195.4285  114,448  Msv1_0.dll
08-Oct-2001  14:28  5.0.2195.4153  312,080  Netapi32.dll
08-Oct-2001  14:28  5.0.2195.4357  370,448  Netlogon.dll
08-Oct-2001  14:28  5.0.2195.4464  912,656  Ntdsa.dll
08-Oct-2001  14:28  5.0.2195.4433  387,856  Samsrv.dll
08-Oct-2001  14:28  5.0.2195.4117  111,376  Scecli.dll
08-Oct-2001  14:28  5.0.2195.4476  299,792  Scesrv.dll
08-Oct-2001  14:28  5.0.2195.4025   50,960  W32time.dll
01-Aug-2001  17:44  5.0.2195.4025   56,592  W32tm.exe
08-Oct-2001  14:28  5.0.2195.4433  125,712  Wldap32.dll
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows 2000 Service Pack 3.
Modification Type: Minor
Last Reviewed: 9/26/2005
Keywords: kbHotfixServer kbQFE kbbug kbenv kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB306131