You experience a delay in the user-authentication process when you run a high-volume server program on a domain member in Windows 2000 or Windows Server 2003 (906736)
The information in this article applies to:
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
SYMPTOMS
When you run a high-volume server program on a domain member that uses Kerberos to authenticate users, you experience a delay in the user-authentication process. Additionally, you notice an increase in the remote procedure call (RPC) traffic between the domain controller that uses the Net Logon RPC interface and the server.

When you enable debug logging for the Net Logon service on the domain member or on the domain controller, the following entry is logged in the System log:

[LOGON] SamLogon: Generic logon of <domain name>\(null) from (null) Package:Kerberos Entered

CAUSE
This problem occurs because the Kerberos client verifies the Privilege Attribute Certificate (PAC) signature in the Kerberos ticket by using the domain controller. The Kerberos client performs this verification to prevent PAC spoofing. The increased network traffic is generated by the RPC requests that are part of this verification process.

The Kerberos client performs this verification only for untrusted callers. User-mode applications are recognized as untrusted callers.

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
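
As an added example (not part of the original article and not a Microsoft tool), the following Python code counts the Net Logon debug entry quoted under SYMPTOMS per minute, which sizes the PAC verification load described under CAUSE. The timestamp prefix, the `Returns` and `Network logon` lines, and the CONTOSO domain name are constructed assumptions.

```python
import re
from collections import Counter

# Entry text as quoted in the article. The leading "MM/DD HH:MM:SS" timestamp
# is an assumption about the debug log layout, so the pattern makes it optional.
PAC_ENTRY = re.compile(
    r"^(?:(?P<minute>\d{2}/\d{2} \d{2}:\d{2}):\d{2}\s+)?"
    r"\[LOGON\]\s+SamLogon:\s+Generic logon of\s+"
    r"(?P<domain>[^\\\s]+)\\\(null\)\s+from\s+\(null\)\s+"
    r"Package:Kerberos\s+Entered\s*$"
)

# Constructed sample lines (not taken from a real log); CONTOSO is a placeholder.
SAMPLE_LOG = """\
03/14 10:15:01 [LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package:Kerberos Entered
03/14 10:15:01 [LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package:Kerberos Returns 0x0
03/14 10:15:02 [LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package:Kerberos Entered
03/14 10:15:40 [LOGON] SamLogon: Network logon of CONTOSO\\alice from WKS01 Entered
03/14 10:16:05 [LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package:Kerberos Entered
[LOGON] SamLogon: Generic logon of CONTOSO\\(null) from (null) Package:Kerberos Entered
"""


def pac_validations_per_minute(lines):
    """Count PAC verification requests per (minute, domain) bucket.

    Only "Entered" lines are counted so each request is counted once;
    lines without a timestamp fall into the "unknown" bucket.
    """
    counts = Counter()
    for line in lines:
        m = PAC_ENTRY.match(line.strip())
        if m:
            counts[(m.group("minute") or "unknown", m.group("domain"))] += 1
    return counts


def busy_minutes(counts, threshold):
    """Return buckets at or above `threshold`, busiest first."""
    hits = [(k, n) for k, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    per_minute = pac_validations_per_minute(SAMPLE_LOG.splitlines())
    for (minute, domain), n in busy_minutes(per_minute, threshold=2):
        print(f"{minute} {domain}: {n} PAC verification requests")
```
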
Modification Type: Minor | Last Reviewed: 2/23/2006
Keywords: kbtshoot kbBug KB906736 kbAudITPRO kbAudEndUser