A Kerberos Client Always Sends Client Addresses in Windows 2000 (317896)



The information in this article applies to:

  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Professional SP3

This article was previously published under Q317896
For a Microsoft Windows XP version of this article, see 318071.
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SYMPTOMS

The Windows 2000 Kerberos client always asks the Key Distribution Center (KDC) to stamp the client's network addresses into the Ticket Granting Ticket (TGT): every Authentication Service (AS) request it sends carries the client addresses field.

You may not want this behavior, because it makes every ticket that is carried on the network larger. By default, Windows 2000 includes the addresses when the computer is a member of an Active Directory-based domain, and omits them when the computer is configured for a third-party Kerberos realm.

Including the addresses in the ticket request, and having a KDC enforce them, causes problems if the client changes its IP address during the lifetime of the ticket (for example, a roaming laptop or a renewed DHCP lease) or if the client reaches the KDC through a Network Address Translation (NAT) device: the source address the KDC sees no longer matches the address in the ticket, and the ticket is rejected.

Note that a Windows 2000-based KDC does not check these addresses. On a network where all KDCs are Windows 2000-based, the addresses therefore add size to the tickets without adding any protection; they matter only when a third-party KDC that enforces addresses is involved.

RESOLUTION

To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to obtain the latest Windows 2000 service pack

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can enable the sending of the addresses after you install Service Pack 3 (SP3) by making this registry change:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: ClientIpAddresses
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1

  4. Quit Registry Editor.
NOTE: After you install SP3, ClientIpAddresses is treated as 0 when it is not set, so the addresses are no longer sent by default. Computers that are members of Windows 2000-based domains do not need this registry value, because a Windows 2000-based KDC does not check the addresses.

For third-party realms that require the client addresses, you can enable the addresses for that realm only (instead of globally) by making this registry change, where "Realm DNS name" is the DNS name of the realm as it appears under the Domains key:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\Realm DNS name

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value name: RealmFlags
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1

  4. Quit Registry Editor.
You must restart the computer for these registry changes to take effect.
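The two registry changes above, scripted with PowerShell, as an added example that is not part of the original article. The article documents Regedt32 on Windows 2000, which has no PowerShell; this script assumes you are managing the same Kerberos\Parameters and Kerberos\Domains values on a Windows version that runs PowerShell, and it assumes (the article does not say) that RealmFlags is a bit mask in which bit 0x1 enables sending addresses, so it preserves any other bits that are already set instead of overwriting the value with 1. The realm name is a placeholder you supply.

```powershell
# Added example (not from KB 317896): set the Kerberos client-address values
# described in the article with PowerShell instead of Regedt32.
# Assumptions: these values behave as in the article on the OS you run this on,
# and RealmFlags is a bit mask (bit 0x1 = send client addresses).

$KerbParams  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$KerbDomains = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains'
$SendAddressFlag = 0x1   # assumption: bit that the article's "Value data: 1" turns on

function Get-KerberosClientAddressSetting {
    # Returns the effective ClientIpAddresses value. Post-SP3, a missing value means 0
    # (addresses are not sent), so report 0 rather than $null.
    $v = (Get-ItemProperty -Path $KerbParams -Name ClientIpAddresses -ErrorAction SilentlyContinue).ClientIpAddresses
    if ($null -eq $v) { return 0 }
    return [int]$v
}

function Set-KerberosClientAddresses {
    # Global switch: 1 = include client addresses in every AS request, 0 = omit them.
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name ClientIpAddresses -PropertyType DWord -Value $Value -Force | Out-Null
    Write-Host "ClientIpAddresses = $Value (restart required for this to take effect)"
}

function Enable-KerberosRealmAddresses {
    # Per-realm switch: turn on the send-address bit in RealmFlags under
    # Domains\<Realm DNS name>, keeping any other flag bits already present.
    param([Parameter(Mandatory)][string]$RealmDnsName)
    $realmKey = Join-Path $KerbDomains $RealmDnsName
    if (-not (Test-Path $realmKey)) { New-Item -Path $realmKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $realmKey -Name RealmFlags -ErrorAction SilentlyContinue).RealmFlags
    if ($null -eq $current) { $current = 0 }
    $new = [int]$current -bor $SendAddressFlag
    New-ItemProperty -Path $realmKey -Name RealmFlags -PropertyType DWord -Value $new -Force | Out-Null
    Write-Host ("RealmFlags for {0}: 0x{1:X} -> 0x{2:X} (restart required)" -f $RealmDnsName, $current, $new)
}

# Usage (run from an elevated prompt; EXAMPLE.REALM.COM is a placeholder):
Write-Host ("Current ClientIpAddresses: {0}" -f (Get-KerberosClientAddressSetting))
# Set-KerberosClientAddresses -Value 1                      # global, all realms
# Enable-KerberosRealmAddresses -RealmDnsName 'EXAMPLE.REALM.COM'   # one realm only
```

Prefer the per-realm RealmFlags change over the global ClientIpAddresses switch: it limits the larger, address-bound tickets to the third-party realm that actually enforces addresses, while members of Windows 2000-based domains keep the smaller, NAT-friendly tickets.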

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows 2000 Service Pack 3.

Modification Type: Minor
Last Reviewed: 10/13/2004
Keywords:kbbug kbfix kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB317896