A Kerberos Client Always Sends Client Addresses in Windows XP (318071)



The information in this article applies to:

  • Microsoft Windows XP Professional

This article was previously published under Q318071
For a Microsoft Windows 2000 version of this article, see .
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

The Microsoft Windows XP Kerberos client sends its client addresses in the Authentication Service (AS) request, which asks the Key Distribution Center (KDC) to copy them into the Ticket Granting Ticket (TGT). The address list is the optional caddr field of the ticket; it exists to restrict the hosts from which the ticket can be used, and it only has an effect when a KDC or service enforces it.

You may not want this behavior because the tickets are larger on the network. By default, Windows XP includes the addresses when it is a member of an Active Directory-based domain and omits them when it is configured for a third-party realm.

Including the addresses in the ticket request, and having the KDC check them, causes ticket use to fail if the client changes its IP address during the lifetime of the ticket (for example, after a DHCP lease renewal) or if the client communicates with the KDC through a Network Address Translation (NAT) device, because the source address the KDC sees no longer matches an address in the ticket.

Note that a Microsoft Windows 2000-based KDC does not check these addresses.
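The address field and the check described above, as an added example that is not Microsoft's code or part of the original article: a small Python script (helper names are hypothetical; the structures are HostAddresses and the addresses [9] element of KDC-REQ-BODY from RFC 4120) that encodes the address list a client puts in the AS request, decodes it the way a KDC would copy it into the ticket's caddr field, and applies the address check an enforcing KDC or service performs. The NAT and DHCP-renewal cases fail that check; a request that omits the field is accepted from any address. All IP addresses are constructed sample values.

```python
"""Added example: DER encoding/decoding of Kerberos HostAddresses (RFC 4120 5.2.5)
and the address check an enforcing KDC or service applies (RFC 4120 3.2.3).
Not Microsoft code; helper names are hypothetical."""
import ipaddress

ADDR_TYPE_IPV4 = 2    # RFC 4120 section 7.5.3 address type numbers
ADDR_TYPE_IPV6 = 24


def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(v):
    """Minimal two's-complement INTEGER; sufficient for the small addr-type values."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def encode_host_addresses(addrs):
    """HostAddresses ::= SEQUENCE OF HostAddress
    HostAddress  ::= SEQUENCE { addr-type [0] Int32, address [1] OCTET STRING }"""
    items = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        atype = ADDR_TYPE_IPV4 if ip.version == 4 else ADDR_TYPE_IPV6
        host = _tlv(0xA0, _der_int(atype)) + _tlv(0xA1, _tlv(0x04, ip.packed))
        items.append(_tlv(0x30, host))
    return _tlv(0x30, b"".join(items))


def kdc_req_body_addresses(addrs):
    """The client asks for addresses by sending 'addresses [9] HostAddresses OPTIONAL'
    in KDC-REQ-BODY. Returns b'' when the client omits the field (the case where
    addresses are not sent)."""
    if not addrs:
        return b""
    return _tlv(0xA9, encode_host_addresses(addrs))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, buf[pos:pos + ln], pos + ln


def decode_host_addresses(der):
    """Decode HostAddresses into a list of (addr-type, raw address bytes)."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "HostAddresses must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(seq):
        t, item, pos = _read_tlv(seq, pos)
        assert t == 0x30, "HostAddress must be a SEQUENCE"
        _, c0, p = _read_tlv(item, 0)        # [0] addr-type
        _, tbytes, _ = _read_tlv(c0, 0)
        _, c1, _ = _read_tlv(item, p)        # [1] address
        _, raw, _ = _read_tlv(c1, 0)
        out.append((int.from_bytes(tbytes, "big", signed=True), raw))
    return out


def ticket_usable_from(caddr_der, peer):
    """Address check of an enforcing KDC/service: with caddr present, the peer's
    address must appear in the list; with no caddr, any address is allowed."""
    if caddr_der is None:
        return True
    ip = ipaddress.ip_address(peer)
    want = ADDR_TYPE_IPV4 if ip.version == 4 else ADDR_TYPE_IPV6
    return any(atype == want and raw == ip.packed
               for atype, raw in decode_host_addresses(caddr_der))


def nat_scenario():
    """Constructed scenario: a client at 192.168.1.20 asks for a TGT with addresses.
    The KDC copies the list into caddr; the results show whether an enforcing KDC
    would accept a later request using that TGT from each source address."""
    client_ip = "192.168.1.20"
    field = kdc_req_body_addresses([client_ip])     # client included [9] addresses
    _, caddr, _ = _read_tlv(field, 0)                # what the KDC stores as caddr
    return {
        "direct": ticket_usable_from(caddr, client_ip),            # same host, no NAT
        "behind_nat": ticket_usable_from(caddr, "203.0.113.7"),    # KDC sees NAT address
        "after_dhcp_renew": ticket_usable_from(caddr, "192.168.1.21"),
        "no_addresses": ticket_usable_from(None, "203.0.113.7"),   # field omitted
    }


if __name__ == "__main__":
    for case, ok in nat_scenario().items():
        print(f"{case:18s} accepted={ok}")
```

Because a Windows 2000 KDC does not check caddr, the enforcing branch above corresponds to a third-party KDC or service that does; against a Windows 2000 KDC the field only costs ticket size.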

MORE INFORMATION

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To enable the sending of the addresses on Windows XP-based client computers:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters

  3. On the Edit menu, click Add Value (in Regedit, point to New on the Edit menu, and then click DWORD Value), and then add the following registry value:

    Value name: ClientIpAddresses
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1

  4. Quit Registry Editor.
NOTE: If ClientIpAddresses is not set, it is treated as 0 and the addresses are not sent; a value of 1 sends them. For computers that are members of Windows 2000-based domains, you do not have to set the registry value.

For third-party realms that require the client addresses, you can instead enable the addresses for that realm only by setting the SendAddress realm flag:
  1. Open a command prompt window.
  2. Obtain a copy of Ksetup.exe from the Support Tools.
  3. Run the following command, where <RealmName> is the name of your Kerberos realm:

    ksetup /setrealmflags <RealmName> SendAddress

  4. Use the /server switch (ksetup /server <ComputerName>) to cause Ksetup to make the changes on a remote computer. You can confirm the realm flags with ksetup /dumpstate.

Modification Type: Major
Last Reviewed: 11/19/2003
Keywords:kbenv kbinfo kbnetwork KB318071