Unless you have been in the trenches with Kerberos, you may not be aware that Windows 2003 and XP use Kerberos over UDP by default. By far the biggest implication of this is that if the authentication packets get fragmented (which usually happens when they traverse a WAN), the lost UDP fragments are not retransmitted. This can cause delays when logging in, or during the login process. I have seen this at enough companies now to wonder why this is the default. In some cases the login process can take up to 15 minutes at a remote site connected by a VPN over an idle T1. Once Kerberos is forced to use TCP, the problem is resolved.

One can only hope this is one of the changes in Vista/Windows Server 2008, or that it becomes a configurable option in Group Policy. As it stands now it is only changeable through a registry key change, and if you want to change it using Group Policy you must create a custom Administrative Template; even then the policy is not fully manageable (it is treated more like a preference). For more information on Kerberos over TCP vs. UDP, see:

http://support.microsoft.com/kb/244474
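The registry change the post refers to is the MaxPacketSize value under the Kerberos Parameters key described in the linked KB 244474 article. The PowerShell below is an added example written for this page, not code from the original post or from Microsoft: it reads the current value, sets it to 1 (which makes Kerberos use TCP for every message), and reads it back so you can confirm the change before rolling it out with a startup script or a custom Administrative Template. It assumes it is run in an elevated shell on an XP/2003-era client or server; later Windows versions already default to TCP for Kerberos, so on those the check simply confirms the existing behaviour.

```powershell
# Added example: audit and set the Kerberos transport setting from KB 244474.
# Requires an elevated PowerShell session. The client picks the new value up
# at the next logon (a reboot is the safe way to be sure on XP/2003).

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the current MaxPacketSize DWORD, or $null when the value is
    # absent (absent means the platform default applies: UDP on XP/2003).
    if (-not (Test-Path -Path $KerbParams)) { return $null }
    $item = Get-ItemProperty -Path $KerbParams -Name 'MaxPacketSize' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosForceTcp {
    # MaxPacketSize = 1 tells the Kerberos client to send any message larger
    # than 1 byte over TCP, i.e. all Kerberos traffic goes over TCP and the
    # fragmented-UDP problem described in the post goes away.
    if (-not (Test-Path -Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    Set-ItemProperty -Path $KerbParams -Name 'MaxPacketSize' -Value 1 -Type DWord
}

function Test-KerberosForceTcp {
    # True when the registry already forces TCP; use this as the check in a
    # logon/startup script so the value is only written when it is missing.
    return (Get-KerberosMaxPacketSize) -eq 1
}

$before = Get-KerberosMaxPacketSize
if ($null -eq $before) {
    Write-Host "MaxPacketSize not set (platform default transport in use)."
} else {
    Write-Host "MaxPacketSize before: $before"
}

if (-not (Test-KerberosForceTcp)) {
    Set-KerberosForceTcp
    Write-Host "MaxPacketSize after:  $(Get-KerberosMaxPacketSize)"
} else {
    Write-Host "Kerberos is already forced to TCP; nothing changed."
}
```

Because the value lives under HKLM, a computer-side startup script (or the custom ADM template the post mentions) is the practical way to deploy it, and `Test-KerberosForceTcp` keeps the script idempotent on machines that already have the setting.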
A Networking and System Engineer Blog
Wednesday, December 12, 2007