Clients are experiencing authentication problems and you've determined it is due to UDP fragmentation of Kerberos traffic. You want to force Kerberos traffic to go over TCP instead.
Run regedit.exe from the command line or Start Run.
In the left pane, expand HKEY_LOCAL_MACHINE System CurrentControlSet Control Lsa Kerberos Parameters.
Right-click on Parameters and select New DWORD value. Enter MaxPacketSize for the value name.
In the right pane, double-click on MaxPacketSize and enter 1.
Click OK.
> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v[RETURN]
"MaxPacketSize" /t REG_DWORD /d 1
' This code forces Kerberos to use TCP ' ------ SCRIPT CONFIGURATION ------ strComputer = "<ComputerName>" ' e.g. rallen-w2k3 ' ------ END CONFIGURATION --------- const HKLM = &H80000002 strRegKey = "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" set objReg = GetObject("winmgmts:\\" & strComputer & _ "\root\default:StdRegProv") objReg.SetDwordValue HKLM, strRegKey, "MaxPacketSize", 1 WScript.Echo "Kerberos forced to use TCP for " & strComputer
If you have users that are experiencing extremely slow logon times (especially over VPN) or they are seeing the infamous "There are currently no logon servers available to service the logon request," then they may be experiencing UDP fragmentation of Kerberos traffic. One way to help identify if there is a problem with Kerberos is to have the users run the following command:
> netdiag /test:kerberos
Another source of information is the System event log on the clients. Various Kerberos-related events are logged there if problems with authentication occur.
For more information about Kerberos and UDP, see MS KB 244474 (How to Force Kerberos to Use TCP Instead of UDP).