Kerb-005 Kerberos windows servers modification
Kerberos servers Registry modification
Add a specific registry key on the Web and SQL servers to force the Kerberos protocol to use TCP. By default, Microsoft Windows uses UDP, which may cause a lot of disruption. For example, a user who is a member of many Active Directory global groups cannot be impersonated properly by the BI service accounts, because the protocol is not able to carry all of the user's credentials. To avoid such disruption, you must configure the MaxPacketSize property.
Key to force Kerberos communication through TCP (by default UDP)
Start Registry Editor (Regedt32.exe).
Locate and click the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
On the Edit menu, click Add Value, and then add the following registry value:
Value name: MaxPacketSize
Data type: REG_DWORD
Radix: Decimal
Value: 1
Quit Registry Editor.
Restart
Please refer to http://support.microsoft.com/kb/244474 for further information.
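The same change scripted in PowerShell, as an added example that is not part of the original article: it reads the current MaxPacketSize value, sets it to 1 only when needed, and reports the before/after state. The function name Set-KerberosMaxPacketSize is hypothetical; the key path and value are the ones given in the steps above, and the session is assumed to be elevated.

```powershell
# Added example (not from the original article). The function name is hypothetical.
# Key path and value come from the procedure above; requires an elevated session.
function Set-KerberosMaxPacketSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Desired = 1   # value given in the article: forces Kerberos over TCP
    )

    $path = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $name = 'MaxPacketSize'

    # Read the current value; $null means the value (or the whole key) is absent.
    $current = $null
    if (Test-Path -Path $path) {
        $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $current = $prop.$name }
    }

    $changed = $false
    if ($current -ne $Desired) {
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set REG_DWORD to $Desired")) {
            # Create the Parameters key if it does not exist yet.
            if (-not (Test-Path -Path $path)) {
                New-Item -Path $path -Force | Out-Null
            }
            # -Force overwrites an existing value, including one of the wrong type.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $Desired -Force | Out-Null
            $changed = $true
        }
    }

    # Report before/after state so the result can be logged per server.
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Previous      = $current
        Desired       = $Desired
        Changed       = $changed
        RestartNeeded = $changed
    }
}

# Dry run: shows what would change without writing to the registry.
Set-KerberosMaxPacketSize -WhatIf
# To apply, call it without -WhatIf, then restart the server:
# Set-KerberosMaxPacketSize
```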
Windows 2008 specific Bug on AES algorithm
Moreover, there is a specific Kerberos bug with the AES algorithm on Windows 2008 Server (not on Windows 2003 or Windows 2008 R2). You must apply the patch described in http://support.microsoft.com/kb/969083 (the patch delivered is for Vista and 2008) on each Windows 2008 server of the architecture.