Loading your personal settings takes forever (IPSec, MTU, PPPoE, Active Directory, Kerberos)

I just spent a large amount of labor figuring out why remote computers
suddenly started taking forever to log on. I am posting this to help
others who might encounter the same issue with AD.

Windows hangs on login at "Loading your personal settings" when the computer
is behind an IPSec device or PPPoE link where the MTU size is lower than 1500.

AD is installed and works fine until a lot of users/machines (objects)
are added to it; then the Kerberos data exchange becomes larger than one
UDP frame can handle, so it is fragmented, hence the need to switch
Kerberos from UDP to TCP.

Although the Kerberos standard (RFC) was written to use UDP, TCP is a
better mechanism.

UDP does not guarantee delivery, nor does it guarantee that packets are
delivered in order. Furthermore, UDP packets may fragment, and there
have been issues with intermediary network devices dropping fragmented
packets. What this means for a Kerberos implementation is that a
large packet may be fragmented and, due to the unreliability of UDP, the
Kerberos exchange may not complete successfully. For example, public
key Kerberos (PKINIT) or a large number of group memberships will produce
large message sizes.

The computer is located behind an IPSec tunnel or PPPoE (DSL) device that
lowers the MTU. After pressing Ctrl+Alt+Del to log on to
Windows, you enter your username and password. The "Loading
your Personal Settings" screen is misleading, as Kerberos authentication has
not completed. That screen may take
25-45 minutes before the logon finishes, because the computer is still attempting to
obtain a Kerberos Ticket Granting Ticket. If you disconnect the
network cable, the computer logs in immediately (with cached credentials).

A sniffer trace will show repeated UDP packets sent
to UDP port 88 on the domain controller. The packets are larger than
the path MTU due to the growth (objects) in Active Directory.

See Microsoft Knowledge Base article Q244474 on how to set
MaxPacketSize=1 for the Kerberos LSA parameters, which forces the client to
use TCP. This registry change is only done on the clients, not on the domain controller.
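As an added example (not part of the original post), the following PowerShell script checks a client for the symptom and applies the KB 244474 setting. It assumes the well-known key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and uses a placeholder DC name; run it elevated on a client, never on the domain controller.

```powershell
# Added example: diagnose and fix the "Loading your personal settings" hang
# caused by fragmented Kerberos UDP traffic behind a low-MTU link.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder, set yours
    [switch]$Apply                                      # without -Apply, only reports
)

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# 1. Does a full-size frame reach the DC without fragmentation?
#    1472 bytes of ICMP payload + 28 bytes of headers = a 1500-byte packet.
$fullFrameOk = Test-Connection -ComputerName $DomainController -Count 1 `
    -BufferSize 1472 -DontFragment -Quiet -ErrorAction SilentlyContinue
if (-not $fullFrameOk) {
    Write-Host "Path MTU to $DomainController is below 1500; large Kerberos UDP replies will fragment"
}

# 2. Current client setting. Absent means the default: try UDP first.
$current = (Get-ItemProperty -Path $KerbParams -Name MaxPacketSize `
    -ErrorAction SilentlyContinue).MaxPacketSize
if ($null -eq $current) { Write-Host "MaxPacketSize not set (UDP first)" }
else                    { Write-Host "MaxPacketSize currently $current" }

# 3. Never force TCP unless the DC actually answers on TCP/88,
#    otherwise logons would fail outright instead of merely stalling.
$tcp = Test-NetConnection -ComputerName $DomainController -Port 88 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "TCP 88 to $DomainController is unreachable; fix that before forcing TCP"
    return
}

# 4. Apply the client-side change from KB 244474 (MaxPacketSize=1 => always TCP).
if ($Apply) {
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name MaxPacketSize -Value 1 `
        -PropertyType DWord -Force | Out-Null
    Write-Host "MaxPacketSize set to 1; reboot the client for it to take effect"
}
```

After a reboot, a sniffer trace should show the logon's Kerberos exchange on TCP port 88 instead of repeated fragmented UDP attempts.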
