Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

An update is available that introduces the NO_AUTH_REQUIRED flag to the UserAccountControl property in Windows Server 2003 and in Windows 2000


View products that this article applies to.

Summary

This article describes an update to the UserAccountControl property in Microsoft Windows Server 2003 and in Microsoft Windows 2000. This update introduces the following new flag to the property:
Flag                   Hexadecimal value   Decimal value
--------------------------------------------------------
NO_AUTH_DATA_REQUIRED  0x2000000           33554432
When you use Windows Server 2003 or Windows 2000 as a Kerberos Key Distribution Center (KDC) in a mixed environment, such as an environment that has Windows and Unix servers, the KDC adds Privilege Attribute Certificate (PAC) information to a service ticket. If you do not want to add PAC information to a service ticket for a user who is in Active Directory, you can set the NO_AUTH_DATA_REQUIRED flag for the user account after you install the update.

You may want to prevent PAC information from being added to service tickets in situations where the increased size of the service ticket causes issues with programs that use either the User Datagram Protocol (UDP) or remote procedure call (RPC) functionality. A PAC is large, and can increase the size of a ticket more than 500 percent. Tickets that do not have a PAC are approximately 240 bytes. Tickets that have a simple PAC may be approximately 1,200 bytes. Additionally, some services do not understand PAC information. If a PAC is present, services that do not understand the PAC information ignore it.

In a mixed Unix and Windows environment that uses a version of Kerberos that is one or two versions earlier than the current version, ticket requests may not work when a user is a member of many groups in Active Directory. This issue occurs if the PAC information that is added to the ticket increases the size of the ticket to more than the UDP limit of 2,000 bytes. In this situation, ticket requests fail for earlier Unix clients that cannot use TCP.

↑ Back to the top


More information

Because this update applies to Active Directory account properties, install this update on domain controllers. You do not have to install this update on workstations or member servers.

Windows Server 2003

Service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Windows Server 2003 and Windows 2000

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

You must have Windows Server 2003 or Windows 2000 Service Pack 4 (SP4) installed.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, x86-based versions
   Date         Time   Version       Size     File name
   -------------------------------------------------------
   14-Sep-2004  16:26  5.2.3790.210  226,816  Kdcsvc.dll
   14-Sep-2004  16:26  5.2.3790.210  324,608  Netapi32.dll
   14-Sep-2004  16:26  5.2.3790.210  464,384  Samsrv.dll
Windows Server 2003, x64-based versions
   Date         Time   Version            Size  File name      Platform
   --------------------------------------------------------------------
   14-Sep-2004  16:21  5.2.3790.210    586,752  Kdcsvc.dll     IA-64
   14-Sep-2004  16:21  5.2.3790.210    852,480  Netapi32.dll   IA-64
   14-Sep-2004  16:21  5.2.3790.210  1,036,288  Samsrv.dll     IA-64
   14-Sep-2004  16:26  5.2.3790.210    324,608  Wnetapi32.dll  x86
Windows 2000
   Date         Time   Version             Size  File name
   ----------------------------------------------------------
   24-Mar-2004  02:17  5.0.2195.6876    388,368  Advapi32.dll
   24-Mar-2004  02:17  5.0.2195.6866     69,904  Browser.dll
   24-Mar-2004  02:17  5.0.2195.6824    134,928  Dnsapi.dll
   24-Mar-2004  02:17  5.0.2195.6876     92,432  Dnsrslvr.dll
   24-Mar-2004  02:17  5.0.2195.6883     47,888  Eventlog.dll
   13-Jul-2004  20:34  5.0.2195.6939    148,752  Kdcsvc.dll
   11-Mar-2004  02:37  5.0.2195.6903    210,192  Kerberos.dll
   21-Sep-2003  00:32  5.0.2195.6824     71,888  Ksecdd.sys
   11-Mar-2004  02:37  5.0.2195.6902    520,976  Lsasrv.dll
   25-Feb-2004  23:59  5.0.2195.6902     33,552  Lsass.exe
   19-Jun-2003  20:05  5.0.2195.6680    117,520  Msv1_0.dll
   14-Sep-2004  16:26  5.2.3790.210     324,608  Netapi32.dll
   19-Jun-2003  20:05  5.0.2195.6695    371,984  Netlogon.dll
   24-Mar-2004  02:17  5.0.2195.6896  1,028,880  Ntdsa.dll
   14-Sep-2004  16:26  5.2.3790.210     464,384  Samsrv.dll
   24-Mar-2004  02:17  5.0.2195.6893    111,376  Scecli.dll
   24-Mar-2004  02:17  5.0.2195.6903    253,200  Scesrv.dll
   04-Jun-2004  23:13  5.0.2195.6935  5,887,488  Sp3res.dll
   24-Mar-2004  02:17  5.0.2195.6824     50,960  W32time.dll
   21-Sep-2003  00:32  5.0.2195.6824     57,104  W32tm.exe

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Windows Server 2003 Service Pack 1.

↑ Back to the top


References

For more information about the UserAccountControl attribute, click the following article numbers to view the articles in the Microsoft Knowledge Base:
305144 How to use the UserAccountControl flags to manipulate user account properties
269181 How to query Active Directory by using a bitwise filter
233209 Windows 2000 contacts and users
For more information about the new file naming schema for Microsoft Windows software update packages, click the following article number to view the article in the Microsoft Knowledge Base:
816915 New file naming schema for Microsoft Windows software update packages
For more information about the terminology that is used in this article, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

↑ Back to the top


Keywords: kbhotfixserver, kbqfe, kbwinserv2003sp1fix, kbwinserv2003presp1fix, kbbug, kbfix, kbwin2000presp5fix, kbautohotfix, KB832572

↑ Back to the top

Article Info
Article ID : 832572
Revision : 10
Created on : 10/11/2007
Published on : 10/11/2007
Exists online : False
Views : 554