Group Policy settings are not applied when a user in an external Kerberos realm logs on to a Windows XP Professional-based or to a Windows 2000 Professional-based computer in a child domain

A user in an external Kerberos realm logs on to a Microsoft Windows XP Professional-based computer or to a Microsoft Windows 2000 Professional-based computer in a child domain. Group Policy settings from a Microsoft Windows Server 2003-based domain controller in the parent domain are not applied.

This issue occurs because of increased security in Microsoft Windows Server 2003.

This is a client-side fix. To resolve the issue, you must, at a minimum, install the hotfix on all client computers in the child domain. You must apply the hotfix to the following computers:

• Windows Server 2003-based clients in the child domain
• Windows XP Professional-based clients in the child domain
• Windows 2000 Professional-based clients in the child domain

If any one of the Windows 2000-based or Windows Server 2003-based servers or domain controllers are performing client-side authentication requests for external Kerberos realm accounts, the hotfix should also be installed on these computers.

Note This problem does not just apply to child domains. This problem can occur across other transitive trust relationships. For example, the problem can occur in a domain in a different tree if a trusting domain in the same forest trusts an external Kerberos realm.

Windows Server 2003 service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Windows Server 2003 hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart requirement

You must restart the computer after you apply the hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, x-64-based versions

Windows Server 2003, Enterprise Edition for Itanium-based Systems

Windows Server 2003, 32-bit versions

Windows XP Professional hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

Windows XP Service Pack 2 (SP2)

Restart requirement

You must restart the computer after you apply the hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows 2000 Professional hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

Windows 2000 Service Pack 4 (SP4)

Restart requirement

You must restart the computer after you apply the hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

To work around this issue, use one of the following methods:

• Match the passwords for the external user account and for the currently mapped Windows user account in the parent domain.
• Map the external Kerberos realm user account to an account in the child domain.

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 2.

This issue occurs after the following sequence of events:

1. The Kerberos client queries the external realm to obtain the domain controller account.
2. The external realm does not have the domain controller computer account from the parent domain. Therefore, the external realm returns a response of "unknown principal."
3. The Kerberos client queries the child domain to obtain the domain controller account.
4. The child domain issues a cross-realm Ticket Granting Ticket (TGT). Because the original TGT from the external realm does not contain a Privilege Attribute Certificate (PAC), the child domain creates a new PAC. This new PAC contains the parent domain groups to which the user belongs.
5. The Kerberos client follows the referral to the parent domain. When the parent domain receives a cross-realm TGT that contains a PAC that includes security identifiers (SIDs) from its own domain, the parent domain refuses the TGT.

Windows Server 2003 security features verify that SIDs from a Key Distribution Center (KDC) in a trusted realm are not included in the PACs from another realm. This behavior helps prevent KDCs from obtaining increased rights in a realm that the KDCs do not maintain.

With this hotfix, the client computers can negotiate the trust path successfully. The client computers avoid the situation where a Windows Server 2003 KDC is presented with a PAC that includes SIDs from the Windows Server 2003 realm.

Windows 2000 Server does not have this additional SID filtering capability. Therefore, this issue does not occur in a Windows 2000 Server-based domain.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

Technical support for x64-based versions of Microsoft Windows

Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site: For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site: