Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Group Policy settings are not applied when a user in an external Kerberos realm logs on to a Windows XP Professional-based or to a Windows 2000 Professional-based computer in a child domain


View products that this article applies to.

Symptoms

A user in an external Kerberos realm logs on to a Microsoft Windows XP Professional-based computer or to a Microsoft Windows 2000 Professional-based computer in a child domain. Group Policy settings from a Microsoft Windows Server 2003-based domain controller in the parent domain are not applied.

↑ Back to the top


Cause

This issue occurs because of increased security in Microsoft Windows Server 2003.

↑ Back to the top


Resolution

This is a client-side fix. To resolve the issue, you must, at a minimum, install the hotfix on all client computers in the child domain. You must apply the hotfix to the following computers:
  • Windows Server 2003-based clients in the child domain
  • Windows XP Professional-based clients in the child domain
  • Windows 2000 Professional-based clients in the child domain
If any one of the Windows 2000-based or Windows Server 2003-based servers or domain controllers are performing client-side authentication requests for external Kerberos realm accounts, the hotfix should also be installed on these computers.

Note This problem does not just apply to child domains. This problem can occur across other transitive trust relationships. For example, the problem can occur in a domain in a different tree if a trusting domain in the same forest trusts an external Kerberos realm.

Windows Server 2003 service pack information

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

Windows Server 2003 hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

No prerequisites are required.

Restart requirement

You must restart the computer after you apply the hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows Server 2003, x-64-based versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Kerberos.dll5.2.3790.2452716,80025-May-200518:18x64SP1Not Applicable
Secur32.dll5.2.3790.2452122,88025-May-200518:18x64SP1Not Applicable
Wldap32.dll5.2.3790.2452399,36025-May-200518:18x64SP1Not Applicable
Wkerberos.dll5.2.3790.2452349,18425-May-200518:18x86SP1WOW
Wsecur32.dll5.2.3790.245266,56025-May-200518:18x86SP1WOW
Wwldap32.dll5.2.3790.2452178,68825-May-200518:18x86SP1WOW
Windows Server 2003, Enterprise Edition for Itanium-based Systems
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Kerberos.dll5.2.3790.335902,65625-May-200504:49IA-64NoneRTMQFE
Secur32.dll5.2.3790.335171,00825-May-200504:49IA-64NoneRTMQFE
Wldap32.dll5.2.3790.335426,49625-May-200504:49IA-64NoneRTMQFE
Wkerberos.dll5.2.3790.335342,01625-May-200504:49x86NoneWOW
Wsecur32.dll5.2.3790.33559,39225-May-200504:49x86NoneWOW
Wwldap32.dll5.2.3790.335162,30425-May-200504:49x86NoneWOW
Kerberos.dll5.2.3790.2452957,95225-May-200504:49IA-64SP1SP1QFE
Secur32.dll5.2.3790.2452190,97625-May-200504:49IA-64SP1SP1QFE
Wldap32.dll5.2.3790.2452453,12025-May-200504:49IA-64SP1SP1QFE
Wkerberos.dll5.2.3790.2452349,18425-May-200504:49x86SP1WOW
Wsecur32.dll5.2.3790.245266,56025-May-200504:49x86SP1WOW
Wwldap32.dll5.2.3790.2452178,68825-May-200504:49x86SP1WOW
Windows Server 2003, 32-bit versions
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Kerberos.dll5.2.3790.335342,01625-May-200516:48x86NoneRTMQFE
Secur32.dll5.2.3790.33564,51225-May-200516:48x86NoneRTMQFE
Wldap32.dll5.2.3790.335162,30425-May-200516:48x86NoneRTMQFE
Kerberos.dll5.2.3790.2452349,18425-May-200516:54x86SP1SP1QFE
Secur32.dll5.2.3790.245265,53625-May-200516:54x86SP1SP1QFE
Wldap32.dll5.2.3790.2452178,68825-May-200516:54x86SP1SP1QFE

Windows XP Professional hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

Windows XP Service Pack 2 (SP2)

Restart requirement

You must restart the computer after you apply the hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
File nameFile versionFile sizeDateTimePlatformSP requirementService branch
Kerberos.dll5.1.2600.2676295,93613-May-200517:10x86SP2SP2QFE
Wldap32.dll5.1.2600.2676172,03213-May-200517:10x86SP2SP2QFE

Windows 2000 Professional hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

Windows 2000 Service Pack 4 (SP4)

Restart requirement

You must restart the computer after you apply the hotfix.

Hotfix replacement information

This hotfix does not replace any other hotfixes.

File information

The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
File nameFile versionFile sizeDateTimePlatform
Adsldp.dll5.0.2195.6613125,71219-Jun-200307:35x86
Adsldpc.dll5.0.2195.6701133,90419-Jun-200307:35x86
Adsmsext.dll5.0.2195.666762,73619-Jun-200307:35x86
Advapi32.dll5.0.2195.6876388,36823-Mar-200413:47x86
Browser.dll5.0.2195.686669,90423-Mar-200413:47x86
Dnsapi.dll5.0.2195.6824134,92823-Mar-200413:47x86
Dnsrslvr.dll5.0.2195.687692,43223-Mar-200413:47x86
Eventlog.dll5.0.2195.688347,88823-Mar-200413:47x86
Kdcsvc.dll5.0.2195.6890143,63223-Mar-200413:47x86
Kerberos.dll5.0.2195.7049207,12012-May-200501:20x86
Ksecdd.sys5.0.2195.682471,88820-Sep-200312:02x86
Lsasrv.dll5.0.2195.6987513,29615-Oct-200405:46x86
Lsass.exe5.0.2195.690233,55225-Feb-200411:29x86
Msv1_0.dll5.0.2195.6897123,15210-Mar-200414:07x86
Netapi32.dll5.0.2195.6949309,00810-Jun-200404:28x86
Netlogon.dll5.0.2195.6891371,47223-Mar-200413:47x86
Ntdsa.dll5.0.2195.68961,028,88023-Mar-200413:47x86
Samsrv.dll5.0.2195.6897388,36823-Mar-200413:47x86
Scecli.dll5.0.2195.6893111,37623-Mar-200413:47x86
Scesrv.dll5.0.2195.6903253,20023-Mar-200413:47x86
Sp3res.dll5.0.2195.70406,309,37620-Apr-200521:37x86
W32time.dll5.0.2195.682450,96023-Mar-200413:47x86
W32tm.exe5.0.2195.682457,10420-Sep-200312:02x86
Wldap32.dll5.0.2195.7049127,24812-May-200518:28x86

↑ Back to the top


Workaround

To work around this issue, use one of the following methods:
  • Match the passwords for the external user account and for the currently mapped Windows user account in the parent domain.
  • Map the external Kerberos realm user account to an account in the child domain.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was first corrected in Microsoft Windows Server 2003 Service Pack 2.

↑ Back to the top


More information

This issue occurs after the following sequence of events:
  1. The Kerberos client queries the external realm to obtain the domain controller account.
  2. The external realm does not have the domain controller computer account from the parent domain. Therefore, the external realm returns a response of "unknown principal."
  3. The Kerberos client queries the child domain to obtain the domain controller account.
  4. The child domain issues a cross-realm Ticket Granting Ticket (TGT). Because the original TGT from the external realm does not contain a Privilege Attribute Certificate (PAC), the child domain creates a new PAC. This new PAC contains the parent domain groups to which the user belongs.
  5. The Kerberos client follows the referral to the parent domain. When the parent domain receives a cross-realm TGT that contains a PAC that includes security identifiers (SIDs) from its own domain, the parent domain refuses the TGT.
Windows Server 2003 security features verify that SIDs from a Key Distribution Center (KDC) in a trusted realm are not included in the PACs from another realm. This behavior helps prevent KDCs from obtaining increased rights in a realm that the KDCs do not maintain.

With this hotfix, the client computers can negotiate the trust path successfully. The client computers avoid the situation where a Windows Server 2003 KDC is presented with a PAC that includes SIDs from the Windows Server 2003 realm.

Windows 2000 Server does not have this additional SID filtering capability. Therefore, this issue does not occur in a Windows 2000 Server-based domain.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Technical support for x64-based versions of Microsoft Windows

Your hardware manufacturer provides technical support and assistance for x64-based versions of Windows. Your hardware manufacturer provides support because an x64-based version of Windows was included with your hardware. Your hardware manufacturer might have customized the installation of Windows with unique components. Unique components might include specific device drivers or might include optional settings to maximize the performance of the hardware. Microsoft will provide reasonable-effort assistance if you need technical help with your x64-based version of Windows. However, you might have to contact your manufacturer directly. Your manufacturer is best qualified to support the software that your manufacturer installed on the hardware.

For product information about Microsoft Windows XP Professional x64 Edition, visit the following Microsoft Web site: For product information about x64-based versions of Microsoft Windows Server 2003, visit the following Microsoft Web site:

↑ Back to the top


Keywords: kbautohotfix, kbwinserv2003sp2fix, kbqfe, kbhotfixserver, kbbug, kbfix, KB892090

↑ Back to the top

Article Info
Article ID : 892090
Revision : 5
Created on : 10/9/2011
Published on : 10/9/2011
Exists online : False
Views : 379