Technology and Entertainment Blog

Cannot send mailslot to 'DC' via browser



The NetDiag Redirection and Browser test failed with error "[FATAL] Cannot send mailslot message to 'DC Name' via browser". A limitation on the UDP packet size may cause this error.

The Windows Kerberos authentication package is the default authentication package in Windows Server 2003 and in Windows Server 2008. It coexists with the NTLM challenge/response protocol and is used in instances where both a client and a server can negotiate Kerberos. When a client contacts the Key Distribution Center (KDC), it should send a User Datagram Protocol (UDP) datagram to port 88 at the IP address of the KDC.

The KDC should respond with a reply datagram to the sending port at the sender's IP address. The RFC also states that UDP must be the first protocol that is tried.

To resolve:

By default, the maximum size of datagram packets for which Windows Server 2003 uses UDP is 1,465 bytes. For Windows XP and for Windows 2000, this maximum is 2,000 bytes. Transmission Control Protocol (TCP) is used for any datagram packet that is larger than this maximum. The maximum size of datagram packets for which UDP is used can be changed by modifying a registry key and value.

By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors, including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.

If you change MaxPacketSize to a value of 1, you force the client to use TCP to send Kerberos traffic through the VPN tunnel. Because TCP is connection oriented, it is a more reliable means of transport across the VPN tunnel. Even if the packets are dropped, the server will re-request the missing data packet.

To set MaxPacketSize to 1 and force the clients to send Kerberos traffic over TCP, follow these steps:
1.    Start Registry Editor.
2.    Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note If the Parameters key does not exist, create it now.
3.    On the Edit menu, point to New, and then click DWORD Value.
4.    Type MaxPacketSize, and then press ENTER.
5.    Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
6.    Quit Registry Editor.
7.    Restart your computer.
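
The same registry change as a PowerShell script, added here as an example and not part of the original post. It assumes an elevated PowerShell session on the affected client; the variable and function names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: applies steps 2-5 above (create the Parameters key if missing,
# then set MaxPacketSize to decimal 1 as a DWORD) and verifies the result.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'MaxPacketSize'
$desired   = 1   # 1 forces Kerberos traffic onto TCP, as described above

# Returns the current MaxPacketSize, or $null when the key or value is absent.
function Get-KerberosMaxPacketSize {
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$valueName
}

# Record the starting state so the change can be reverted later if needed.
$before = Get-KerberosMaxPacketSize
if ($null -eq $before) {
    Write-Output "$valueName is not set; the OS default UDP limit is in effect."
} else {
    Write-Output "$valueName is currently $before."
}

if ($before -eq $desired) {
    Write-Output 'Kerberos is already configured to use TCP. No change made.'
    return
}

# Step 2 note: create the Parameters key if it does not exist.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Steps 3-5: create (or overwrite) the DWORD value with decimal 1.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $desired -Force | Out-Null

# Read the value back and fail loudly if it did not take.
$after = Get-KerberosMaxPacketSize
if ($after -ne $desired) {
    throw "Expected $valueName = $desired but found '$after'."
}

Write-Output "$valueName set to $after. Restart the computer for the change to take effect."
```

The script does not restart the machine; step 7 still has to be done afterwards.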
