Title: Message
That is pretty easy to see in network traces: you will see a kerb packet being retried, usually again and again. Also, if you trace both sides, you will see a kerb packet that starts out from one machine and never makes it to the other machine, and some device (for some reason my experience is always with Cisco routers or load balancers) is tossing packets out because it doesn't like some fragmentation or the size of the packets, and requires IOS updates or configuration changes to fix. Alternatively, I have seen improperly configured NIC cards cause the issue as well; again, it has to do with packet size issues, etc.
 
From initial design, I think UDP was used because it was figured that Kerberos would be used on well connected networks where UDP usually does fine and is faster because of less overhead. TCP is more common for poorly connected machines and requires the additional overhead to maintain the conversation properly. I believe the RFC actually only mentions UDP for the implementation.
 
Whether this is Kerberos or not, this is again a case of doing a network trace to see exactly what is happening versus trying to guess from symptoms.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, February 01, 2005 2:10 PM
To: [email protected]
Subject: RE: [ActiveDir] Outlook/Exchange Issue

We have lots of Kerberos authentication problems over VPN connections. The solution is to force Kerberos to use TCP.
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001
 
Not sure if that is your problem, but it's worth a shot.
 
BTW, does anyone know why Kerberos was designed to use UDP in the first place? Seems pretty silly to me.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 01, 2005 1:59 PM
To: [email protected]
Subject: [ActiveDir] Outlook/Exchange Issue

I have a frustrating problem:

We have a W2k AD domain with 3 sites and 5 subnets – 3 bound to our HQ site and one each bound to our other two sites. These sites are connected by persistent VPN connections using our Nokia Checkpoint firewalls – two of our sites have dedicated T3 connections and the other site has a dedicated T1. Each site has a GC.

I recently configured a laptop here in our main site for a user in our LA site. The laptop has a wired and wireless connection, however, our only site with wireless access is our main site – but since the user travels between sites periodically I configured the wireless connection as well. I installed Office 2000 from an administrative installation point at this site and configured Outlook to connect to our sole Exchange server here at our main site. I also set up the user’s Outlook profile from this site, connected to our Exchange server, synchronized the user’s mailbox (I set up Outlook in cached mode) and all worked well.

After shipping the laptop to the user at the remote site, I got a call from the user. Outlook hangs after opening and gives me the “Not Responding” even after leaving it alone for 10+ minutes.

One of the other techs here is working on the problem and he tried repairing the Office installation, disabling the wireless connection, reinstalling Outlook, tried creating a new user profile, but nothing has been successful so far.

 

Has anyone experienced this before? If I have left out any info, please let me know and I will provide it.

 

 

Dan DeStefano
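
The two-sided trace comparison described in joe's reply at the top of the thread, as an added example that is not part of any message here: it takes packet summaries from a client-side and a KDC-side capture and reports Kerberos UDP requests that the client retried, whether they ever arrived, and whether their size would force IP fragmentation. The record format, the payload digest field, the addresses and the 1400-byte path MTU are all assumptions made for the illustration.

```python
from collections import Counter, namedtuple

# One record per captured packet. "digest" is a hash of the payload so that a
# retransmitted request matches itself in both captures (assumed export format).
Packet = namedtuple("Packet", "src dst proto dport payload_len digest")

KERBEROS_PORT = 88
IP_UDP_HEADERS = 20 + 8  # IPv4 header without options + UDP header


def find_retried_kerberos_requests(client_trace, kdc_trace, path_mtu=1500, min_sends=2):
    """Requests the client sent min_sends+ times over UDP, and whether the KDC saw them."""
    def key(p):
        return (p.src, p.dst, p.digest)

    client_udp = [p for p in client_trace if p.proto == "udp" and p.dport == KERBEROS_PORT]
    arrived = {key(p) for p in kdc_trace if p.proto == "udp" and p.dport == KERBEROS_PORT}
    sends = Counter(key(p) for p in client_udp)
    sizes = {key(p): p.payload_len for p in client_udp}

    findings = []
    for k, count in sends.items():
        if count < min_sends:
            continue  # sent once, not retried
        findings.append({
            "client": k[0], "kdc": k[1], "digest": k[2], "sends": count,
            "needs_fragmentation": sizes[k] + IP_UDP_HEADERS > path_mtu,
            "seen_at_kdc": k in arrived,
        })
    return findings


# Constructed sample data (not from the thread): a small request that gets through
# and a large one that is sent three times and never shows up in the KDC-side trace.
CLIENT_TRACE = [
    Packet("10.2.0.15", "10.1.0.5", "udp", 88, 290, "d1"),
    Packet("10.2.0.15", "10.1.0.5", "udp", 88, 1810, "d2"),
    Packet("10.2.0.15", "10.1.0.5", "udp", 88, 1810, "d2"),
    Packet("10.2.0.15", "10.1.0.5", "udp", 88, 1810, "d2"),
]
KDC_TRACE = [Packet("10.2.0.15", "10.1.0.5", "udp", 88, 290, "d1")]

if __name__ == "__main__":
    for f in find_retried_kerberos_requests(CLIENT_TRACE, KDC_TRACE, path_mtu=1400):
        where = "reached the KDC" if f["seen_at_kdc"] else "lost between the two capture points"
        print(f"{f['client']} -> {f['kdc']} {f['digest']}: sent {f['sends']}x, "
              f"needs_fragmentation={f['needs_fragmentation']}, {where}")
```

A request that is retried, needs fragmentation and never appears on the KDC side matches the pattern joe attributes to a device in the path discarding packets. One that is retried but does appear on the KDC side points at the reply path instead.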

 

 
