very long login times for certain user accounts

Discussion in 'Active Directory' started by Mike, Sep 28, 2006.

  1. Mike

    Mike Guest

    We have a small single domain (no-subs) network running WIN2003 sp1 servers.
    We have so far 2 accounts that have experienced a very long time to login and
    logoff. Approximately 10 mins. We have re-created one of those accounts and it
    has been fine until now. There are successful login entries for that id in
    the security log of one of the DC's. It definitely is not machine specific,
    that was tested and ruled out. One thing we have observed during
    troubleshooting is that there is a correlation (it seems) between the length
    of the user names and the amount of group memberships. I have set up test
    accounts with short and long names with same group membership as troubled
    accounts. The short named account is fine; the long named account has that
    issue. If I remove the group memberships on test account with long name it's
    fine.

    ????
    Thank you
     
    Mike, Sep 28, 2006
    #1

  2. I can't think the length of the user name would matter.

    Are you using roaming profiles?
    Event logs give you any clues?
    Group policy issues?
     
    Lanwench [MVP - Exchange], Sep 28, 2006
    #2

  3. Mike

    Jorge Silva Guest

    Hi
    Only 2 users?
    what about the others?
    check what Lanwench said and also differences in network configuration.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
    "Lanwench [MVP - Exchange]"
     
    Jorge Silva, Sep 28, 2006
    #3
  4. In
    If you are having problems with the "long names", which I assume that you
    are talking about the UPN (Universal Principal Name), such as
    , then that would indicate it cannot contact a GC. Same
    if you put it in a universal group. Both of these will force it to enumerate
    the name or group in the GC (Global Catalog). The GC is found by querying
    for the gc.msdcs.domain.com record, one of the SRV records in DNS.

    Therefore, this may look more like a DNS problem, or a domain name problem.
    Rule of thumb (just to get this out of the way), is to only specify the
    internal DC/DNS servers in ALL domain machines' IP properties (DCs, member
    servers and clients), otherwise numerous issues will result if an ISP's DNS
    or the Linksys router's address is specified as a DNS address.

    Another issue that can cause this (either in conjunction with the above or a
    standalone), is if the domain name is a single label name ("DOMAIN" rather
    than the required format of 'domain.com', or 'childdomain.domain.com', etc).

    To better assist, it will be helpful if you can please post an unedited
    ipconfig /all of one of the DCs and of a workstation.

    --
    Ace
    Innovative IT Concepts, Inc
    Willow Grove, PA

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.
    It's easy:

    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Infinite Diversities in Infinite Combinations
    Assimilation Imminent. Resistance is Futile
    "Very funny Scotty. Now, beam down my clothes."

    The only constant in life is change...
     
    Ace Fekay [MVP], Sep 29, 2006
    #4
  5. Mike

    Irv Guest

    How many groups are these guys in? If it's quite a few then you could try
    forcing Kerberos to use TCP instead of UDP

    HKLM\system\currentcontrolSet\Control\LSA\Kerberos\Parameters

    If "Parameters" does not exist, create it

    Add Value "MaxPacketSize"
    DataType DWord
    Value 1

    Reboot PC

    Cheers,

    Irv
     
    Irv, Sep 29, 2006
    #5
  6. Mike

    Mike Guest

    Problem solved.....we have a firewall that had udp:88 open but not tcp:88.
    Since the KDC will require tcp for the authentication process for certain
    users (based on account info) it was blocking that particular login attempt.

    Thank you all very much for your advice and help.
     
    Mike, Sep 29, 2006
    #6
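
A check for the two conditions this thread turned on, the MaxPacketSize value from post #5 and the firewall that passed udp:88 but not tcp:88 from post #6, written as an added PowerShell example that is not part of any post. The domain name `corp.example.com` is a placeholder, and the script assumes a Windows version that ships `Resolve-DnsName` and `Test-NetConnection`.

```powershell
# Added example: report the client's Kerberos MaxPacketSize setting and
# whether TCP port 88 is reachable on every KDC published in DNS.
param(
    # Assumption: placeholder AD DNS domain name, replace with your own.
    [string]$DomainDns = 'corp.example.com'
)

# Registry key named in post #5.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns the configured value, or $null when the key or value is absent
    # (absent means the operating system default applies).
    $p = Get-ItemProperty -Path $kerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($p) { [int]$p.MaxPacketSize } else { $null }
}

function Test-KdcTcp88 {
    param([string]$Domain)
    # Domain controllers register their KDC under this SRV name.
    $srv = Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $srv) {
        $t = Test-NetConnection -ComputerName $r.NameTarget -Port 88 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Kdc       = $r.NameTarget
            Address   = $t.RemoteAddress
            Tcp88Open = $t.TcpTestSucceeded
        }
    }
}

$max = Get-KerberosMaxPacketSize
if ($null -eq $max) { 'MaxPacketSize: not set (OS default)' }
else { "MaxPacketSize: $max" + $(if ($max -eq 1) { ' (Kerberos forced to TCP)' }) }

$results = Test-KdcTcp88 -Domain $DomainDns
$results | Format-Table -AutoSize

# A KDC that fails here matches the firewall condition described in post #6.
$blocked = $results | Where-Object { -not $_.Tcp88Open }
if ($blocked) {
    Write-Warning ('TCP/88 unreachable on: ' + ($blocked.Kdc -join ', ') +
        '. Kerberos exchanges that need TCP will fail against these hosts.')
}
```

Run it from an affected workstation so the test crosses the same firewall path the logon traffic does.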
  7. In
    Glad you figured it out!

    :)

    Ace
     
    Ace Fekay [MVP], Oct 5, 2006
    #7