Kerberos over IPSEC VPN

[andybosc]

I have setup an Ipsec VPN tunnel between 2 sites. Users at the remote site have had major difficulties logging on to windows. The process would take about an hour. I have found out that Kerberos is the cause of the problem, trying to send a 2000 byte UDP packet over a VPN tunnel that will not fragment any packets. There is a way to set Kerberos to transmit over TCP with a smaller MTU value, but this involves a huge amount of work modifying registry values in alot of PCs. Is there any other alternative?

Thanx.

 

[John Lewis]

Sounds like you've already been there, but just in case this is covered in

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474

Don't think you will find a way around this without modifying the registry by some means. The problem you are having in it's self may cause problems with the Group Policy approach that is suggested in this situation.

Another option would be to put the registry settings in a .reg file and running that on each machine.

 

[bcastner]

There are several ways to push a registry change:

http://msdn.microsoft.com/library/d...w2kmag01/html/DistributingRegistryChanges.asp