When the application on your member server uses Kerberos to authenticate users, you experience a delay in user authentication and an increase in RPC (Remote Procedure Call) traffic between the authenticating domain controller and your member server.

If you enable debug logging for the Net Logon service on the DC and / or member server, the System log contains:

\[LOGON\] SamLogon: Generic logon of \(null) from (null) Package:Kerberos Entered

This behavior occurs because the Kerberos client verifies the PAC (Privilege Attribute Certificate) signature in the Kerberos ticket, to prevent PAC spoofing, because all user-mode applications are considered to be untrusted callers.

Microsoft is aware of this problem.

To enable debug logging for the Net Logon service, we will use REG.EXE, built into Windows XP and Windows Server 2003, or installed from the Windows 2000 Support Tools:

1. Open a CMD.EXE windows.

2. Type the following commands, pressing Enter after each line:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /V DBFlag /T REG_DWORD /F /D 0x2080FFFF
net stop "Net Logon"
net start "Net Logon"

To disable debug logging for the Net Logon service:

1. Open a CMD.EXE windows.

2. Type the following commands, pressing Enter after each line:

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters /V DBFlag /T REG_DWORD /F /D 0x0
net stop "Net Logon"
net start "Net Logon"