KRB Response Too Big -> Switch to TCP - Kerberos



Thread: KRB Response Too Big -> Switch to TCP

  1. KRB Response Too Big -> Switch to TCP

    Hi,

    When a KRB5KRB_ERR_RESPONSE_TOO_BIG occurs on UDP, the packet
    retransmit through TCP? Why is that? I thought the fragmentation is
    done in IP level. Am I missing something?

    Thanks
    Joe


  2. Re: KRB Response Too Big -> Switch to TCP

    Hi Joe,
    The Kerberos token has a fixed size. If a user is a member of a group,
    either directly or by membership in another group, the security ID for
    that group is added to the user's token.
    For a SID to be added to the user's token, it must be communicated by
    using the Kerberos token.

    Not sure if this addresses your issue, but you can set the token size
    via

    regedt32
    HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters\
    MaxTokensize, Data type REG_DWORD, Decimal Value 65535

    The default MaxTokensize is 12000 decimal.
    Kerberos tickets are transmitted by default via UDP; if you need them to
    be transmitted via TCP, you can do the following:

    1. Start Registry Editor.
    2. Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
    Note: If the Parameters key does not exist, create it now.
    3. On the Edit menu, point to New, and then click DWORD Value.
    4. Type MaxPacketSize, and then press ENTER.
    5. Double-click MaxPacketSize, type 1 in the Value data box, click to
    select the Decimal option, and then click OK.
    6. Quit Registry Editor.
    7. Restart your computer.

    Joe wrote:
    > Hi,
    >
    > When a KRB5KRB_ERR_RESPONSE_TOO_BIG occurs on UDP, the packet
    > retransmit through TCP? Why is that? I thought the fragmentation is
    > done in IP level. Am I missing something?
    >
    > Thanks
    > Joe
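
The two mechanisms discussed in this thread, the KDC's KRB_ERR_RESPONSE_TOO_BIG fallback that Joe asked about and the client-side size threshold that the MaxPacketSize value in the reply controls, can be seen side by side in the following model. This is an added example, not code from either poster or from any Kerberos implementation: the KDC is an in-memory stub, the UDP limit of 1400 bytes is a constructed value, and the `max_packet_size` parameter is this example's own way of modelling the Windows registry value (1 means "always TCP"). The RFC 4120 facts it relies on are that KRB-ERROR is ASN.1 tag [APPLICATION 30], that KRB_ERR_RESPONSE_TOO_BIG is error-code 52, and that TCP messages carry a 4-octet big-endian length prefix whose high bit must be zero.

```python
"""Toy model of a Kerberos client's UDP-vs-TCP decision (added example).

Modelled behaviour:
  * RFC 4120 section 7.2: a KDC whose reply will not fit in a UDP datagram
    answers with KRB-ERROR error-code 52 (KRB_ERR_RESPONSE_TOO_BIG) and the
    client retries the same request over TCP, where each message is framed
    by a 4-octet big-endian length (high bit reserved, must be zero);
  * a client-side threshold like the Windows MaxPacketSize value: requests
    larger than the threshold go straight to TCP, and 1 forces TCP always.
"""
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code
KRB_ERROR_TAG = 0x7E            # [APPLICATION 30] constructed = KRB-ERROR
UDP_MTU_LIMIT = 1400            # constructed stub limit, not a protocol constant


def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def der_int(value):
    """Minimal two's-complement DER INTEGER."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return der_tlv(0x02, body)


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, payload, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    return tag, buf[pos:pos + length], pos + length


def build_krb_error(error_code):
    """Minimal KRB-ERROR carrying only pvno [0], msg-type [1], error-code [6]."""
    fields = (der_tlv(0xA0, der_int(5)) + der_tlv(0xA1, der_int(30))
              + der_tlv(0xA6, der_int(error_code)))
    return der_tlv(KRB_ERROR_TAG, der_tlv(0x30, fields))


def parse_krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None if msg is not one."""
    if not msg or msg[0] != KRB_ERROR_TAG:
        return None
    _, seq, _ = der_read(msg)
    _, fields, _ = der_read(seq)
    pos = 0
    while pos < len(fields):
        tag, payload, pos = der_read(fields, pos)
        if tag == 0xA6:                      # [6] error-code
            _, body, _ = der_read(payload)
            return int.from_bytes(body, "big", signed=True)
    return None


def tcp_frame(msg):
    """RFC 4120 7.2.2 framing: 4-octet network-order length, high bit zero."""
    if len(msg) >= 1 << 31:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack("!I", len(msg)) + msg


def tcp_unframe(data):
    (length,) = struct.unpack("!I", data[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in length prefix")
    return data[4:4 + length]


class StubKDC:
    """In-memory KDC whose reply is `reply_size` bytes of constructed filler."""

    def __init__(self, reply_size):
        self.reply = b"\x6b" + b"R" * (reply_size - 1)   # 0x6b = AS-REP tag
        self.log = []                                     # transports seen

    def udp(self, request):
        self.log.append("udp")
        if len(self.reply) > UDP_MTU_LIMIT:
            return build_krb_error(KRB_ERR_RESPONSE_TOO_BIG)
        return self.reply

    def tcp(self, framed_request):
        self.log.append("tcp")
        tcp_unframe(framed_request)          # validate the client's framing
        return tcp_frame(self.reply)


def kdc_exchange(kdc, request, max_packet_size=None):
    """Send request to kdc; return (transport_used, reply).

    max_packet_size models the Windows MaxPacketSize value (hypothetical
    parameter name): None means no client-side threshold.
    """
    force_tcp = max_packet_size is not None and len(request) > max_packet_size
    if not force_tcp:
        reply = kdc.udp(request)
        if parse_krb_error_code(reply) != KRB_ERR_RESPONSE_TOO_BIG:
            return "udp", reply
        # KDC could not fit its reply in a datagram: retry over TCP
    reply = tcp_unframe(kdc.tcp(tcp_frame(request)))
    return "tcp", reply


if __name__ == "__main__":
    req = b"AS-REQ" * 30                     # constructed request
    for size, threshold in ((300, None), (5000, None), (300, 1)):
        kdc = StubKDC(size)
        used, _ = kdc_exchange(kdc, req, threshold)
        print(f"reply {size:>5} bytes, MaxPacketSize={threshold}: {used} {kdc.log}")
```

The first case completes over UDP, the second shows the RFC fallback (a UDP attempt, a KRB-ERROR 52, then a TCP retry), and the third never touches UDP because the threshold is 1, which is what the registry change in the reply above achieves on a Windows client.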


