information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.??

Surendra Babu A surendra.a at samsung.com
Thu Feb 23 03:41:26 EST 2006 

Dear Kerbros Team,

I need some information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.

My question is:
============
1. With our implementation of Kerberos (we are using MIT), we are not seeing this error when we use UDP connection in Windows environment. (KDC server is at : Windows 2000 server , service pack4). 

But some other kerberos implementation (used same MIT code) is giving the error of KRB_ERR_RESPONSE_TOO_BIG with the same Windows KDC Server.

Could you please let me know why we are seeing this difference? Any specific reason for this in my implementation?

Thanks a lot in advance,
-Surendra

  ----- Original Message ----- 
  From: Douglas E. Engert 
  To: Surendra Babu A 
  Cc: kerberos at mit.edu 
  Sent: Friday, February 03, 2006 9:12 PM
  Subject: Re: Shall I capture Kerberos-password failure error message ALONE?




  Surendra Babu A wrote:

  > And one more thing: I am using Windows 2003 exchange server as my KDC server.

  AD does have alert messages about KDC failures. Note that the password is never
  sent to the KDC. The KDC can only detect a failure if pre-auth is used, and the
  client returns a pre-auth response encrypted in the wrong key generated from
  the wrong password and salt.

  > 
  > Please let me know your thoughts.
  > 
  > Thank you,
  > -Surendra
  >   ----- Original Message ----- 
  >   From: Surendra Babu A 
  >   To: kerberos at mit.edu 
  >   Sent: Thursday, February 02, 2006 12:58 PM
  >   Subject: Shall I capture Kerberos-password failure error message ALONE?
  > 
  > 
  >   Hi Kerbros Team,
  > 
  >   If I enter the wrong passowrd at KDc client, the KDC server gives the response of PREAUTH_FAULRE error. Right? 
  > 
  >   1. Is there anyway, i can get password failure error message? Is it true that 
  >   "Password verification will be done before sending preauth failure message?" 
  > 
  > 
  >   2. Can I capture the error message of password failure alone (regardless of preauth failure error?) That means, if I enter the wrong password, the KDC server should reply with error. If I enter correct password, KDC should respond with SUCCESS message (without considering the preauth failure error). Is it possible with krb5 code?
  > 
  >   Please let me know your thoughts. Thank you.
  >   -Surendra
  > ________________________________________________
  > Kerberos mailing list           Kerberos at mit.edu
  > https://mailman.mit.edu/mailman/listinfo/kerberos
  > 
  > 

  -- 

    Douglas E. Engert  <DEEngert at anl.gov>
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois  60439
    (630) 252-5444

More information about the Kerberos mailing list