Problem with cross realm trust and udp between AD and MIT

[Russell Shapiro]

I have a one way trust between AD KDC and MIT KDC, where MIT trusts
AD. This seems to mostly work where windows clients can retrieve MIT
service tickets. There are some windows accounts, however, where I
believe there are too many groups which causes problems. When trying
to get a service ticket from the MIT KDC with one of these windows
accts I get the following error message in the MIT kdc log:

ASN.1 encoding ended unexpectedly - while dispatching (udp)

We have tcp enabled for the MIT KDC but it seems that the windows
client only ever tries udp, which I'm assuming is too small for the
request based on the error message. It may be that we missed something
in the configuration of the MIT KDC so that it will tell the windows
client to try tcp instead? I set the MaxPacketSize to 1 on the windows
client to try and force tcp but that doesn't seem to work to the MIT
KDC. Is there anything we need to set to make sure that the request
will come over tcp, if that is, in fact, our problem? Any suggestions
or help on resolving this would be most appreciated. Ideally we
wouldn't even send the PAC data in the request to the MIT KDC but it
isn't clear that can be done either. Anu suggestions? Thanks in
advance.