Problem with cross realm trust and udp between AD and MIT

Jeffrey Altman jaltman2 at
Wed Jun 23 00:39:12 EDT 2004

Have you turned on TCP support on the MIT KDC?

You need to use MIT KDC 1.3.x; turn on TCP support; and
set the TcpSupported flag on the MIT realm with KSETUP.

Jeffrey Altman

Russell Shapiro wrote:
> I have a one way trust between AD KDC and MIT KDC, where MIT trusts
> AD. This seems to mostly work where windows clients can retrieve MIT
> service tickets. There are some windows accounts, however, where I
> believe there are too many groups which causes problems. When trying
> to get a service ticket from the MIT KDC with one of these windows
> accts I get the following error message in the MIT kdc log:
> ASN.1 encoding ended unexpectedly - while dispatching (udp)
> We have tcp enabled for the MIT KDC but it seems that the windows
> client only ever tries udp, which I'm assuming is too small for the
> request based on the error message. It may be that we missed something
> in the configuration of the MIT KDC so that it will tell the windows
> client to try tcp instead? I set the MaxPacketSize to 1 on the windows
> client to try and force tcp but that doesn't seem to work to the MIT
> KDC. Is there anything we need to set to make sure that the request
> will come over tcp, if that is, in fact, our problem? Any suggestions
> or help on resolving this would be most appreciated. Ideally we
> wouldn't even send the PAC data in the request to the MIT KDC but it
> isn't clear that can be done either. Anu suggestions? Thanks in
> advance.

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

More information about the Kerberos mailing list