Problem with cross realm trust and udp between AD and MIT

Russell Shapiro russell_shapiro at
Wed Jun 23 07:05:29 EDT 2004

Thanks for your response. I don't see the /SetRealmFlags on my version
of KSETUP? Do I need a specific version? Here are the switches I see:

ksetup /?

/SetRealm DnsDomainName -- set name of RFC1510 Kerberos Realm
/MapUser Principal Account -- Map Kerberos Principal to account (* =
/AddKdc RealmName KdcName -- add additional KDC address for the given
/DelKdc RealmName KdcName -- delete instance(s) of KDC address for the
/AddKpasswd Realmname KpasswdName -- Add Kpasswd server address for a
/DelKpasswd Realmname KpasswdName -- Delete Kpasswd server address for
a realm
/Server Servername -- specify name of a Windows 2000 machine to target
/SetComputerPassword Password -- set the local machine's password
/Domain DomainName -- use this domain (blank for domain in your
logged-on domain
/ChangePassword OldPasswd NewPasswd -- change logged-on user's
password via Kpassword


Jeffrey Altman <jaltman2 at> wrote in message news:<40D90970.1040804 at>...
> Have you turned on TCP support on the MIT KDC?
> You need to use MIT KDC 1.3.x; turn on TCP support; and
> set the TcpSupported flag on the MIT realm with KSETUP.
> Jeffrey Altman
> Russell Shapiro wrote:
> > I have a one way trust between AD KDC and MIT KDC, where MIT trusts
> > AD. This seems to mostly work where windows clients can retrieve MIT
> > service tickets. There are some windows accounts, however, where I
> > believe there are too many groups which causes problems. When trying
> > to get a service ticket from the MIT KDC with one of these windows
> > accts I get the following error message in the MIT kdc log:
> > 
> > ASN.1 encoding ended unexpectedly - while dispatching (udp)
> > 
> > We have tcp enabled for the MIT KDC but it seems that the windows
> > client only ever tries udp, which I'm assuming is too small for the
> > request based on the error message. It may be that we missed something
> > in the configuration of the MIT KDC so that it will tell the windows
> > client to try tcp instead? I set the MaxPacketSize to 1 on the windows
> > client to try and force tcp but that doesn't seem to work to the MIT
> > KDC. Is there anything we need to set to make sure that the request
> > will come over tcp, if that is, in fact, our problem? Any suggestions
> > or help on resolving this would be most appreciated. Ideally we
> > wouldn't even send the PAC data in the request to the MIT KDC but it
> > isn't clear that can be done either. Any suggestions? Thanks in
> > advance.
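The UDP-versus-TCP decision the thread is circling, as an added example that is not from the thread or from MIT/Microsoft code: a client is expected to switch to TCP either when its own request exceeds its UDP threshold (the role of MaxPacketSize on Windows) or when the KDC answers with a KRB-ERROR carrying error-code 52, KRB_ERR_RESPONSE_TOO_BIG (RFC 4120 section 7.2.1). The KRB-ERROR below is constructed with a minimal DER encoder; the realm EXAMPLE.COM, the timestamp and the threshold passed by the caller are assumptions.

```python
KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 7.2.1: the KDC's "retry this over TCP" signal

def der_len(n):                 # DER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_int(v):                 # INTEGER, minimal two's-complement length
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))
def ctx(n, body):               # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)
def kstr(s):                    # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))

def build_krb_error(code, realm="EXAMPLE.COM"):
    """Constructed sample KRB-ERROR (RFC 4120 5.9.1), required fields only."""
    sname = tlv(0x30, ctx(0, der_int(2)) + ctx(1, tlv(0x30, kstr("krbtgt") + kstr(realm))))
    fields = (ctx(0, der_int(5)) + ctx(1, der_int(30))                      # pvno, msg-type
              + ctx(4, tlv(0x18, b"20040623110529Z")) + ctx(5, der_int(0))  # stime, susec
              + ctx(6, der_int(code)) + ctx(9, kstr(realm)) + ctx(10, sname))
    return tlv(0x7E, tlv(0x30, fields))                                      # [APPLICATION 30] SEQUENCE

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):   # a message truncated in transit fails here
        raise ValueError("ASN.1 encoding ended unexpectedly")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """error-code of a DER KRB-ERROR, or None if msg is some other message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x7E:
        return None
    pos, seq = 0, read_tlv(body, 0)[1]
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA6:                   # error-code [6]
            return int.from_bytes(read_tlv(field, 0)[1], "big", signed=True)
    return None

def choose_transport(request, max_udp, reply=None):
    """'tcp' if the request exceeds the UDP threshold or the KDC said TOO_BIG."""
    too_big = reply is not None and krb_error_code(reply) == KRB_ERR_RESPONSE_TOO_BIG
    return "tcp" if len(request) > max_udp or too_big else "udp"
```

A KDC that is not configured to answer with KRB_ERR_RESPONSE_TOO_BIG, or a client that never consults that error, leaves only the request-size threshold as the trigger for TCP.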
