information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.??

Jeffrey Altman jaltman2 at nyc.rr.com
Thu Feb 23 09:23:01 EST 2006


KRB_ERR_RESPONSE_TOO_BIG is sent by the Windows KDC when the number of
groups to which the requested principal belongs results in a PAC,
Microsoft's authorization data structure, that when added to the
Kerberos ticket results in the ticket being larger than the current
IP MTU size. The error is an indication to the Kerberos client that
the client should switch to TCP instead of UDP.

Jeffrey Altman


Surendra Babu A wrote:
> Dear Kerberos Team,
> 
> I need some information about Kerberos error of KRB_ERR_RESPONSE_TOO_BIG.
> 
> My question is:
> ============
> 1. With our implementation of Kerberos (we are using MIT), we are not seeing this error when we use UDP connection in Windows environment. (KDC server is at : Windows 2000 server , service pack4). 
> 
> But some other kerberos implementation (used same MIT code) is giving the error of KRB_ERR_RESPONSE_TOO_BIG with the same Windows KDC Server.
> 
> Could you please let me know why we are seeing this difference? Any specific reason for this in my implementation?
> 
> Thanks a lot in advance,
> -Surendra
> 
>   ----- Original Message ----- 
>   From: Douglas E. Engert 
>   To: Surendra Babu A 
>   Cc: kerberos at mit.edu 
>   Sent: Friday, February 03, 2006 9:12 PM
>   Subject: Re: Shall I capture Kerberos-password failure error message ALONE?
> 
> 
> 
> 
>   Surendra Babu A wrote:
> 
>   > And one more thing: I am using Windows 2003 exchange server as my KDC server.
> 
>   AD does have alert messages about KDC failures. Note that the password is never
>   sent to the KDC. The KDC can only detect a failure if pre-auth is used, and the
>   client returns a pre-auth response encrypted in the wrong key generated from
>   the wrong password and salt.
> 
>   > 
>   > Please let me know your thoughts.
>   > 
>   > Thank you,
>   > -Surendra
>   >   ----- Original Message ----- 
>   >   From: Surendra Babu A 
>   >   To: kerberos at mit.edu 
>   >   Sent: Thursday, February 02, 2006 12:58 PM
>   >   Subject: Shall I capture Kerberos-password failure error message ALONE?
>   > 
>   > 
>   >   Hi Kerberos Team,
>   > 
>   >   If I enter the wrong password at the KDC client, the KDC server gives the response of PREAUTH_FAILURE error. Right? 
>   > 
>   >   1. Is there any way I can get the password failure error message? Is it true that 
>   >   "Password verification will be done before sending preauth failure message?" 
>   > 
>   > 
>   >   2. Can I capture the error message of password failure alone (regardless of preauth failure error?) That means, if I enter the wrong password, the KDC server should reply with error. If I enter correct password, KDC should respond with SUCCESS message (without considering the preauth failure error). Is it possible with krb5 code?
>   > 
>   >   Please let me know your thoughts. Thank you.
>   >   -Surendra
>   > ________________________________________________
>   > Kerberos mailing list           Kerberos at mit.edu
>   > https://mailman.mit.edu/mailman/listinfo/kerberos
>   > 
>   > 
> 
>   -- 
> 
>     Douglas E. Engert  <DEEngert at anl.gov>
>     Argonne National Laboratory
>     9700 South Cass Avenue
>     Argonne, Illinois  60439
>     (630) 252-5444
> 
> 
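As an added illustration of the behaviour Jeffrey describes above (not code from the thread or from MIT Kerberos): a client that tries UDP first, recognises a KRB-ERROR carrying error-code 52 (KRB_ERR_RESPONSE_TOO_BIG, RFC 4120), and resends the same request over TCP with the 4-byte length prefix that Kerberos-over-TCP requires. The transports are injected so it runs offline; the KRB-ERROR message is constructed here, not captured from a Windows KDC.

```python
import struct
KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120 section 7.5.9: KDC tells the client to retry over TCP

def der(tag, body):
    """Encode one DER TLV (short-form length only; enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_int(v):
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def ctx(n, inner):  # context-specific constructed tag [n]
    return der(0xA0 | n, inner)

# Constructed sample KRB-ERROR ([APPLICATION 30] SEQUENCE) with pvno, msg-type, stime, susec, error-code, realm
SAMPLE_TOO_BIG = der(0x7E, der(0x30,
    ctx(0, der_int(5)) + ctx(1, der_int(30))
    + ctx(4, der(0x18, b"20060223142301Z")) + ctx(5, der_int(0))
    + ctx(6, der_int(KRB_ERR_RESPONSE_TOO_BIG))
    + ctx(9, der(0x1B, b"EXAMPLE.COM"))))

def der_iter(buf):
    """Yield (tag, value) for consecutive TLVs; handles long-form lengths."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + ln]
        i += ln

def krb_error_code(msg):
    """Return error-code from a KRB-ERROR message, or None if msg is not one."""
    if len(msg) < 2 or msg[0] != 0x7E:  # not [APPLICATION 30]
        return None
    _, seq = next(der_iter(msg))
    _, fields = next(der_iter(seq))
    for t, v in der_iter(fields):
        if t == 0xA6:  # [6] error-code
            return int.from_bytes(next(der_iter(v))[1], "big", signed=True)
    return None

def kdc_exchange(request, send_udp, send_tcp):
    """UDP first; on KRB_ERR_RESPONSE_TOO_BIG resend over TCP with the 4-byte
    big-endian length prefix of RFC 4120 section 7.2.2. Returns (reply, transport)."""
    reply = send_udp(request)
    if krb_error_code(reply) != KRB_ERR_RESPONSE_TOO_BIG:
        return reply, "udp"
    reply = send_tcp(struct.pack(">I", len(request)) + request)
    return reply[4:], "tcp"  # strip the length prefix from the TCP reply
```

A real client would open UDP and TCP sockets to port 88 in place of `send_udp` and `send_tcp`; the decision logic and framing are the same.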


