KRB Response Too Big -> Switch to TCP
WaiHon
wai.hon.lam at gmail.com
Wed Jul 26 14:22:53 EDT 2006
Hi Joe,
The Kerberos token has a fixed size. If a user is a member of a group
either directly or by membership in another group, the security ID for
that group is added to a user's token.
For a SID to be added to the user's token, it must be communicated by
using the Kerberos token.
Not sure if this addresses your issue, but you can set the token size
via regedt32:
HKLM\System\CurrentControlSet\Control\LSA\Kerberos\Parameters\
MaxTokensize, Data type REG_DWORD, Decimal Value 65535
The default MaxTokensize is 12000 decimal.
Kerberos tickets are transmitted by default via UDP. If you need them
to be transmitted via TCP, you can do the following:
1. Start Registry Editor.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note: If the Parameters key does not exist, create it now.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, click to
select the Decimal option, and then click OK.
6. Quit Registry Editor.
7. Restart your computer.
Joe wrote:
> Hi,
>
> When a KRB5KRB_ERR_RESPONSE_TOO_BIG occurs on UDP, the packet
> retransmits through TCP? Why is that? I thought the fragmentation is
> done at the IP level. Am I missing something?
>
> Thanks
> Joe
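
The MaxPacketSize steps from the reply above, as a PowerShell sketch. This is an added example, not part of the original post or thread; the function name Set-KerberosMaxPacketSize is hypothetical, and it assumes an elevated session on the Windows client.

```powershell
# Added example (not from the original post): scripted form of steps 1-7.
# Set-KerberosMaxPacketSize is a hypothetical name chosen for this sketch.
function Set-KerberosMaxPacketSize {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Value given in the post: 1 (decimal)
        [int]$Value = 1
    )

    $key = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

    # Step 2 note: create the Parameters key if it does not exist.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    # Record the current values so the change can be reviewed or rolled back.
    $before = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Steps 3-5: create (or overwrite) the DWORD value MaxPacketSize.
    if ($PSCmdlet.ShouldProcess("$key\MaxPacketSize", "Set DWORD to $Value")) {
        New-ItemProperty -Path $key -Name 'MaxPacketSize' `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }

    $after = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Report before/after, plus the token size setting also mentioned in the post.
    [pscustomobject]@{
        MaxPacketSizeBefore = $before.MaxPacketSize
        MaxPacketSizeAfter  = $after.MaxPacketSize
        MaxTokenSize        = $after.MaxTokenSize   # empty if never set
        RestartRequired     = $true                 # step 7: restart the computer
    }
}

# Preview the change without writing anything:
Set-KerberosMaxPacketSize -WhatIf
```

Run it without -WhatIf to apply the value, then restart the computer as in step 7.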