UDP and fragmentation

Greg Hudson ghudson at MIT.EDU
Mon Sep 13 16:14:45 EDT 2010


On Mon, 2010-09-13 at 05:21 -0400, Victor Sudakov wrote:
> BTW what can make Kerberos packets so big? Microsoft says: "Depending
> on a variety of factors including security identifier (SID) history
> and group membership, some accounts will have larger Kerberos
> authentication packet sizes." What's there inside? Long principal
> names? Long keys?

An Active Directory KDC will include authorization data within a
Kerberos ticket which includes the set of groups you are a member of.
If that's a lot of groups, then your ticket will be large.

Another way Kerberos packets can get big is Diffie-Hellman values
conveyed for PKINIT during initial authentication.




