UDP and fragmentation
Victor Sudakov
vas at mpeks.no-spam-here.tomsk.su
Tue Sep 14 00:45:25 EDT 2010
Greg Hudson wrote:
> > BTW what can make Kerberos packets so big? Microsoft says: "Depending
> > on a variety of factors including security identifier (SID) history
> > and group membership, some accounts will have larger Kerberos
> > authentication packet sizes." What's there inside? Long principal
> > names? Long keys?
> An Active Directory KDC will include authorization data within a
> Kerberos ticket which includes the set of groups you are a member of.
> If that's a lot of groups, then your ticket will be large.
It is very interesting. Where is room in a Kerberos ticket for
such data?
I have tried to examine the large Active Directory KDC packets with
Wireshark and found nothing unusual (I think nothing I have not
already seen in Heimdal packets).
> Another way Kerberos packets can get big is Diffie-Hellman values
> conveyed for PKINIT during initial authentication.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
More information about the Kerberos
mailing list