UDP and fragmentation

Victor Sudakov vas at mpeks.no-spam-here.tomsk.su
Tue Sep 14 00:45:25 EDT 2010


Greg Hudson wrote:
> > BTW what can make Kerberos packets so big? Microsoft says: "Depending
> > on a variety of factors including security identifier (SID) history
> > and group membership, some accounts will have larger Kerberos
> > authentication packet sizes." What's there inside? Long principal
> > names? Long keys?

> An Active Directory KDC will include authorization data within a
> Kerberos ticket which includes the set of groups you are a member of.
> If that's a lot of groups, then your ticket will be large.

It is very interesting. Where is there room in a Kerberos ticket for
such data?

I have tried to examine the large Active Directory KDC packets with
Wireshark and found nothing unusual (I think nothing I have not
already seen in Heimdal packets).

> Another way Kerberos packets can get big is Diffie-Hellman values
> conveyed for PKINIT during initial authentication.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
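
Added example, not part of the original message: in the RFC 4120 ticket layout the authorization-data field sits inside the encrypted part (EncTicketPart), so a capture decoded without the service key shows the usual cleartext fields plus one opaque cipher string that grows. The Python below builds a constructed ticket and measures both parts; the realm, service name and zero-filled ciphertext are placeholders chosen for illustration.

```python
# Added example: DER walk over a CONSTRUCTED Kerberos Ticket; all values are placeholders.
def der(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, next_pos)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long form: low 7 bits = count of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + n], pos + n

def fields(seq_tlv):
    """Map context tag -> inner TLV for each member of a SEQUENCE."""
    out, body, pos = {}, read_tlv(seq_tlv)[1], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out[tag] = val
    return out

def build_ticket(cipher_len):
    """Ticket ::= [APPLICATION 1] SEQUENCE {tkt-vno, realm, sname, enc-part}."""
    names = der(0x30, der(0x1B, b"krbtgt") + der(0x1B, b"EXAMPLE.COM"))
    sname = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0xA1, names))
    enc = der(0x30, der(0xA0, der(0x02, b"\x12"))           # etype 18
                    + der(0xA2, der(0x04, bytes(cipher_len))))
    return der(0x61, der(0x30, der(0xA0, der(0x02, b"\x05"))
                               + der(0xA1, der(0x1B, b"EXAMPLE.COM"))
                               + der(0xA2, sname) + der(0xA3, enc)))

def summarize(ticket):
    """Return what is readable without the service key, plus sizes in bytes."""
    tag, seq, _ = read_tlv(ticket)
    if tag != 0x61:
        raise ValueError("not a Kerberos Ticket")
    top = fields(seq)
    enc = fields(top[0xA3])
    return {"realm": read_tlv(top[0xA1])[1].decode(),
            "etype": int.from_bytes(read_tlv(enc[0xA0])[1], "big"),
            "cipher": len(read_tlv(enc[0xA2])[1]),
            "total": len(ticket)}
```

Calling `summarize(build_ticket(4000))` gives a ticket whose cleartext framing stays under 100 bytes while the ticket alone is larger than a 1500-byte Ethernet MTU.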



More information about the Kerberos mailing list