UDP and fragmentation

Greg Hudson ghudson at MIT.EDU
Wed Sep 15 12:16:40 EDT 2010


On Tue, 2010-09-14 at 00:45 -0400, Victor Sudakov wrote:
> Greg Hudson wrote:
> > > BTW what can make Kerberos packets so big? Microsoft says: "Depending
> > > on a variety of factors including security identifier (SID) history
> > > and group membership, some accounts will have larger Kerberos
> > > authentication packet sizes." What's there inside? Long principal
> > > names? Long keys?
> 
> > An Active Directory KDC will include authorization data within a
> > Kerberos ticket which includes the set of groups you are a member of.
> > If that's a lot of groups, then your ticket will be large.
> 
> It is very interesting. Where is room in a Kerberos ticket for
> such data?

The KDC-REP contains a Ticket, which contains an EncTicketPart, which
contains AuthorizationData.  That's where the PAC is stored, which
contains (among other things) the list of groups.

Your packet traces may not be able to show you the authorization data
since it's within an encrypted blob, and the key for that blob is not
generally known by the client.  (The PAC information is for the benefit
of the service, not the client.)
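The nesting described in the reply above (KDC-REP carrying a Ticket whose EncTicketPart, and therefore its AuthorizationData and PAC, sits inside an EncryptedData blob) can be made concrete with a small DER walker. This is an added example, not code from the original post or from MIT krb5: it builds a Ticket from the RFC 4120 field layout using a constructed realm, service name and a made-up cipher text that stands in for the encrypted EncTicketPart, then parses it back the way a packet-trace tool would, reaching only the opaque cipher bytes.

```python
"""Added example (not part of the mailing-list post): encode a Kerberos Ticket
per RFC 4120 and walk it back with a minimal DER decoder.  All values below
(realm, service, cipher bytes) are constructed for illustration."""

# ---- DER encoding helpers (just enough X.690 for a Ticket) ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n: int, body: bytes) -> bytes:      # [n] EXPLICIT context-specific tag
    return tlv(0xA0 | n, body)

def integer(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def general_string(s: str) -> bytes:
    return tlv(0x1B, s.encode("ascii"))

def sequence(*items: bytes) -> bytes:
    return tlv(0x30, b"".join(items))

def build_ticket(realm: str, service: list[str], cipher: bytes,
                 etype: int = 18, kvno: int = 2) -> bytes:
    """Ticket ::= [APPLICATION 1] SEQUENCE {
         tkt-vno [0] INTEGER, realm [1] Realm, sname [2] PrincipalName,
         enc-part [3] EncryptedData }   -- enc-part hides the EncTicketPart."""
    sname = sequence(ctx(0, integer(2)),    # name-type NT-SRV-INST
                     ctx(1, sequence(*(general_string(p) for p in service))))
    enc_part = sequence(ctx(0, integer(etype)), ctx(1, integer(kvno)),
                        ctx(2, tlv(0x04, cipher)))   # cipher is an OCTET STRING
    body = sequence(ctx(0, integer(5)), ctx(1, general_string(realm)),
                    ctx(2, sname), ctx(3, enc_part))
    return tlv(0x61, body)                  # [APPLICATION 1], constructed

# ---- DER decoding ----
def read_tlv(buf: bytes, pos: int):
    tag = buf[pos]; pos += 1
    first = buf[pos]; pos += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes):
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def tagged_fields(seq_body: bytes) -> dict:
    """Map [n] context tags of a SEQUENCE body to the single inner (tag, value)."""
    return {t & 0x1F: children(v)[0] for t, v in children(seq_body)}

def describe_ticket(der: bytes) -> dict:
    """Report everything a trace can see without the service's long-term key."""
    tag, app_body, _ = read_tlv(der, 0)
    assert tag == 0x61, "not a Kerberos Ticket ([APPLICATION 1])"
    _, seq_body, _ = read_tlv(app_body, 0)
    fields = tagged_fields(seq_body)
    realm = fields[1][1].decode("ascii")
    service = [v.decode("ascii") for _, v in children(tagged_fields(fields[2][1])[1][1])]
    enc = tagged_fields(fields[3][1])
    cipher = enc[2][1]
    return {
        "realm": realm,
        "service": service,
        "etype": int.from_bytes(enc[0][1], "big", signed=True),
        "cipher_len": len(cipher),
        # EncTicketPart -> AuthorizationData -> PAC all live inside `cipher`;
        # the parse stops here because only the service key can open it.
        "authorization_data_visible": False,
        "ticket_len": len(der),
    }

def example_ticket() -> bytes:
    # Constructed opaque blob (1792 bytes) standing in for a PAC-bearing
    # EncTicketPart that is large because the account is in many groups.
    fake_cipher = bytes(range(256)) * 7
    return build_ticket("EXAMPLE.COM", ["host", "fileserver.example.com"], fake_cipher)

if __name__ == "__main__":
    print(describe_ticket(example_ticket()))
```

Everything the walker recovers (realm, service principal, etype, cipher length) is in cleartext ASN.1; the group list that makes AD tickets grow is entirely inside `cipher`, so a trace can only tell you how large the encrypted part is, which is exactly the part that pushes the UDP datagram past the path MTU.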