Re: AD integration (ticket size) question

Eichhorn, Thomas Thomas.Eichhorn at klinikum-nuernberg.de
Wed Nov 16 04:12:20 EST 2016


Hi,

With Domain functional level "Windows Server 2012" comes a new Group Policy to set a maximum for the Kerberos SSPI context token buffer size.

https://technet.microsoft.com/en-us/library/understanding-active-directory-functional-levels(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/hh831747.aspx  (Search for "Group Policy to set a maximum for the Kerberos SSPI context token buffer size")

Maybe this setting could fix your problem.

Best regards,
Thomas

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On behalf of Jerry Shipman
Sent: Tuesday, 15 November 2016 20:04
To: kerberos at mit.edu
Subject: AD integration (ticket size) question

Hello,

This is probably not a great question for this list -- I apologize. But, I figured you all would have a better idea than I do.

We have cross-realm authentication with an Active Directory installation. We run into occasional issues with the AD Kerberos tickets being too large to fit into application buffers, etc. -- I guess because of all the group information in the PAC (i.e. users who are in a lot of AD groups have larger tickets).

On my side of the integration, we're never using that PAC information anyway. Is there a way that I can get rid of that information, either on the KDC side or on the client side?
I am thinking things like:
1. maybe there is a way in the kerberos client code to make the request to AD, to ask it not to put that stuff in there, and give a smaller ticket?
2. or maybe there is a configuration option on the MIT KDC, that will strip that information out while it's building the tickets for the MIT realm? (I'm not sure if this is technically possible.)
3. or maybe there is a configuration option on AD to tell it to filter out that information when it is issuing cross-realm tickets just to that one (MIT) realm?
Or something I didn't think of.

I don't know if I would be able to implement any of those, even if they are possible... but I am curious about whether there are any options.

Thanks a lot,
Jerry Shipman



________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________


Klinikum Nürnberg, registered office: Nürnberg, Nürnberg District Court (registry court) HRA 14190, Management Board: Dr. Alfred Estelmann
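Jerry's problem (PAC-bloated tickets overflowing application buffers) and Thomas's suggested fix (the Group Policy that sets the Kerberos SSPI context token buffer size, i.e. MaxTokenSize) both come down to one question: how large is a given user's token, and does it fit the configured buffer? The following Python script is an added example, not code from this thread or from MIT Kerberos or Microsoft. It applies the sizing rule of thumb from Microsoft KB 327825 (TokenSize = 1200 + 40d + 8s), which is assumed here to still approximate the PAC-driven ticket size, and the MaxTokenSize defaults Microsoft documented (12000 bytes before Windows Server 2012, 48000 from 2012 on, 65535 ceiling). All user profiles are constructed samples, and `GroupProfile`, `check_token_fits` and `max_sid_entries` are names chosen for this example.

```python
"""Kerberos token-size sizing check for users with many AD group memberships.

Added example; not code from the mailing-list thread, MIT Kerberos or Microsoft.
The formula TokenSize = 1200 + 40d + 8s is the rule of thumb from Microsoft
KB 327825 and is assumed here to still approximate the PAC-driven ticket size;
the default MaxTokenSize values are those documented for the respective
Windows versions. All user profiles below are constructed samples.
"""
from dataclasses import dataclass

BASE_OVERHEAD = 1200          # fixed ticket + PAC overhead (bytes)
BYTES_PER_SID_ENTRY = 40      # domain-local / foreign-universal groups and SID history: full SID each
BYTES_PER_RID_ENTRY = 8       # global / universal groups in the account domain: RID only

# MaxTokenSize lives under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters;
# the Group Policy named in the reply above writes that value.
MAX_TOKEN_SIZE_PRE_2012 = 12000   # Windows Server 2008 R2 / Windows 7 and earlier
MAX_TOKEN_SIZE_2012 = 48000       # Windows Server 2012 / Windows 8 and later
MAX_TOKEN_SIZE_CEILING = 65535    # largest value the Kerberos SSPI accepts


@dataclass(frozen=True)
class GroupProfile:
    """Group membership counts for one account (constructed sample data)."""
    user: str
    sid_entries: int      # d: domain-local groups + universal groups outside the account domain
    rid_entries: int      # s: global groups + universal groups inside the account domain
    sid_history: int = 0  # SIDs carried over from migrated accounts, also 40 bytes each


def estimate_token_size(profile: GroupProfile) -> int:
    """KB 327825 estimate of the access-token / PAC size in bytes."""
    d = profile.sid_entries + profile.sid_history
    s = profile.rid_entries
    return BASE_OVERHEAD + BYTES_PER_SID_ENTRY * d + BYTES_PER_RID_ENTRY * s


def check_token_fits(profile: GroupProfile, max_token_size: int = MAX_TOKEN_SIZE_2012) -> dict:
    """Report whether the estimated token fits the configured MaxTokenSize buffer."""
    if not 0 < max_token_size <= MAX_TOKEN_SIZE_CEILING:
        raise ValueError(f"MaxTokenSize must be in 1..{MAX_TOKEN_SIZE_CEILING}")
    size = estimate_token_size(profile)
    return {
        "user": profile.user,
        "estimated_bytes": size,
        "max_token_size": max_token_size,
        "fits": size <= max_token_size,
        "headroom_bytes": max_token_size - size,
    }


def max_sid_entries(max_token_size: int, rid_entries: int) -> int:
    """Largest d (domain-local-style memberships) that still fits for a given s."""
    remaining = max_token_size - BASE_OVERHEAD - BYTES_PER_RID_ENTRY * rid_entries
    return max(0, remaining // BYTES_PER_SID_ENTRY)


def find_oversized(profiles, max_token_size: int = MAX_TOKEN_SIZE_2012) -> list:
    """Names of accounts whose estimated token exceeds the buffer (candidates for cleanup)."""
    return [p.user for p in profiles if not check_token_fits(p, max_token_size)["fits"]]


if __name__ == "__main__":
    SAMPLE_USERS = [  # constructed, not real accounts
        GroupProfile("alice", sid_entries=20, rid_entries=15),
        GroupProfile("bob", sid_entries=300, rid_entries=200, sid_history=5),
        GroupProfile("carol", sid_entries=1200, rid_entries=100),
    ]
    for size_limit in (MAX_TOKEN_SIZE_PRE_2012, MAX_TOKEN_SIZE_2012):
        print(f"MaxTokenSize={size_limit}: oversized={find_oversized(SAMPLE_USERS, size_limit)}")
    print("Domain-local memberships that fit at 48000 with s=200:",
          max_sid_entries(MAX_TOKEN_SIZE_2012, 200))
```

Running the script lists which sample accounts overflow a 12000-byte buffer (bob and carol) versus a 48000-byte one (only carol), which is the kind of inventory to run over real group counts before raising MaxTokenSize or trimming memberships. Raising the Kerberos buffer alone is not always enough: when the "application buffer" is an HTTP front end such as IIS, the base64-encoded ticket in the Authorization header (roughly 4/3 of the token size) must also fit that server's own header limits (for HTTP.sys, MaxFieldLength and MaxRequestBytes), so check both sides.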


