message size incompatible with type error for krb5-1.9 lib using Windows 2003 KDC

Greg Hudson ghudson at MIT.EDU
Wed Feb 16 11:37:55 EST 2011

On Wed, 2011-02-16 at 10:16 -0500, Elzey, Blaine A (Blaine) wrote:
> "Message size is incompatible with encryption type" minor error is returned during gss_accept_sec_context.  Previous error was "Encryption type not permitted" which was fixed by adding allow_weak_crypto = true to server's krb5.conf.  This scenario is using SPNEGO.  Any ideas what might be the problem, or a good place to look?
> Server (DNS) Solaris 10 with krb5-1.9 libraries
> KDC: Windows 2003 SP2 (32-bit)
> Client: binary on KDC (Windows SSPI) or statically linked krb5-1.1.1 binary on Server

I think this is a variation on:

although without the cross-realm.  The code fix in the second message
should be applicable, if you're in a position to recompile.

People who are more familiar with AD: is there a way to flag a service
principal as not needing a PAC in its service tickets, as a workaround
for this kind of problem?

More information about the krbdev mailing list