message size incompatible with type error for krb5-1.9 lib using Windows 2003 KDC
Greg Hudson
ghudson at MIT.EDU
Wed Feb 16 11:37:55 EST 2011
On Wed, 2011-02-16 at 10:16 -0500, Elzey, Blaine A (Blaine) wrote:
> "Message size is incompatible with encryption type" minor error is returned during gss_accept_sec_context. Previous error was "Encryption type not permitted" which was fixed by adding allow_weak_crypto = true to server's krb5.conf. This scenario is using SPNEGO. Any ideas what might be the problem, or a good place to look?
>
> Server (DNS) Solaris 10 with krb5-1.9 libraries
> KDC: Windows 2003 SP2 (32-bit)
> Client: binary on KDC (Windows SSPI) or statically linked krb5-1.1.1 binary on Server
I think this is a variation on:
http://mailman.mit.edu/pipermail/kerberos/2011-February/017033.html
http://mailman.mit.edu/pipermail/kerberos/2011-February/017035.html
although without the cross-realm. The code fix in the second message
should be applicable, if you're in a position to recompile.
People who are more familiar with AD: is there a way to flag a service
principal as not needing a PAC in its service tickets, as a workaround
for this kind of problem?
More information about the krbdev
mailing list