Kerberos Error KRB5KRB_ERR_RESPONSE_TOO_BIG in packet capture

 

Information

 

Summary:

How to get past Kerberos Error KRB5KRB_ERR_RESPONSE_TOO_BIG in packet capture.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

Kerberos authentication is not working, and a packet capture shows the error KRB5KRB_ERR_RESPONSE_TOO_BIG.

Steps to Reproduce:  
Error Message: KRB5KRB_ERR_RESPONSE_TOO_BIG
Defect Number:  
Enhancement Number:  
Cause: There is a maximum UDP packet size for TGS_REP and Authentication Service Reply (AS_REP) messages. If a reply exceeds this value, the KDC returns a "KRB_ERR_RESPONSE_TOO_BIG" message, which requests that the client switch to TCP.
Resolution: You can set MaxPacketSize to 1 to force clients to send Kerberos traffic over TCP. To do this, follow these steps:
  1. Start Registry Editor.
  2. Locate and then click the registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
    Note: If the Parameters key does not exist, create it now.
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type MaxPacketSize, and then press ENTER.
  5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
  6. Quit Registry Editor.
  7. Restart your computer.
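
The same change as the Registry Editor steps above, written as a PowerShell function so it can be applied consistently and the previous value recorded. This is an added example, not code from Kemp or Microsoft; the function name Set-KerberosMaxPacketSize is hypothetical, and the script assumes it is run in an elevated session on the machine being changed.

```powershell
# Added example: scripted equivalent of Registry Editor steps 1-7 above.
# Set-KerberosMaxPacketSize is a hypothetical helper name, not a built-in cmdlet.
function Set-KerberosMaxPacketSize {
    param(
        [string]$Path  = 'HKLM:\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters',
        [string]$Name  = 'MaxPacketSize',
        [int]   $Value = 1
    )

    # Writing under HKLM requires an elevated session.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Step 2 note: create the Parameters key only if it is missing.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Record any existing value so the change can be rolled back later.
    $previous = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    # Steps 3-5: create (or overwrite) the DWORD value.
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null

    # Read the value back and confirm both its data and its type.
    $key = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Previous = $previous
        Current  = $key.GetValue($Name)
        Kind     = $key.GetValueKind($Name)
    }
}

Set-KerberosMaxPacketSize
Write-Host 'MaxPacketSize written. Restart the computer (step 7) to complete the procedure.'
```

The returned object should show Current as 1 and Kind as DWord; a different Kind means an older value of another type was present and has now been replaced.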
Workaround:  
Notes: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/force-kerberos-use-tcp-instead-udp
