Kerberos Error KRB5KRB_ERR_RESPONSE_TOO_BIG in packet capture

 

Information

 

Summary:

How to get past Kerberos Error KRB5KRB_ERR_RESPONSE_TOO_BIG in packet capture.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

Kerberos authentication is not working, and the error shown in a packet capture is KRB5KRB_ERR_RESPONSE_TOO_BIG.

Steps to Reproduce:  
Error Message: KRB5KRB_ERR_RESPONSE_TOO_BIG
Defect Number:  
Enhancement Number:  
Cause: Kerberos TGS_REP and Authentication Service reply (AS_REP) messages sent over UDP have a maximum packet size. If a reply exceeds this value, the KDC returns a "KRB_ERR_RESPONSE_TOO_BIG" message, which requests that the client switch to TCP.
Resolution: Set MaxPacketSize to 1 to force the clients to send Kerberos traffic over TCP. To do this, follow these steps:
  • Start Registry Editor.
  • Locate and then click the registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
    Note: If the Parameters key does not exist, create it now.
  • On the Edit menu, point to New, and then click DWORD Value.
  • Type MaxPacketSize, and then press ENTER.
  • Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
  • Quit Registry Editor.
  • Restart your computer.
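
The same registry change as a PowerShell script, for repeatable deployment instead of manual edits in Registry Editor. This is an added example, not a Kemp or Microsoft script; the parameter name `$DesiredValue`, the helper `Get-MaxPacketSize` and the output wording are assumptions. Save it as a .ps1 file and run it from an elevated session.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical parameter name; 1 is the value the article prescribes.
    [int]$DesiredValue = 1
)

$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$name = 'MaxPacketSize'

function Get-MaxPacketSize {
    # Returns the current DWORD, or $null when the key or value is absent.
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    (Get-ItemProperty -LiteralPath $path -Name $name -ErrorAction SilentlyContinue).$name
}

# Record the starting state so the change is auditable.
$before = Get-MaxPacketSize
if ($before -eq $DesiredValue) {
    Write-Output "$name is already $DesiredValue; no change made."
    return
}

# Create the Parameters key if it does not exist (the article's Note).
if (-not (Test-Path -LiteralPath $path)) {
    New-Item -Path $path -Force | Out-Null
}

# Create or overwrite the DWORD value; -Force replaces an existing value.
New-ItemProperty -LiteralPath $path -Name $name -PropertyType DWord `
    -Value $DesiredValue -Force | Out-Null

# Read the value back rather than trusting the write.
$after = Get-MaxPacketSize
$shown = if ($null -eq $before) { '(not set)' } else { $before }
if ($after -eq $DesiredValue) {
    Write-Output "$name changed from $shown to $after. Restart the computer to apply."
} else {
    Write-Warning "$name is still $shown; nothing was written (for example, -WhatIf was used)."
}
```

Running the script with `-WhatIf` previews the key and value that would be created without writing anything.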
Workaround:  
Notes: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/force-kerberos-use-tcp-instead-udp
