If anyone is still interested in this... I did some testing in a lab environment with 2008R2 machines that do NOT have the MaxPacketSize registry value. Here are the results:

- With both DC and member server, with no MaxPacketSize registry value, all Kerberos 88 traffic is over TCP, not UDP.
- With the MaxPacketSize registry value on the member server set to 20000, I see packets coming in to the domain controller, but the DC responds with KRB_ERROR_RESPONSE_TOO_BIG and the handshake switches over to TCP.
- With the MaxPacketSize registry value on both servers set to 20000, I see packets coming in to the domain controller, but the DC responds with KRB_ERROR_RESPONSE_TOO_BIG and the handshake switches over to TCP.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian Desmond
Sent: Sunday, November 13, 2016 12:18 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

I just looked and I can confirm that the client side default is 0 bytes on a Win7+ client for the max packet size to fallback to TCP. The server side default is still 1465 bytes as shown in the screenshot below.

Thanks,
Brian Desmond
w – 312.625.1438 | c – 312.731.3132

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Christopher Bodnar
Sent: Thursday, November 10, 2016 1:40 PM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

OK, based on this, I think he is correct: I've been running a WireShark trace on a few DCs today (2008 domains and 2012 domains), and not seeing any UDP 88 traffic. I did find this:

https://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx

So basically since Vista, and 2008, if a Kerberos packet is over 1 byte (which will be everything) it will send it as TCP instead of UDP, since this registry key now is part of the operating system.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Kurt Buff
Sent: Thursday, November 10, 2016 12:53 PM
To: ntsysadm <ntsysadm@lists.myitforum.com>
Subject: Re: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

I'd ask that colleague where he got the idea. I'm not seeing any documentation on this either. But, I did see this, which is interesting, even if unrelated:

http://blogs.msmvps.com/acefekay/2016/11/01/active-directory-flexible-authentication-secure-tunneling-fast/

Kurt

On Thu, Nov 10, 2016 at 6:29 AM, Christopher Bodnar <christopher_bod...@glic.com> wrote:

A colleague told me that these operating systems no longer use UDP 88 for Kerberos, that they only use TCP. Is that correct? If so, can someone point me to an MS document that discusses this? I've looked and haven't been able to find anything. I am aware that you can force Kerberos to use TCP:

https://support.microsoft.com/en-us/kb/244474

But that isn't what he is talking about.

Thanks
Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
christopher_bod...@glic.com
The Guardian Life Insurance Company of America
www.guardianlife.com

________________________________
-----------------------------------------
This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you.
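An added audit helper, not posted by anyone in this thread, that reads the MaxPacketSize value KB 244474 documents under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters and interprets it using the client default of 0 and the KRB_ERR_RESPONSE_TOO_BIG fallback reported above. The function name Get-KerberosUdpPolicy and the host names DC01 and MEMBER01 are made up, and it assumes WinRM remoting is available to the target hosts.

```powershell
# Added example (not from the thread): report whether a host will ever send
# Kerberos over UDP 88, based on the MaxPacketSize value and the defaults
# reported in the thread. Assumes WinRM remoting to each target.
function Get-KerberosUdpPolicy {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($computer in $ComputerName) {
            $raw = Invoke-Command -ComputerName $computer -ScriptBlock {
                # Registry location documented in KB 244474
                $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
                $value = (Get-ItemProperty -Path $key -Name MaxPacketSize `
                              -ErrorAction SilentlyContinue).MaxPacketSize
                # Win32_ComputerSystem.DomainRole 4 or 5 = domain controller
                $role = (Get-CimInstance Win32_ComputerSystem).DomainRole
                [pscustomobject]@{ MaxPacketSize = $value; IsDC = ($role -ge 4) }
            }

            # No value present: the thread reports a client-side default of 0 on
            # Win7+, and the lab above saw only TCP on hosts without the value.
            $effective = if ($null -ne $raw.MaxPacketSize) { [int]$raw.MaxPacketSize } else { 0 }

            $behaviour = if ($effective -eq 0) {
                'TCP only: no UDP 88 traffic expected from this host'
            } else {
                # Lab result above: with 20000 set, UDP is tried first and the DC
                # answers KRB_ERR_RESPONSE_TOO_BIG, after which the client retries over TCP
                "UDP attempted for requests up to $effective bytes; larger ones, or any " +
                "the KDC rejects with KRB_ERR_RESPONSE_TOO_BIG, are retried over TCP"
            }

            [pscustomobject]@{
                ComputerName  = $computer
                IsDC          = $raw.IsDC
                ValueSet      = ($null -ne $raw.MaxPacketSize)
                EffectiveSize = $effective
                Behaviour     = $behaviour
            }
        }
    }
}

# Usage: audit the local machine plus two constructed host names
Get-KerberosUdpPolicy -ComputerName $env:COMPUTERNAME, 'DC01', 'MEMBER01' | Format-Table -AutoSize
```

A host reporting "TCP only" that still shows UDP 88 in a Wireshark trace is worth a second look, since the value may have been set by a non-Windows client or a GPO preference that this check does not see.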