Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:
Hello, I am trying to connect to an AD 2003 server, and am encountering the
following error
com.ibm.security.jgss.i18n.exception.KRBResponseTooBigError
After doing some research, I have found this is related to a problem which
occurs when a UDP packet is too large. UDP seems to be the only connection
protocol supported in IBM's implementation of the Kerberos/JAAS
authentication schemes, could you please verify this information? It would
be very helpful if there were a way to connect to an AD controller via TCP.
I have already tried adding the line udp_preference_limit = 1 to my
krb5.conf file, and it seems to be ignored by the IBM implementation. I
would use the Sun implementation which does now support TCP, but that
solution is also equally filled with problems for me as it does not support
the RC4/HMAC encryption scheme that my current situation is forcing me to
use. Thanks in advance for any help you can provide.
Another option: If the failure is in trying to get a service ticket and the service does not need the PAC (authorizaiton data added to a ticket that is used only by MS applications) then you could mark the service principal so that a PAC is not added to the ticket, and thus the ticket will be small and work with UDP.
See http://support.microsoft.com/?kbid=832572
But the Java should support TCP. The IETF IESG approved on Friday the replacement for RFC-1510. It is awaiting an RFC number. draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is required.
Daniel E. Pittman, Jr
96 CG/SCTOA
Phone: (850) 882-5498
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <[EMAIL PROTECTED]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
