I just looked and I can confirm that the client side default is 0 bytes on a 
Win7+ client for the max packet size to fall back to TCP. The server side 
default is still 1465 bytes as shown in the screenshot below.

Thanks,
Brian Desmond

w – 312.625.1438 | c – 312.731.3132

From: [email protected] [mailto:[email protected]] On 
Behalf Of Christopher Bodnar
Sent: Thursday, November 10, 2016 1:40 PM
To: [email protected]
Subject: RE: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

OK, based on this, I think he is correct:

I’ve been running a Wireshark trace on a few DCs today (2008 domains and 2012 
domains), and not seeing any UDP 88 traffic. I did find this:

https://technet.microsoft.com/en-us/library/cc738673(v=ws.10).aspx

So basically since Vista, and 2008, if a Kerberos packet is over 1 byte (which 
will be everything) it will send it as TCP instead of UDP, since this registry 
key now is part of the operating system.



From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Thursday, November 10, 2016 12:53 PM
To: ntsysadm <[email protected]>
Subject: Re: [NTSysADM] Kerberos over UDP on Windows 10 and Server 2012 R2

I'd ask that colleague where he got the idea. I'm not seeing any documentation 
on this either.
But, I did see this, which is interesting, even if unrelated:
http://blogs.msmvps.com/acefekay/2016/11/01/active-directory-flexible-authentication-secure-tunneling-fast/
Kurt

On Thu, Nov 10, 2016 at 6:29 AM, Christopher Bodnar <[email protected]> wrote:
A colleague told me that these operating systems no longer use UDP 88 for 
Kerberos, that they only use TCP. Is that correct? If so, can someone point me 
to an MS document that discusses this? I’ve looked and haven’t been able to 
find anything.  I am aware that you can force Kerberos to use TCP:


https://support.microsoft.com/en-us/kb/244474

But that isn’t what he is talking about.

Thanks


Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]



The Guardian Life Insurance Company of America

www.guardianlife.com



________________________________
----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.
