Authentication Using UDP Causes Errors

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Packets sent along the network by using the User Datagram Protocol (UDP) sometimes get lost or fragmented on the way to their destination.

Cause

Kerberos authentication over UDP can also produce the "KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP, retry with TCP" error.

This error means that the ticket is too large to be transmitted reliably over UDP. In a Windows environment, the message is purely informational: a computer running a Windows operating system automatically retries over TCP if UDP fails.

Solution

If this error occurs in a mixed operating systems environment, consult your vendor-specific documentation to upgrade the UNIX KDCs to the latest MIT distribution of the Kerberos protocol, which supports TCP connections if UDP fails.

For information about forcing Kerberos to use TCP, see How to Force Kerberos to Use TCP Instead of UDP on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=23043).

Cause

By default, Kerberos authentication uses UDP to transmit its data. UDP provides no guarantee that a packet sent along the network will reach its destination intact. Thus, in environments with heavy network congestion it is common for packets to get lost or fragmented on the way to their destination.

If you see the "0x7 - KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database" error message even though the Service Principal Name (SPN) is set, or if the request for an initial TGT failed (requesting a TGT does not require any SPNs to be set manually), UDP fragmentation might be causing the failure.

If you see the "0x28 - KRB_AP_ERR_MSG_TYPE: Invalid msg type" error message, then UDP is being attempted with the User-to-User protocol. User-to-User is an extension of Kerberos authentication that enables secure servers to be run on personal computers.

Solution

Because the only way to decrease the likelihood of UDP fragmentation is to reduce network traffic, which is usually impractical, it is almost always better to configure the Kerberos authentication service to use TCP instead of UDP. TCP guarantees that a packet that is sent will reach its destination intact and can therefore be used in any network environment.

To support the User-to-User extension to the Kerberos protocol, you must force Kerberos authentication to use TCP.

For information about forcing Kerberos to use TCP, see How to Force Kerberos to Use TCP Instead of UDP on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=23043).
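As an added example (not part of this article), the following PowerShell reports whether a Windows computer is already configured to force Kerberos over TCP and, on request, applies the setting. It assumes the MaxPacketSize registry value under the Kerberos Parameters key, which the linked Microsoft article describes but this page does not reproduce, and it must be run elevated to make the change.

```powershell
# Added example: inspect and optionally set the registry value that forces
# Windows Kerberos to use TCP instead of UDP.
# Assumption: the key path and MaxPacketSize value name are the ones documented
# in the Microsoft article this page links to; they are not stated on the page.
$KerberosKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosTransportSetting {
    # Returns the current MaxPacketSize value and whether it forces TCP.
    $value = $null
    if (Test-Path $KerberosKey) {
        $props = Get-ItemProperty -Path $KerberosKey -Name MaxPacketSize -ErrorAction SilentlyContinue
        if ($props) { $value = $props.MaxPacketSize }
    }
    [pscustomobject]@{
        Path          = $KerberosKey
        MaxPacketSize = $value
        # A value of 1 makes every Kerberos message exceed the UDP threshold, so TCP is used.
        ForcesTcp     = ($value -eq 1)
    }
}

function Set-KerberosForceTcp {
    # Sets MaxPacketSize = 1; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $KerberosKey)) {
        New-Item -Path $KerberosKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($KerberosKey, 'Set MaxPacketSize = 1 (force Kerberos over TCP)')) {
        Set-ItemProperty -Path $KerberosKey -Name MaxPacketSize -Value 1 -Type DWord
        Write-Output 'MaxPacketSize set to 1. Restart the computer so the Kerberos client picks up the change.'
    }
}

# Usage:
#   Get-KerberosTransportSetting     # report the current state
#   Set-KerberosForceTcp -WhatIf     # preview the change
#   Set-KerberosForceTcp             # apply the change (run from an elevated prompt)
```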