Colleagues,

Quoting from http://support.microsoft.com/kb/244474/

> By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.

Quoting from http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx

> A common problem is that routers will arbitrarily fragment UDP packets; when this happens the Kerberos ticket request packets are discarded by the KDC.

Please tell me, how on earth does the KDC know that the packet has been fragmented? Packets are fragmented and reassembled at the network (IP) level; the fragmentation process should be opaque to UDP and to the application, shouldn't it? I assume the KDC just receives data from the socket, no matter whether the datagram was bigger than the MTU. Is that correct?

TIA.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/4...@fidonet http://vas.tomsk.ru/
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
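The question above turns on where fragmentation is handled and what the KDC actually observes. The following toy model is an added illustration, not code from the original post, from Microsoft, or from any Kerberos implementation: it models IPv4 fragmentation and reassembly for a UDP request and shows two things a defender wants to verify. First, reordering alone is harmless, because the receiver's IP layer reassembles by fragment offset before anything reaches the KDC's socket. Second, if a single fragment is filtered or lost on the path, the whole datagram is discarded and the KDC receives nothing at all, so from the KDC's point of view the request simply never arrived. The request sizes, the identification value, the sizing rule tying request size to PAC group count, and the "drop one fragment" path model are all constructed assumptions.

```python
"""Added illustration (not from the original post or from Microsoft): a toy
model of IPv4 fragmentation showing why a large UDP Kerberos request can
vanish before the KDC's socket ever sees it.

Fragmentation and reassembly live in the IP layer. The receiver buffers
fragments by (source, destination, protocol, identification) and hands the
datagram to UDP only when every byte is present; arrival order is irrelevant.
If one fragment is lost or filtered on the path, the partial buffer is
discarded after a reassembly timeout and the application receives nothing.
All sizes and field values below are constructed, not measured.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

IP_HEADER_LEN = 20  # minimal IPv4 header, no options


@dataclass(frozen=True)
class Fragment:
    ident: int      # IPv4 Identification field, shared by all pieces
    offset: int     # Fragment Offset, in 8-byte units
    more: bool      # MF (More Fragments) flag
    payload: bytes


def make_request(group_count: int) -> bytes:
    """Constructed stand-in for a Kerberos request whose size grows with the
    number of group SIDs carried in the PAC (as the quoted KB text describes)."""
    size = 1200 + 40 * group_count                 # constructed sizing rule
    return bytes((i * 7 + 3) % 256 for i in range(size))


def fragment(ident: int, datagram: bytes, mtu: int) -> list[Fragment]:
    """Sender/router side: split an IP payload (UDP header + data) so each piece
    fits the MTU. Every fragment but the last carries a multiple of 8 bytes."""
    max_payload = (mtu - IP_HEADER_LEN) // 8 * 8
    if max_payload <= 0:
        raise ValueError("MTU too small for an IPv4 header")
    frags = []
    for start in range(0, len(datagram), max_payload):
        chunk = datagram[start:start + max_payload]
        more = start + len(chunk) < len(datagram)
        frags.append(Fragment(ident, start // 8, more, chunk))
    return frags


def reassemble(frags: list[Fragment]) -> bytes | None:
    """Receiver's IP layer. Returns the complete datagram, or None when any byte
    is missing (a real stack drops the partial buffer after a timeout)."""
    finals = [f for f in frags if not f.more]
    if len(finals) != 1:
        return None                      # no last fragment (or a duplicate one)
    total = finals[0].offset * 8 + len(finals[0].payload)
    buf = bytearray(total)
    seen = bytearray(total)              # 1 where a byte has arrived
    for f in frags:
        start = f.offset * 8
        end = start + len(f.payload)
        if end > total:
            return None                  # fragment runs past the declared end
        buf[start:end] = f.payload
        seen[start:end] = b"\x01" * len(f.payload)
    if 0 in seen:
        return None                      # a hole: some fragment never arrived
    return bytes(buf)


def deliver(frags: list[Fragment], drop_index: int | None = None) -> list[Fragment]:
    """Constructed model of the path to the KDC: fragments may be reordered,
    and a filter may silently drop one of them."""
    path = list(frags)
    if drop_index is not None:
        del path[drop_index]
    random.Random(1).shuffle(path)       # deterministic reordering
    return path


def kdc_receives(datagram: bytes, mtu: int, drop_index: int | None = None) -> bool:
    """True when the KDC's UDP socket would be handed the intact request."""
    frags = fragment(0x4242, datagram, mtu)          # constructed IP ident
    return reassemble(deliver(frags, drop_index)) == datagram


def fragment_count(datagram: bytes, mtu: int) -> int:
    return len(fragment(0x4242, datagram, mtu))


if __name__ == "__main__":
    for name, req in (("small", make_request(5)), ("large", make_request(50))):
        n = fragment_count(req, 1500)
        print(f"{name} request: {len(req)} bytes -> {n} fragment(s) at MTU 1500")
        print("  reordered only:        ", "delivered" if kdc_receives(req, 1500) else "lost")
        if n > 1:
            print("  one fragment filtered: ", "delivered" if kdc_receives(req, 1500, 1) else "lost")
```

Running the script shows the small request arriving in one piece, the large one surviving reordering, and the large one being lost outright when any one of its fragments is filtered. The practical consequence for troubleshooting is that a KDC-side capture of a "discarded" request usually shows no request at all; the drop happens in the network before reassembly completes, which is why carrying Kerberos over TCP (which segments to the path MSS instead of relying on IP fragmentation) sidesteps the problem.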
