On 8/2/2010 1:42 AM, Victor Sudakov wrote:
> Colleagues,
>
> Quoting from http://support.microsoft.com/kb/244474/
>
> By default, Kerberos uses connectionless UDP datagram packets. Depending on a variety of factors including security identifier (SID) history and group membership, some accounts will have larger Kerberos authentication packet sizes. Depending on the virtual private network (VPN) hardware configuration, these larger packets have to be fragmented when going through a VPN. The problem is caused by fragmentation of these large UDP Kerberos packets. Because UDP is a connectionless protocol, fragmented UDP packets will be dropped if they arrive at the destination out of order.
>

Any VPN that cannot handle UDP fragmentation is broken. Get one that works. Routers need to fragment packets as necessary, but that should be transparent to the higher layers.

Danny

> Quoting from http://blogs.technet.com/b/askds/archive/2008/03/06/kerberos-for-the-busy-admin.aspx
>
> A common problem is that routers will arbitrarily fragment UDP packets; when this happens the Kerberos ticket request packets are discarded by the KDC.
>
> Please tell me how on earth the KDC knows that the packet has been fragmented. Packets are fragmented and reassembled on the network level (IP level); the fragmentation process should be opaque to UDP and the application, shouldn't it?
>
> I assume the KDC should just receive data from the socket, no matter if the datagram was bigger than the MTU. Is that correct?
>
> TIA.
>
________________________________________________
Kerberos mailing list
https://mailman.mit.edu/mailman/listinfo/kerberos
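Editor's added example, not code from either poster, from Microsoft or from MIT krb5. The thread's underlying point is correct: IP fragments are reassembled by the receiving host's IP stack, so a KDC never sees a fragment; if one fragment is dropped in transit, reassembly times out and the datagram is simply never delivered to the socket. The practical defence that Kerberos itself provides (RFC 4120 section 7.2.1) is to keep large messages off UDP: the KDC answers an oversized UDP exchange with KRB_ERR_RESPONSE_TOO_BIG (error code 52) and the client retries over TCP, which carries each message with a 4-byte big-endian length prefix. The script below models both sides of that exchange on loopback. The request and reply bodies, the loopback ports and the one-byte error encoding are constructed stand-ins (a real KDC sends ASN.1 KRB-ERROR and AS-REP/TGS-REP messages); the 1465-byte threshold is the MIT krb5 default `udp_preference_limit`.

```python
"""Kerberos UDP-to-TCP fallback, modelled on RFC 4120 section 7.2.1.

Added example for this thread, not code from the list posters or MIT krb5.
Bodies, ports and the one-byte error encoding are constructed stand-ins.
"""
import select
import socket
import struct
import threading

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 error code meaning "retry over TCP"
UDP_LIMIT = 1465                # MIT krb5 default udp_preference_limit, bytes


def recv_exact(conn, n):
    """Read exactly n bytes from a TCP connection (TCP is a byte stream)."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before %d bytes arrived" % n)
        buf += chunk
    return buf


def kdc_serve_once(udp_sock, tcp_sock, reply):
    """Toy KDC: answers one client, returns the list of transports it used.

    A reply larger than UDP_LIMIT is never sent as a datagram: that would
    hand IP a packet that routers or a VPN must fragment, and one lost
    fragment means the whole datagram never reaches the client's socket.
    The KDC instead returns KRB_ERR_RESPONSE_TOO_BIG and waits on TCP.
    """
    used = []
    while True:
        ready, _, _ = select.select([udp_sock, tcp_sock], [], [], 5)
        if not ready:
            raise TimeoutError("no client request arrived")
        for s in ready:
            if s is udp_sock:
                _request, peer = udp_sock.recvfrom(65535)
                if len(reply) > UDP_LIMIT:
                    # Constructed encoding: a single error-code byte.
                    udp_sock.sendto(bytes([KRB_ERR_RESPONSE_TOO_BIG]), peer)
                    used.append("udp:too-big")
                else:
                    udp_sock.sendto(reply, peer)
                    used.append("udp")
                    return used
            else:
                conn, _ = tcp_sock.accept()
                with conn:
                    # RFC 4120 TCP framing: 4-byte big-endian length prefix.
                    (n,) = struct.unpack("!I", recv_exact(conn, 4))
                    recv_exact(conn, n)
                    conn.sendall(struct.pack("!I", len(reply)) + reply)
                used.append("tcp")
                return used


def tcp_exchange(request, addr):
    """Send one length-prefixed request over TCP and read the reply."""
    with socket.create_connection(addr, timeout=5) as conn:
        conn.sendall(struct.pack("!I", len(request)) + request)
        (n,) = struct.unpack("!I", recv_exact(conn, 4))
        return recv_exact(conn, n)


def client_request(request, udp_addr, tcp_addr):
    """Toy client: UDP first, TCP after RESPONSE_TOO_BIG. Returns (transport, reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.settimeout(5)
        u.sendto(request, udp_addr)
        data, _ = u.recvfrom(65535)
    if data == bytes([KRB_ERR_RESPONSE_TOO_BIG]):
        return "tcp", tcp_exchange(request, tcp_addr)
    return "udp", data


def run_exchange(reply_size, request=b"AS-REQ (constructed stand-in)"):
    """Run client and toy KDC on loopback; returns (transport, kdc_log, reply_len)."""
    reply = b"T" * reply_size      # constructed stand-in for an AS-REP with a PAC
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with udp, tcp:
        udp.bind(("127.0.0.1", 0))
        tcp.bind(("127.0.0.1", 0))
        tcp.listen(1)
        log = []
        kdc = threading.Thread(target=lambda: log.extend(kdc_serve_once(udp, tcp, reply)))
        kdc.start()
        transport, got = client_request(request, udp.getsockname(), tcp.getsockname())
        kdc.join()
    if got != reply:
        raise ValueError("reply corrupted in transit")
    return transport, log, len(got)


if __name__ == "__main__":
    print(run_exchange(800))     # small ticket: fits one datagram, stays on UDP
    print(run_exchange(4000))    # PAC-bloated ticket: UDP refused, TCP used
```

The same effect is what the two cited fixes configure on real systems: on MIT krb5 clients, `udp_preference_limit` in the `[libdefaults]` section of krb5.conf (set to 1 to always try TCP first), and on Windows, KB 244474's `MaxPacketSize` DWORD set to 1 under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`, which forces the client onto TCP so that no Kerberos datagram ever needs to be fragmented by a router or VPN.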
