This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

anyone ever have this error on wireshark ? KRB Error : KRB5KRB_ERR_RESPONSE_TOO_BIG

I get this error when I run a SPAN session to port that has attached a Scanner which authenticate to a DC and somebody tries to authenticate and they receive a Authentication Error and I get this throug wireshark via SPAN.

asked 25 Nov '15, 15:31

rloyd808's gravatar image

rloyd808
6112
accept rate: 0%

edited 20 Jul '16, 15:46

cmaynard's gravatar image

cmaynard ♦♦
9.3k1038142


KRB5KRB_ERR_RESPONSE_TOO_BIG is a sign that UDP is being used for Kerberos (normal and default) and a single UDP frame is not large enough to transmit the full Kerberos ticket. This can happen if a user is in a very large number of AD groups. The involved component (see the source IP of that frame in your capture file) will then send a KRB5KRB_ERR_RESPONSE_TOO_BIG to inform the 'other side' to use TCP instead. If there are authentication problems, this could mean that switching to TCP did not work or there was no attempt to switch to TCP.

Possible solution: Analyze why TCP was not used and/or reduce the number of group memberships.

Regards
Kurt

permanent link

answered 26 Nov '15, 08:11

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×193
×1

question asked: 25 Nov '15, 15:31

question was seen: 4,103 times

last updated: 20 Jul '16, 15:46

p​o​w​e​r​e​d by O​S​Q​A