Has anyone ever had this error on Wireshark? KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
I get this error when I run a SPAN session to a port that has a scanner attached which authenticates to a DC, and somebody tries to authenticate and they receive an authentication error, and I get this through Wireshark via SPAN.
asked 25 Nov '15, 15:31
edited 20 Jul '16, 15:46
KRB5KRB_ERR_RESPONSE_TOO_BIG is a sign that UDP is being used for Kerberos (normal and default) and a single UDP frame is not large enough to transmit the full Kerberos ticket. This can happen if a user is in a very large number of AD groups. The involved component (see the source IP of that frame in your capture file) will then send a KRB5KRB_ERR_RESPONSE_TOO_BIG to inform the 'other side' to use TCP instead. If there are authentication problems, this could mean that switching to TCP did not work or there was no attempt to switch to TCP.
Possible solution: Analyze why TCP was not used and/or reduce the number of group memberships.
answered 26 Nov '15, 08:11
Kurt Knochner ♦
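To check a capture for the failure mode the answer describes (a RESPONSE_TOO_BIG error over UDP with no retry over TCP), the following is an added example, not part of the original answer and not Wireshark code. It assumes the Kerberos packets have been exported to CSV rows of time, source, destination, transport, message type and error code; that column layout and the sample rows are constructed for illustration. Message type 30 (KRB-ERROR) and error code 52 are the RFC 4120 values.

```python
import csv
import io

KRB_ERROR = 30            # Kerberos msg-type of KRB-ERROR (RFC 4120)
RESPONSE_TOO_BIG = 52     # KRB_ERR_RESPONSE_TOO_BIG (RFC 4120)
REQUEST_TYPES = {10, 12}  # AS-REQ and TGS-REQ

# Constructed sample rows: time, src, dst, transport, msg_type, error_code
SAMPLE = """\
0.000,10.0.0.21,10.0.0.5,udp,10,
0.002,10.0.0.5,10.0.0.21,udp,30,52
0.010,10.0.0.21,10.0.0.5,tcp,10,
0.015,10.0.0.5,10.0.0.21,tcp,11,
1.000,10.0.0.40,10.0.0.5,udp,10,
1.003,10.0.0.5,10.0.0.40,udp,30,52
1.500,10.0.0.40,10.0.0.5,udp,10,
"""

def parse(text):
    """Turn the CSV export into a list of dicts, in capture order."""
    rows = []
    for t, src, dst, proto, mtype, err in csv.reader(io.StringIO(text)):
        rows.append({"t": float(t), "src": src, "dst": dst, "proto": proto,
                     "type": int(mtype), "err": int(err) if err else None})
    return rows

def missing_tcp_fallback(rows, window=5.0):
    """Return (client, kdc, time) for every UDP RESPONSE_TOO_BIG error that is
    not followed, within `window` seconds, by a TCP request to the same KDC."""
    findings = []
    for i, r in enumerate(rows):
        if not (r["proto"] == "udp" and r["type"] == KRB_ERROR
                and r["err"] == RESPONSE_TOO_BIG):
            continue
        kdc, client = r["src"], r["dst"]  # the error travels KDC -> client
        retried = any(
            n["proto"] == "tcp" and n["type"] in REQUEST_TYPES
            and n["src"] == client and n["dst"] == kdc
            and n["t"] - r["t"] <= window
            for n in rows[i + 1:]
        )
        if not retried:
            findings.append((client, kdc, r["t"]))
    return findings

if __name__ == "__main__":
    for client, kdc, t in missing_tcp_fallback(parse(SAMPLE)):
        print(f"{client} got RESPONSE_TOO_BIG from {kdc} at {t:.3f}s, no TCP retry")
```

In the sample, 10.0.0.21 switches to TCP as expected, while 10.0.0.40 repeats the request over UDP and is reported.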