This is a static archive of our old Q&A Site. Please post any new questions and answers at



anyone ever have this error on wireshark ? KRB Error : KRB5KRB_ERR_RESPONSE_TOO_BIG

I get this error when I run a SPAN session to port that has attached a Scanner which authenticate to a DC and somebody tries to authenticate and they receive a Authentication Error and I get this throug wireshark via SPAN.

asked 25 Nov '15, 15:31

rloyd808's gravatar image

accept rate: 0%

edited 20 Jul '16, 15:46

cmaynard's gravatar image

cmaynard ♦♦

One Answer:


KRB5KRB_ERR_RESPONSE_TOO_BIG is a sign that UDP is being used for Kerberos (normal and default) and a single UDP frame is not large enough to transmit the full Kerberos ticket. This can happen if a user is in a very large number of AD groups. The involved component (see the source IP of that frame in your capture file) will then send a KRB5KRB_ERR_RESPONSE_TOO_BIG to inform the 'other side' to use TCP instead. If there are authentication problems, this could mean that switching to TCP did not work or there was no attempt to switch to TCP.

Possible solution: Analyze why TCP was not used and/or reduce the number of group memberships.


answered 26 Nov '15, 08:11

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%