How to solve KRB_ERR_RESPONSE_TOO_BIG error at Server 2022 AD

Shelly Ko 20 Reputation points
2023-07-31T07:04:40.0266667+00:00

Hi All,

I'm a programmer; one of my customers needs to upgrade from Windows AD Server 2016 to 2022.

I have a program that uses UDP to authenticate an AD Kerberos account/password. It works fine on Server 2016,

but gets the "KRB_ERR_RESPONSE_TOO_BIG" error after upgrading to Server 2022.

I tried the methods below, but all fail.

1. Force Kerberos to use TCP instead of UDP

ConnectSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

AD replies with RST.

Wireshark shows:

Client_IP AD_IP TCP 306 1087 → 88 [PSH, ACK] Seq=1 Ack=1 Win=65536 Len=252 [TCP segment of a reassembled PDU]

AD_IP Client_IP TCP 60 88 → 1087 [RST, ACK] Seq=1 Ack=253 Win=0 Len=0

2. Set MaxDatagramReplySize to 65535; still receive the KRB_ERR_RESPONSE_TOO_BIG error.

3. Increase the value of MaxPacketSize; still receive the KRB_ERR_RESPONSE_TOO_BIG error.

Any other solutions?

Thanks in advance.
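As an added example (not code from the original post or from the poster's program), the following Python shows the client-side mechanics that RFC 4120 section 7.2 specifies for exactly this situation: send the request over UDP, and if the KDC answers with a KRB-ERROR whose error-code is KRB_ERR_RESPONSE_TOO_BIG (52), repeat the same request over TCP port 88, where every Kerberos message must be prefixed with a 4-byte big-endian length whose high bit is clear. The KDC host name, the sample KRB-ERROR built by `sample_krb_error`, and the 88/tcp exchange in `kdc_exchange` are constructed assumptions; the request bytes (an AS-REQ) are whatever the caller has already built.

```python
import socket
import struct

# Error code from RFC 4120 section 7.5.9.
KRB_ERR_RESPONSE_TOO_BIG = 52
KDC_PORT = 88


def der_tlv(data, pos=0):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos).
    Single-byte tags and definite lengths are all a KRB-ERROR needs."""
    tag = data[pos]
    first = data[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, data[pos:pos + length], pos + length


def der_children(data):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(data):
        tag, val, pos = der_tlv(data, pos)
        out.append((tag, val))
    return out


def krb_error_code(reply):
    """Return error-code of a KRB-ERROR reply, or None if reply is not a KRB-ERROR."""
    tag, body, _ = der_tlv(reply)
    if tag != 0x7E:  # [APPLICATION 30] constructed = KRB-ERROR
        return None
    seq_tag, seq, _ = der_tlv(body)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    for ctx_tag, val in der_children(seq):
        if ctx_tag == 0xA6:  # error-code [6] Int32
            _, integer, _ = der_tlv(val)
            return int.from_bytes(integer, "big", signed=True)
    return None


def tcp_frame(msg):
    """RFC 4120 7.2.2: over TCP each message carries a 4-byte big-endian length, high bit clear."""
    if len(msg) >= 0x80000000:
        raise ValueError("message too long for Kerberos TCP framing")
    return struct.pack(">I", len(msg)) + msg


def unframe_tcp(buf):
    """Take one length-prefixed message off the front of buf; return (msg, remainder)."""
    if len(buf) < 4:
        raise ValueError("need 4-byte length prefix")
    (length,) = struct.unpack(">I", buf[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in length prefix")
    if len(buf) < 4 + length:
        raise ValueError("incomplete message")
    return bytes(buf[4:4 + length]), bytes(buf[4 + length:])


def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("KDC closed the connection mid-message")
        buf += chunk
    return bytes(buf)


def kdc_exchange(request, kdc_host, timeout=5.0):
    """UDP first; on KRB_ERR_RESPONSE_TOO_BIG resend the identical request over TCP (assumed host)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(request, (kdc_host, KDC_PORT))
        reply, _ = udp.recvfrom(65535)
    if krb_error_code(reply) != KRB_ERR_RESPONSE_TOO_BIG:
        return reply
    with socket.create_connection((kdc_host, KDC_PORT), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(request))  # without this prefix the KDC cannot parse the stream
        (length,) = struct.unpack(">I", recv_exact(tcp, 4))
        return recv_exact(tcp, length)


def _der(tag, content):
    """Encode one DER TLV (content shorter than 65536 bytes)."""
    if len(content) < 0x80:
        ln = bytes([len(content)])
    elif len(content) < 0x100:
        ln = b"\x81" + bytes([len(content)])
    else:
        ln = b"\x82" + struct.pack(">H", len(content))
    return bytes([tag]) + ln + content


def sample_krb_error(code):
    """Constructed minimal KRB-ERROR (pvno, msg-type, stime, susec, error-code) for offline testing."""
    integer = lambda v: _der(0x02, v.to_bytes(1, "big", signed=True))  # codes here fit one byte
    fields = (_der(0xA0, integer(5))                          # pvno [0]
              + _der(0xA1, integer(30))                       # msg-type [1] = KRB-ERROR
              + _der(0xA4, _der(0x18, b"20230801000000Z"))    # stime [4] KerberosTime
              + _der(0xA5, integer(0))                        # susec [5]
              + _der(0xA6, integer(code)))                    # error-code [6]
    return _der(0x7E, _der(0x30, fields))
```

`kdc_exchange` is the piece a program like the one in the question would call in place of a UDP-only send; the DER walk deliberately reads only the tags it needs, so it tolerates the optional fields a real KDC adds (ctime, crealm, e-data) without a full ASN.1 library.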


Accepted answer
    Limitless Technology 44,766 Reputation points
    2023-08-01T10:47:52.7033333+00:00

    Hello there,

    The "KRB_ERR_RESPONSE_TOO_BIG" error is related to the Kerberos authentication protocol and indicates that the response from the server is too large to fit in a single UDP packet, causing it to be dropped. This error can occur in various scenarios, and it typically arises when the Kerberos authentication response exceeds the maximum UDP packet size (usually around 4096 bytes). In some cases, this issue can be encountered on Windows Server 2022 Active Directory environments.

    To resolve the "KRB_ERR_RESPONSE_TOO_BIG" error, you can try the following steps:

    Check the Network Configuration:

    Ensure that there are no network-related issues, such as high latency, packet loss, or bandwidth limitations that might be causing the UDP packet to be dropped or fragmented.

    Verify that all relevant ports for Kerberos authentication (usually UDP port 88) are open and not blocked by firewalls or routers.

    Increase the MaxTokenSize:

    The Kerberos MaxTokenSize setting determines the maximum size of the Kerberos ticket that can be issued. If the default value is too small for your environment, you might encounter this error.

    On the domain controllers, open the Group Policy Management Console (GPMC) and navigate to the Default Domain Controllers Policy (or any other applicable policy).

    Edit the policy, go to "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Local Policies" > "Security Options".

    Look for the setting "Kerberos MaxTokenSize for delegation" and increase its value. A common recommendation is to set it to 48000 or higher.

    Force a Group Policy update on the domain controllers by running the command: gpupdate /force.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
