KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP #410

@b0bi79

Description

Version Kerberos.NET: 4.6.131
Runtime: Linux.
Participants:

  • Service_1 - our service, running under a local account.
  • Service_2 - an external service accessed by Service_1. Service login is via Kerberos.
  • Apache - a web server that forwards requests from Service_1 to Service_2, running in proxy mode. It is located on the same server as Service_2.
  • TPN_user - the account used to log in to Service_2. Constrained delegation is configured.
  • SPN - the service account associated with the TPN_user.

Actions:

  1. Service_1 logs in under the TPN account.
  2. A Delegated Service Ticket is requested for Service_2.
  3. With the received ticket, a request is made to Service_2.
    // login, password, domain, kdc, spn, url, factory (ILoggerFactory), transports and log
    // are supplied by the host program and are not shown here.
    var krb5Config = Krb5Config.Default();
    var kerbCred = new KerberosPasswordCredential(login, password, domain)
            { Configuration = krb5Config };

    var client = new KerberosClient(logger: factory, transports: transports);
    DnsQuery.RegisterImplementation(new PortableDnsImplementation());

    // Pin this client to one KDC, keep tickets renewed and refuse weak encryption types.
    client.PinKdc(domain, kdc);
    client.RenewTickets = true;
    client.Configuration.Defaults.AllowWeakCrypto = false;

    // Step 1: AS-REQ as the TPN account, then a service ticket for our own SPN.
    await client.Authenticate(kerbCred);

    var ticket = await client.GetServiceTicket(spn);

    // Validate that ticket against our own key to obtain a KerberosIdentity we can delegate from.
    var authenticator = new KerberosAuthenticator(login, new KeyTable(kerbCred.CreateKey()), client.Configuration, factory);

    var delegated = GetHTTPServiceSPN(url);
    var identity = await authenticator.Authenticate(ticket.ApReq.EncodeGssApi()) as KerberosIdentity;

    // Step 2: constrained delegation (S4U) request for Service_2's HTTP SPN on behalf of that identity.
    var delegatedTicket = await identity.GetDelegatedServiceTicket(delegated);

    // Step 3: the GSS-API encoded AP-REQ is what goes into the HTTP Negotiate header sent to Service_2.
    log.LogTrace("Negotiate: " + Convert.ToBase64String(delegatedTicket.ApReq.EncodeGssApi().ToArray()));

Issue:
KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP.
Floating error. Sometimes we get an error, sometimes we don't.

Kerberos authenticate TPN_user to 'DOMAIN.LOCAL'.
2025-11-05 18:01:46.0117|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 855942410
2025-11-05 18:01:46.2145|DEBUG|Kerberos.NET.Client.KerberosClient|AS-REP PA-Data: EType = AES256_CTS_HMAC_SHA1_96; Salt = DOMAIN.LOCALTPN_user;
2025-11-05 18:01:46.2691|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 316194820
2025-11-05 18:01:46.3168|DEBUG|Kerberos.NET.Client.KerberosClient|EncPart expected to be KrbEncAsRepPart and is actually KrbEncAsRepPart
2025-11-05 18:01:46.3213|TRACE|Kerberos.NET.TicketCacheBase|Caching ticket until 11/06/2025 01:01:46 +00:00 for kerberos--krbtgt/DOMAIN.local with renewal option until 11/06/2025 15:01:46 +00:00

Request service ticket to HTTP/ny99-tsa-eap1t.DOMAIN.local.
2025-11-05 18:01:46.3984|INFO|Kerberos.NET.Client.KerberosClient|Cache did not contain a valid ticket for HTTP/ny99-tsa-eap1t.DOMAIN.local
2025-11-05 18:01:46.4010|INFO|Kerberos.NET.Client.KerberosClient|Using TGT from DOMAIN.LOCAL to krbtgt/DOMAIN.LOCAL
2025-11-05 18:01:46.4010|INFO|Kerberos.NET.Client.KerberosClient|Requesting TGS for HTTP/ny99-tsa-eap1t.DOMAIN.local; TGT Realm = DOMAIN.LOCAL; TGT Service = krbtgt/DOMAIN.LOCAL; S4U = (null); S4UTicket = (null); KDC Flags = RenewableOk, Canonicalize, Renewable, Forwardable
2025-11-05 18:01:46.4197|DEBUG|Kerberos.NET.Client.KerberosClient|TGT EType = AES256_CTS_HMAC_SHA1_96; TGS Session Key = AES256_CTS_HMAC_SHA1_96; PAData = PA_TGS_REQ, PA_PAC_OPTIONS
2025-11-05 18:01:46.4592|INFO|Kerberos.NET.Client.KerberosClient|TGS-REP for HTTP/ny99-tsa-eap1t.DOMAIN.local; CName = TPN_user; CRealm = DOMAIN.LOCAL; PAData = (null)
2025-11-05 18:01:46.4613|INFO|Kerberos.NET.Client.KerberosClient|A ticket was retrieved for HTTP/ny99-tsa-eap1t.DOMAIN.local
2025-11-05 18:01:46.4613|TRACE|Kerberos.NET.TicketCacheBase|Caching ticket until 11/06/2025 01:01:46 +00:00 for kerberos--http/ny99-tsa-eap1t.DOMAIN.local with renewal option until 11/06/2025 15:01:46 +00:00

Authenticate ticket to HTTP/ny99-tsa-eap1t.DOMAIN.local.
2025-11-05 18:01:46.4879|TRACE|Kerberos.NET.KerberosValidator|Validating Kerberos request NegTokenInit Oid: ;
2025-11-05 18:01:46.4982|TRACE|Kerberos.NET.KerberosValidator|Kerberos request decrypted HTTP/ny99-tsa-eap1t.DOMAIN.local
2025-11-05 18:01:46.5063|TRACE|Kerberos.NET.TicketCacheBase|Caching ticket until 11/06/2025 01:01:46 +00:00 for kerberos-e32faf1b9661a1f59e2df625c1292208dfefdc54255cea975ac2aa9c2a4724bd-ca8ac40192c850d0f2bba90d50a943f259b5d0433af6d8931e3b2d401ee057ef with renewal option until (null)

Get delegated service ticket to HTTP/prs99-ntc-1c01t.DOMAIN.local.
2025-11-05 18:01:46.5466|INFO|Kerberos.NET.Client.KerberosClient|Cache did not contain a valid ticket for HTTP/prs99-ntc-1c01t.DOMAIN.local
2025-11-05 18:01:46.5466|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 524952096
2025-11-05 18:01:46.5523|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:46.5694|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ny27-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:48.5774|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:48.5830|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ny98-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:50.5839|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:50.5905|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ca09-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:52.5906|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:52.5985|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to al19-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:54.5990|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:54.6041|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to prs99-dc02.DOMAIN.local. on port 88
2025-11-05 18:01:54.6416|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP connected to prs99-dc02.DOMAIN.local. on port 88
2025-11-05 18:01:54.6790|DEBUG|Kerberos.NET.Client.KerberosClient|AS-REP PA-Data: EType = AES256_CTS_HMAC_SHA1_96; Salt = DOMAIN.LOCALTPN_user;
2025-11-05 18:01:54.6790|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 1879876668
2025-11-05 18:01:54.6790|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:54.6878|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to tsk01-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:56.6850|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:56.6921|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to rsa02-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:58.6925|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:58.6976|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to wsh10-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:00.6981|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:00.7081|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ny99-tc-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:02.7074|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:02.7287|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to op01-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:04.7298|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:04.7380|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to al31-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:06.7386|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:06.7549|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to nbk01-dc02.DOMAIN.local. on port 88
2025-11-05 18:02:08.7556|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:08.7698|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ls01-dc02.DOMAIN.local. on port 88
2025-11-05 18:02:10.7707|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:10.7833|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to nt01-dc03.DOMAIN.local. on port 88
2025-11-05 18:02:12.7839|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:12.7919|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to al01-dc02.DOMAIN.local. on port 88
2025-11-05 18:02:14.7979|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP Socket exception during Connect TimedOut|System.Net.Sockets.SocketException (110): Connection timed out
   at Kerberos.NET.Transport.TcpKerberosTransport.GetClient(String domain) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 119
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 55
2025-11-05 18:02:14.8204|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport TcpKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
2025-11-05 18:02:14.8229|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport UdpKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
2025-11-05 18:02:14.8292|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._https.DOMAIN.LOCAL
2025-11-05 18:02:14.8468|DEBUG|Kerberos.NET.Transport.ClientDomainService|DNS failed _kerberos._https.DOMAIN.LOCAL so negative caching
2025-11-05 18:02:14.8490|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport HttpsKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
System.AggregateException: One or more errors occurred. (TCP Connect failed) (KDC KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP) (Cannot locate a KDC Proxy endpoint for DOMAIN.LOCAL)
 ---> Kerberos.NET.Transport.KerberosTransportException: TCP Connect failed
 ---> System.Net.Sockets.SocketException (110): Connection timed out
   at Kerberos.NET.Transport.TcpKerberosTransport.GetClient(String domain) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 119
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 55
   --- End of inner exception stack trace ---
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 68
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)
   --- End of inner exception stack trace ---
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportSelector.cs:line 86
   at Kerberos.NET.Client.KerberosClient.RequestTgt(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1205
   at Kerberos.NET.Client.KerberosClient.AuthenticateCredential(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 374
   at Kerberos.NET.Client.KerberosClient.Authenticate(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 357
   at Kerberos.NET.S4UProvider.GetServiceTicket(RequestServiceTicket rst, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\S4UProvider.cs:line 50
   at Kerberos.NET.KerberosIdentity.GetDelegatedServiceTicket(RequestServiceTicket rst, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\KerberosIdentity.cs:line 97
   at Kerberos.NET.KerberosIdentity.GetDelegatedServiceTicket(String spn) in D:\a\1\s\Kerberos.NET\KerberosIdentity.cs:line 76
   at KrbTest.Program.Main(String[] args) in D:\Projects\Tests\KrbTest\Program.cs:line 124
 ---> (Inner Exception #1) Kerberos.NET.Transport.KerberosTransportException: KDC KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP
   at Kerberos.NET.Transport.UdpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\UdpKerberosTransport.cs:line 39
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)<---

 ---> (Inner Exception #2) Kerberos.NET.Transport.KerberosTransportException: Cannot locate a KDC Proxy endpoint for DOMAIN.LOCAL
   at Kerberos.NET.Transport.HttpsKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 req, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\HttpsKerberosTransport.cs:line 56
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)<---
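The trace above shows the delegated-ticket path cycling through DC after DC from the `_kerberos._tcp` SRV record, each TCP connect to port 88 timing out after about two seconds, before the selector falls back to UDP (rejected with KRB_ERR_RESPONSE_TOO_BIG) and HTTPS (no KDC proxy). As an added triage aid, not part of the issue or of Kerberos.NET, the Python below parses transport log lines in that format and reports, per KDC, whether the TCP connect succeeded or timed out and how long it took, plus which transports the selector exhausted; the sample log is constructed with placeholder hostnames and realm.

```python
import re
from datetime import datetime

# Constructed sample in the Kerberos.NET transport log format (hostnames and realm are placeholders).
SAMPLE_LOG = """\
2025-11-05 18:01:46.5000|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to dc-a.example.local. on port 88
2025-11-05 18:01:48.5100|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to dc-b.example.local. on port 88
2025-11-05 18:01:48.5600|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP connected to dc-b.example.local. on port 88
2025-11-05 18:01:48.7000|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to dc-c.example.local. on port 88
2025-11-05 18:01:50.7100|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP Socket exception during Connect TimedOut|System.Net.Sockets.SocketException (110): Connection timed out
2025-11-05 18:01:50.7200|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport TcpKerberosTransport failed connecting to EXAMPLE.LOCAL so moving on to next transporter
2025-11-05 18:01:50.7300|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport UdpKerberosTransport failed connecting to EXAMPLE.LOCAL so moving on to next transporter
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\|(\w+)\|([\w.]+)\|(.*)$")
CONNECTING_RE = re.compile(r"TCP connecting to (\S+?)\.? on port \d+")
CONNECTED_RE = re.compile(r"TCP connected to (\S+?)\.? on port \d+")
FAILED_RE = re.compile(r"Transport (\w+) failed connecting")

def triage(log_text):
    """Return per-KDC TCP connect outcomes and the transports the selector gave up on."""
    attempts, failed_transports, pending = [], [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(4)
        connecting = CONNECTING_RE.match(msg)
        # A connect still pending when the next connect, a socket exception or a transport failure is logged timed out.
        if pending and (connecting or "Socket exception" in msg or FAILED_RE.match(msg)):
            attempts.append((pending[0], "timed out", round((ts - pending[1]).total_seconds(), 2)))
            pending = None
        if connecting:
            pending = (connecting.group(1), ts)
        elif (done := CONNECTED_RE.match(msg)) and pending and pending[0] == done.group(1):
            attempts.append((done.group(1), "connected", round((ts - pending[1]).total_seconds(), 2)))
            pending = None
        elif (failed := FAILED_RE.match(msg)):
            failed_transports.append(failed.group(1))
    return {"attempts": attempts, "failed_transports": failed_transports}

def summarize(report):
    """One-line verdict: KDCs tried, how many timed out, time lost, and which transports were exhausted."""
    timed_out = [a for a in report["attempts"] if a[1] == "timed out"]
    lost = round(sum(a[2] for a in timed_out), 2)
    return (f"{len(report['attempts'])} KDC connect(s), {len(timed_out)} timed out ({lost}s lost); "
            f"transports exhausted: {', '.join(report['failed_transports']) or 'none'}")
```

Run it over a captured trace to see which DCs are unreachable on TCP/88 from the client's network; a KDC list where most entries time out explains both the intermittent failures (it depends which DC the SRV lookup yields first) and why the UDP fallback is hit at all.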
