
KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP

Open b0bi79 opened this issue 3 months ago • 2 comments

Version Kerberos.NET: 4.6.131
Runtime: Linux.

Participants:

  • Service_1 - our service, running under a local account.
  • Service_2 - an external service accessed by Service_1. Service login is via Kerberos.
  • Apache - a web server that forwards requests from Service_1 to Service_2, running in proxy mode. It is located on the same server as Service_2.
  • TPN_user - the account used to log in to Service_2. Constrained delegation is configured.
  • SPN - the service account associated with the TPN_user.

Actions:

  1. Service_1 logs in under the TPN account.
  2. A Delegated Service Ticket is requested for Service_2.
  3. With the received ticket, a request is made to Service_2.

```csharp
using Kerberos.NET;
using Kerberos.NET.Client;
using Kerberos.NET.Configuration;
using Kerberos.NET.Credentials;
using Kerberos.NET.Crypto;
using Kerberos.NET.Dns;

// login, password, domain, kdc, spn, url, factory (ILoggerFactory), transports and log
// are set up elsewhere in the test program and are not shown here.
var krb5Config = Krb5Config.Default();   // not used below; the credential builds its own Default()
var kerbCred = new KerberosPasswordCredential(login, password, domain)
        { Configuration = Krb5Config.Default() };

var client = new KerberosClient(logger: factory, transports: transports);
// Custom DNS resolver used on Linux (its implementation is not shown in the issue).
DnsQuery.RegisterImplementation(new PortableDnsImplementation());

client.PinKdc(domain, kdc);              // pins the KDC for this client instance
client.RenewTickets = true;
client.Configuration.Defaults.AllowWeakCrypto = false;

// Step 1: AS-REQ as TPN_user.
await client.Authenticate(kerbCred);

// Service ticket for Service_1's own SPN; its AP-REQ is validated locally below.
var ticket = await client.GetServiceTicket(spn);

var authenticator = new KerberosAuthenticator(login, new KeyTable(kerbCred.CreateKey()), client.Configuration, factory);

var delegated = GetHTTPServiceSPN(url);  // HTTP/<host> SPN of Service_2 behind Apache
var identity = await authenticator.Authenticate(ticket.ApReq.EncodeGssApi()) as KerberosIdentity;

// Step 2: S4U2Proxy request for Service_2 on behalf of the validated identity.
// This path performs its own AS-REQ (S4UProvider -> KerberosClient.Authenticate in the trace below).
var delegatedTicket = await identity.GetDelegatedServiceTicket(delegated);

// Step 3: the GSS-API token sent as the Negotiate header to Service_2.
log.LogTrace("Negotiate: " + Convert.ToBase64String(delegatedTicket.ApReq.EncodeGssApi().ToArray()));
```

Issue: KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP. Floating error. Sometimes we get an error, sometimes we don't.

Kerberos authenticate TPN_user to 'DOMAIN.LOCAL'.
2025-11-05 18:01:46.0117|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 855942410
2025-11-05 18:01:46.2145|DEBUG|Kerberos.NET.Client.KerberosClient|AS-REP PA-Data: EType = AES256_CTS_HMAC_SHA1_96; Salt = DOMAIN.LOCALTPN_user;
2025-11-05 18:01:46.2691|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 316194820
2025-11-05 18:01:46.3168|DEBUG|Kerberos.NET.Client.KerberosClient|EncPart expected to be KrbEncAsRepPart and is actually KrbEncAsRepPart
2025-11-05 18:01:46.3213|TRACE|Kerberos.NET.TicketCacheBase|Caching ticket until 11/06/2025 01:01:46 +00:00 for kerberos--krbtgt/DOMAIN.local with renewal option until 11/06/2025 15:01:46 +00:00

Request service ticket to HTTP/ny99-tsa-eap1t.DOMAIN.local.
2025-11-05 18:01:46.3984|INFO|Kerberos.NET.Client.KerberosClient|Cache did not contain a valid ticket for HTTP/ny99-tsa-eap1t.DOMAIN.local
2025-11-05 18:01:46.4010|INFO|Kerberos.NET.Client.KerberosClient|Using TGT from DOMAIN.LOCAL to krbtgt/DOMAIN.LOCAL
2025-11-05 18:01:46.4010|INFO|Kerberos.NET.Client.KerberosClient|Requesting TGS for HTTP/ny99-tsa-eap1t.DOMAIN.local; TGT Realm = DOMAIN.LOCAL; TGT Service = krbtgt/DOMAIN.LOCAL; S4U = (null); S4UTicket = (null); KDC Flags = RenewableOk, Canonicalize, Renewable, Forwardable
2025-11-05 18:01:46.4197|DEBUG|Kerberos.NET.Client.KerberosClient|TGT EType = AES256_CTS_HMAC_SHA1_96; TGS Session Key = AES256_CTS_HMAC_SHA1_96; PAData = PA_TGS_REQ, PA_PAC_OPTIONS
2025-11-05 18:01:46.4592|INFO|Kerberos.NET.Client.KerberosClient|TGS-REP for HTTP/ny99-tsa-eap1t.DOMAIN.local; CName = TPN_user; CRealm = DOMAIN.LOCAL; PAData = (null)
2025-11-05 18:01:46.4613|INFO|Kerberos.NET.Client.KerberosClient|A ticket was retrieved for HTTP/ny99-tsa-eap1t.DOMAIN.local
2025-11-05 18:01:46.4613|TRACE|Kerberos.NET.TicketCacheBase|Caching ticket until 11/06/2025 01:01:46 +00:00 for kerberos--http/ny99-tsa-eap1t.DOMAIN.local with renewal option until 11/06/2025 15:01:46 +00:00

Authenticate ticket to HTTP/ny99-tsa-eap1t.DOMAIN.local.
2025-11-05 18:01:46.4879|TRACE|Kerberos.NET.KerberosValidator|Validating Kerberos request NegTokenInit Oid: ;
2025-11-05 18:01:46.4982|TRACE|Kerberos.NET.KerberosValidator|Kerberos request decrypted HTTP/ny99-tsa-eap1t.DOMAIN.local
2025-11-05 18:01:46.5063|TRACE|Kerberos.NET.TicketCacheBase|Caching ticket until 11/06/2025 01:01:46 +00:00 for kerberos-e32faf1b9661a1f59e2df625c1292208dfefdc54255cea975ac2aa9c2a4724bd-ca8ac40192c850d0f2bba90d50a943f259b5d0433af6d8931e3b2d401ee057ef with renewal option until (null)

Get delegated service ticket to HTTP/prs99-ntc-1c01t.DOMAIN.local.
2025-11-05 18:01:46.5466|INFO|Kerberos.NET.Client.KerberosClient|Cache did not contain a valid ticket for HTTP/prs99-ntc-1c01t.DOMAIN.local
2025-11-05 18:01:46.5466|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 524952096
2025-11-05 18:01:46.5523|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:46.5694|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ny27-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:48.5774|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:48.5830|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ny98-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:50.5839|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:50.5905|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ca09-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:52.5906|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:52.5985|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to al19-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:54.5990|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:54.6041|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to prs99-dc02.DOMAIN.local. on port 88
2025-11-05 18:01:54.6416|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP connected to prs99-dc02.DOMAIN.local. on port 88
2025-11-05 18:01:54.6790|DEBUG|Kerberos.NET.Client.KerberosClient|AS-REP PA-Data: EType = AES256_CTS_HMAC_SHA1_96; Salt = DOMAIN.LOCALTPN_user;
2025-11-05 18:01:54.6790|TRACE|Kerberos.NET.Client.KerberosClient|Attempting AS-REQ. UserName = TPN_user; Domain = DOMAIN.LOCAL; Nonce = 1879876668
2025-11-05 18:01:54.6790|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:54.6878|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to tsk01-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:56.6850|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:56.6921|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to rsa02-dc01.DOMAIN.local. on port 88
2025-11-05 18:01:58.6925|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:01:58.6976|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to wsh10-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:00.6981|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:00.7081|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ny99-tc-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:02.7074|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:02.7287|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to op01-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:04.7298|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:04.7380|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to al31-dc01.DOMAIN.local. on port 88
2025-11-05 18:02:06.7386|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:06.7549|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to nbk01-dc02.DOMAIN.local. on port 88
2025-11-05 18:02:08.7556|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:08.7698|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to ls01-dc02.DOMAIN.local. on port 88
2025-11-05 18:02:10.7707|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:10.7833|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to nt01-dc03.DOMAIN.local. on port 88
2025-11-05 18:02:12.7839|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._tcp.DOMAIN.LOCAL
2025-11-05 18:02:12.7919|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to al01-dc02.DOMAIN.local. on port 88
2025-11-05 18:02:14.7979|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP Socket exception during Connect TimedOut|System.Net.Sockets.SocketException (110): Connection timed out
   at Kerberos.NET.Transport.TcpKerberosTransport.GetClient(String domain) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 119
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 55
2025-11-05 18:02:14.8204|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport TcpKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
2025-11-05 18:02:14.8229|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport UdpKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
2025-11-05 18:02:14.8292|DEBUG|Kerberos.NET.Transport.ClientDomainService|Querying DNS _kerberos._https.DOMAIN.LOCAL
2025-11-05 18:02:14.8468|DEBUG|Kerberos.NET.Transport.ClientDomainService|DNS failed _kerberos._https.DOMAIN.LOCAL so negative caching
2025-11-05 18:02:14.8490|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport HttpsKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
System.AggregateException: One or more errors occurred. (TCP Connect failed) (KDC KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP) (Cannot locate a KDC Proxy endpoint for DOMAIN.LOCAL)
 ---> Kerberos.NET.Transport.KerberosTransportException: TCP Connect failed
 ---> System.Net.Sockets.SocketException (110): Connection timed out
   at Kerberos.NET.Transport.TcpKerberosTransport.GetClient(String domain) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 119
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 55
   --- End of inner exception stack trace ---
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 68
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)
   --- End of inner exception stack trace ---
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportSelector.cs:line 86
   at Kerberos.NET.Client.KerberosClient.RequestTgt(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1205
   at Kerberos.NET.Client.KerberosClient.AuthenticateCredential(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 374
   at Kerberos.NET.Client.KerberosClient.Authenticate(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 357
   at Kerberos.NET.S4UProvider.GetServiceTicket(RequestServiceTicket rst, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\S4UProvider.cs:line 50
   at Kerberos.NET.KerberosIdentity.GetDelegatedServiceTicket(RequestServiceTicket rst, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\KerberosIdentity.cs:line 97
   at Kerberos.NET.KerberosIdentity.GetDelegatedServiceTicket(String spn) in D:\a\1\s\Kerberos.NET\KerberosIdentity.cs:line 76
   at KrbTest.Program.Main(String[] args) in D:\Projects\Tests\KrbTest\Program.cs:line 124
 ---> (Inner Exception #1) Kerberos.NET.Transport.KerberosTransportException: KDC KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP
   at Kerberos.NET.Transport.UdpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\UdpKerberosTransport.cs:line 39
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)<---

 ---> (Inner Exception #2) Kerberos.NET.Transport.KerberosTransportException: Cannot locate a KDC Proxy endpoint for DOMAIN.LOCAL
   at Kerberos.NET.Transport.HttpsKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 req, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\HttpsKerberosTransport.cs:line 56
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)<---

b0bi79 avatar Nov 06 '25 09:11 b0bi79
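A defender-side reading of the transport log above, as an added example that is not part of the issue or of Kerberos.NET: it parses the client's TCP connect attempts and the selector's fallback order, and flags that the UDP RESPONSE_TOO_BIG error is the downstream symptom of exhausted TCP attempts. The log excerpt inside it is constructed in the same line format; its hostnames and timestamps are made up.

```python
import re
from datetime import datetime

# Constructed excerpt in the issue's log format (timestamps and hostnames made up).
LOG = """\
2025-11-05 18:01:46.569|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to dc01.DOMAIN.local. on port 88
2025-11-05 18:01:48.583|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to dc02.DOMAIN.local. on port 88
2025-11-05 18:01:50.590|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to dc03.DOMAIN.local. on port 88
2025-11-05 18:01:50.628|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP connected to dc03.DOMAIN.local. on port 88
2025-11-05 18:01:50.688|TRACE|Kerberos.NET.Transport.TcpKerberosTransport|TCP connecting to dc04.DOMAIN.local. on port 88
2025-11-05 18:01:52.692|DEBUG|Kerberos.NET.Transport.TcpKerberosTransport|TCP Socket exception during Connect TimedOut|System.Net.Sockets.SocketException (110): Connection timed out
   at Kerberos.NET.Transport.TcpKerberosTransport.GetClient(String domain)
2025-11-05 18:01:52.720|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport TcpKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
2025-11-05 18:01:52.723|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport UdpKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
2025-11-05 18:01:52.849|DEBUG|Kerberos.NET.Transport.KerberosTransportSelector|Transport HttpsKerberosTransport failed connecting to DOMAIN.LOCAL so moving on to next transporter
"""

CONNECTING = re.compile(r"TCP connecting to (\S+?)\.? on port")
CONNECTED = re.compile(r"TCP connected to (\S+?)\.? on port")
FAILED = re.compile(r"Transport (\w+) failed connecting to")

def parse(line):
    ts, level, logger, msg = line.split("|", 3)   # msg keeps any further '|' (exception text)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), level, logger, msg

def tcp_attempts(lines):
    """One (host, connected, seconds) per 'TCP connecting' line; an attempt ends at the next 'connected', socket-exception or 'connecting' line."""
    attempts, pending = [], None
    for line in lines:
        ts, _, _, msg = parse(line)
        m = CONNECTING.search(msg)
        if m or CONNECTED.search(msg) or "Socket exception during Connect" in msg:
            if pending:
                host, start = pending
                attempts.append((host, bool(CONNECTED.search(msg)), round((ts - start).total_seconds(), 1)))
            pending = (m.group(1), ts) if m else None
    return attempts

def fallback_chain(lines):
    """Transports in the order KerberosTransportSelector gave up on them."""
    return [m.group(1) for m in (FAILED.search(parse(l)[3]) for l in lines) if m]

def triage(log):
    lines = [l for l in log.splitlines() if l.count("|") >= 3]   # drop stack-trace lines
    attempts, chain = tcp_attempts(lines), fallback_chain(lines)
    dead = [h for h, ok, _ in attempts if not ok]
    # RESPONSE_TOO_BIG is only reported after the selector has exhausted TCP, so when
    # the chain starts Tcp -> Udp the actionable fault is TCP/88 reachability to the DCs.
    verdict = "tcp-unreachable" if chain[:2] == ["TcpKerberosTransport", "UdpKerberosTransport"] and dead else "inconclusive"
    return {"dead": dead, "alive": [h for h, ok, _ in attempts if ok], "chain": chain, "verdict": verdict}
```

Run against the full trace in the issue, the same logic lists every DC whose TCP connect timed out before the UDP error appeared.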