Receive an error "KRB_ERR_RESPONSE_TOO_BIG" at await client.Authenticate(credential);

Hello!

I am writing a DelegatingHandler for HttpClient to get a Kerberos ticket and put it in the www-authenticate header, and I've run into some problems. When I request the Kerberos ticket, I get an exception:

    using (var client = new KerberosClient(Krb5Config.Default()))
    {
        var keyTable = new KeyTable(
            _webEnv.ContentRootFileProvider.GetFileInfo(
                "<keytab file name>").CreateReadStream());

        var credential =
            new KeytabCredential("<account name>",
                keyTable, "<domain name>");
        client.Configuration.Realms["<domain name>"].Kdc.Add("<server name>:88");

        client.Configuration.Defaults.DefaultRealm = "<domain name>";
        client.Configuration.DomainRealm.Add("<domain name>", "<domain name>");
        client.Configuration.Defaults.DnsLookupKdc = false;

        await client.Authenticate(credential); // exception occurs here
        KrbApReq ticket = await client.GetServiceTicket("<spn name>");
        wwwAuthValueAuth
            = Negotiate + Convert.ToBase64String(ticket.EncodeGssApi().Span);
    }

    request.Headers.Add(HeaderNames.WWWAuthenticate, wwwAuthValueAuth);

Exception StackTrace:

System.AggregateException: One or more errors occurred. (Cannot locate SRV record for RAIFFEISEN.RU) (KRB_ERR_RESPONSE_TOO_BIG: Response too big for UDP; retry with TCP) (Cannot locate a KDC Proxy endpoint for RAIFFEISEN.RU)
 ---> Kerberos.NET.Transport.KerberosTransportException: Cannot locate SRV record for RAIFFEISEN.RU
   at Kerberos.NET.Transport.KerberosTransportBase.LocatePreferredKdc(String domain, String servicePrefix) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportBase.cs:line 130
   at Kerberos.NET.Transport.TcpKerberosTransport.GetClient(String domain) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 77
   at Kerberos.NET.Transport.TcpKerberosTransport.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\TcpKerberosTransport.cs:line 53
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation)
   --- End of inner exception stack trace ---
   at Kerberos.NET.Transport.KerberosTransportSelector.SendMessage[T](String domain, ReadOnlyMemory`1 encoded, CancellationToken cancellation) in D:\a\1\s\Kerberos.NET\Client\Transport\KerberosTransportSelector.cs:line 86
   at Kerberos.NET.Client.KerberosClient.RequestTgt(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 1009
   at Kerberos.NET.Client.KerberosClient.AuthenticateCredential(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 345
   at Kerberos.NET.Client.KerberosClient.Authenticate(KerberosCredential credential) in D:\a\1\s\Kerberos.NET\Client\KerberosClient.cs:line 328

Could you explain why this happens and how I can resolve it?

Thank you!

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 7

Top GitHub Comments

1 reaction
daniilzaonegin commented, Apr 6, 2021

😃 Thank you! After dropping the port, I got the Kerberos ticket! But now my API server returns HTTP 401. I'll look into that tomorrow, but this is another issue. It could be that I need a keytab file for another SPN.

0 reactions
SteveSyfuhs commented, Apr 6, 2021

Also, the way you’ve written the code will in fact guarantee it never tries DNS, it just happens that the errors raised are identical if it can’t find the SRV record by DNS or by config.
