Received error from KDC: -1765328332/Response too big for UDP, retry with TCP

1 users found this article helpful

Applies to:
- Parallels Secure Workspace
Last Review: Nov 6, 2023
Related Articles:
- How to analyze the log files to identify single-sign on (SSO) issues
Available Translations:
Get updates Download

Symptoms

First, see How to analyze the log files to identify single-sign on (SSO) issues .

Single sign-on fails. In awingu-worker-smc.service.log, a similar error can be seen:

2022-04-20 07:35:58.452945 awingu awingu-worker-smc.service[manage.py:2067]: Process-1:3 processing cdsessions.tasks.refresh_sso_certificate [triple-jersey-carolina-white] 2022-04-20 07:35:58.480647 awingu awingu-worker-smc.service[python3:992]: Generating a RSA private key 2022-04-20 07:35:58.574126 awingu awingu-worker-smc.service[python3:992]: ...................................................+++++ 2022-04-20 07:35:58.715677 awingu awingu-worker-smc.service[python3:992]: ......................................................................................................+++++ 2022-04-20 07:35:58.715875 awingu awingu-worker-smc.service[python3:992]: writing new private key to 'private_key.pem' 2022-04-20 07:35:58.715993 awingu awingu-worker-smc.service[python3:992]: ----- 2022-04-20 07:35:58.782389 awingu awingu-worker-smc.service[python3:992]: writing RSA key 2022-04-20 07:36:14.926654 awingu awingu-worker-smc.service[manage.py:2067]: 2022-04-20 07:36:14.927186 awingu awingu-worker-smc.service[manage.py:2067]: Using specified cache: /etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/kerberos/kerberos_credentials_cache Using principal: someuser\@somedomain.org@SOMEDOMAIN.ORG PA Option X509_user_identity = FILE:/etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/certificate.pem,/etc/awingu/domains/AWINGUDOMAIN/a80789f7-4d84-4e31-bf59-a268123a3d2e/private_key.pem [21480] 1650440158.788887: Getting initial credentials for someuser\@somedomain.org@SOMEDOMAIN.ORG [21480] 1650440158.788889: Sending unauthenticated request [21480] 1650440158.788890: Sending request (211 bytes) to SOMEDOMAIN.ORG [21480] 1650440158.788891: Resolving hostname somedc.somedomain.org [21480] 1650440158.788892: Sending initial UDP request to dgram 10.1.2.3:88 [21480] 1650440158.788893: Received answer (205 bytes) from dgram 10.1.2.3:88 [21480] 1650440158.788894: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG. [21480] 1650440158.788895: No URI records found [21480] 1650440158.788896: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG. [21480] 1650440158.788897: SRV answer: 0 0 88 "somedc.somedomain.org." [21480] 1650440158.788898: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG. [21480] 1650440158.788899: SRV answer: 0 0 88 "somedc.somedomain.org." [21480] 1650440158.788900: Response was not from master KDC [21480] 1650440158.788901: Received error from KDC: -1765328359/Additional pre-authentication required [21480] 1650440158.788904: Preauthenticating using KDC method data [21480] 1650440158.788905: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2) [21480] 1650440158.788906: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params "" [21480] 1650440158.788907: PKINIT loading CA certs and CRLs from FILE [21480] 1650440158.788908: PKINIT client computed kdc-req-body checksum 9/E806B715A04F29B42806750A1ABFD6CF386E0C48 [21480] 1650440158.788910: PKINIT client making DH request [21480] 1650440158.788911: Preauth module pkinit (16) (real) returned: 0/Success [21480] 1650440158.788912: Produced preauth for next request: PA-PK-AS-REQ (16) [21480] 1650440158.788913: Sending request (4965 bytes) to SOMEDOMAIN.ORG [21480] 1650440158.788914: Resolving hostname somedc.somedomain.org [21480] 1650440158.788915: Initiating TCP connection to stream 10.1.2.3:88 [21480] 1650440159.864943: Sending initial UDP request to dgram 10.1.2.3:88 [21480] 1650440159.864944: Received answer (106 bytes) from dgram 10.1.2.3:88 [21480] 1650440159.864945: Terminating TCP connection to stream 10.1.2.3:88 [21480] 1650440159.864946: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG. [21480] 1650440159.864947: No URI records found [21480] 1650440159.864948: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG. [21480] 1650440159.864949: SRV answer: 0 0 88 "somedc.somedomain.org." [21480] 1650440159.864950: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG. [21480] 1650440159.864951: SRV answer: 0 0 88 "somedc.somedomain.org." [21480] 1650440159.864952: Response was not from master KDC [21480] 1650440159.864953: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP [21480] 1650440159.864954: Request or response is too big for UDP; retrying with TCP [21480] 1650440159.864955: Sending request (4965 bytes) to SOMEDOMAIN.ORG (tcp only) [21480] 1650440159.864956: Resolving hostname somedc.somedomain.org [21480] 1650440159.864957: Initiating TCP connection to stream 10.1.2.3:88 [21480] 1650440174.925076: Terminating TCP connection to stream 10.1.2.3:88 kinit: Cannot contact any KDC for realm 'SOMEDOMAIN.ORG' while getting initial credentials

Cause

The appliance is unable to connect one or more of the specified Kerberos Domain Controller(s).

Resolution

Fix network connectivity to Kerberos Domain Controller(s) (KDC). This could be a routing or firewall issue.
Also see: How to perform a port scan (tcpscan/udpscan)

Was this article helpful?

Tell us how we can improve it.