Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Kerberos problems with ASA 5510

I have an ASA 5510 connecting multiple networks to a DSL modem. Two of these networks use Kerberos for authentication. Authentication works on both networks except for one user - me. I have the same logon name on both AD domains (they are completely seperate domains) and when I try to authenticate, it fails. I tried testing the servers in ASDM and authentication works for other users, just not my account. I tried setting up a user account with a logon name exactly the same as mine but with one letter changed and gave that user the exact same group memberships as me and that test account works.

To further diagnose this problem, I put a packet sniffer on the authentication servers. The authentication process is as follows:

1. The ASA sends an authentication request UDP packet

2. The AD server responds with a request for preauthorization UDP packet

3. The ASA sends a preauthorization request UDP packet

4. The server responds with Kerberos code 52 which is a "response too big" error UDP packet

No further messages are sent.

For every other user, two UDP packets - fragments - are sent back containing the Kerberos ticket instead of the error code 52 message.

Has anyone seen this problem before and do they know how to fix it?

559
Views
0
Helpful
0
Replies