I have an ASA 5510 connecting multiple networks to a DSL modem. Two of these networks use Kerberos for authentication. Authentication works on both networks except for one user - me. I have the same logon name on both AD domains (they are completely separate domains) and when I try to authenticate, it fails. I tried testing the servers in ASDM and authentication works for other users, just not my account. I tried setting up a user account with a logon name exactly the same as mine but with one letter changed and gave that user the exact same group memberships as me and that test account works.
To further diagnose this problem, I put a packet sniffer on the authentication servers. The authentication process is as follows:
1. The ASA sends an authentication request UDP packet
2. The AD server responds with a request for preauthorization UDP packet
3. The ASA sends a preauthorization request UDP packet
4. The server responds with Kerberos code 52 which is a "response too big" error UDP packet
No further messages are sent.
For every other user, two UDP packets - fragments - are sent back containing the Kerberos ticket instead of the error code 52 message.
Has anyone seen this problem before and do they know how to fix it?
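Kerberos error code 52 is KRB_ERR_RESPONSE_TOO_BIG (RFC 4120 section 7.5.9): the KDC sends it when the reply it would have to send (the AS-REP carrying the ticket) does not fit in what it is willing to return over UDP, and section 7.2.1 requires the client to retry the same request over TCP. A client that stops after the UDP error, as the ASA does in the trace described above, will never get a ticket for that user. The script below is an added example, not part of the original post: it decodes a KRB-ERROR message with a small hand-written DER walker, and then runs over a constructed trace to list clients that received error 52 over UDP and never opened a TCP session to the KDC. The realm, addresses, and messages in `SAMPLE_TRACE` are constructed, not taken from a real capture; the encoder functions exist only to build those samples.

```python
"""Decode Kerberos KRB-ERROR messages (RFC 4120 section 5.9.1) with a minimal DER
walker and flag clients that received KRB_ERR_RESPONSE_TOO_BIG over UDP without
retrying over TCP. Sample messages and addresses are constructed for this example."""

KRB_ERROR_MSG_TYPE = 30
KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120 section 7.5.9: response too big for UDP, retry with TCP


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag_byte, tag_number, value, next_pos)."""
    tag_byte = buf[pos]
    pos += 1
    tag_number = tag_byte & 0x1F
    if tag_number == 0x1F:  # high-tag-number form: base-128 continuation bytes
        tag_number = 0
        while True:
            b = buf[pos]
            pos += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag_byte, tag_number, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag_byte, tag_number, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag_byte, tag_number, child, pos = _read_tlv(value, pos)
        yield tag_byte, tag_number, child


def _principal_name(value):
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }."""
    parts = {ctx: wrapped for _, ctx, wrapped in _children(value)}
    _, _, names, _ = _read_tlv(parts[1], 0)
    return "/".join(s.decode("ascii") for _, _, s in _children(names))


def parse_krb_error(data):
    """Return msg-type, error-code, realm and sname from a DER-encoded KRB-ERROR."""
    tag_byte, tag_number, body, _ = _read_tlv(data, 0)
    if (tag_byte & 0xC0) != 0x40 or tag_number != 30:  # [APPLICATION 30]
        raise ValueError("not a KRB-ERROR message")
    seq_tag, _, seq, _ = _read_tlv(body, 0)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    fields = {}
    for tag_byte, ctx, wrapped in _children(seq):
        if (tag_byte & 0xC0) != 0x80:
            raise ValueError("expected a context-specific tag")
        inner_tag, _, inner, _ = _read_tlv(wrapped, 0)
        fields[ctx] = (inner_tag, inner)

    def integer(ctx):
        inner_tag, inner = fields[ctx]
        if inner_tag != 0x02:
            raise ValueError("field [%d] is not an INTEGER" % ctx)
        return int.from_bytes(inner, "big", signed=True)

    return {
        "msg_type": integer(1),
        "error_code": integer(6),
        "realm": fields[9][1].decode("ascii"),
        "sname": _principal_name(fields[10][1]),
    }


# --- tiny DER encoder, used only to build the constructed sample messages ----
def _tlv(tag, content):
    length = bytes([len(content)]) if len(content) < 0x80 else bytes([0x81, len(content)])
    return bytes([tag]) + length + content


def _ctx(n, inner):
    return _tlv(0xA0 | n, inner)


def _int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _gstring(s):
    return _tlv(0x1B, s.encode("ascii"))  # GeneralString, as KerberosString is encoded


def build_krb_error(error_code, realm, stime="20240101120000Z"):
    """Constructed KRB-ERROR for krbtgt/REALM carrying only the mandatory fields."""
    sname = _tlv(0x30, _ctx(0, _int(2)) + _ctx(1, _tlv(0x30, _gstring("krbtgt") + _gstring(realm))))
    body = (_ctx(0, _int(5)) + _ctx(1, _int(KRB_ERROR_MSG_TYPE))
            + _ctx(4, _tlv(0x18, stime.encode("ascii"))) + _ctx(5, _int(0))
            + _ctx(6, _int(error_code)) + _ctx(9, _gstring(realm)) + _ctx(10, sname))
    return _tlv(0x7E, _tlv(0x30, body))  # 0x7E = [APPLICATION 30], constructed


# Constructed trace: (client, transport, sender, payload). 192.0.2.10 stands in for the
# firewall that stops after the UDP error; 192.0.2.20 retries over TCP as RFC 4120 requires.
SAMPLE_TRACE = [
    ("192.0.2.10", "udp", "kdc", build_krb_error(KRB_ERR_RESPONSE_TOO_BIG, "EXAMPLE.COM")),
    ("192.0.2.20", "udp", "kdc", build_krb_error(KRB_ERR_RESPONSE_TOO_BIG, "EXAMPLE.COM")),
    ("192.0.2.20", "tcp", "client", None),
    ("192.0.2.30", "udp", "kdc", build_krb_error(25, "EXAMPLE.COM")),  # 25 = KDC_ERR_PREAUTH_REQUIRED, normal
]


def clients_stuck_on_udp(trace):
    """Clients that received error 52 over UDP and never opened a TCP session to the KDC."""
    too_big, retried = set(), set()
    for client, transport, sender, payload in trace:
        if sender == "kdc" and payload and payload[0] == 0x7E:
            if transport == "udp" and parse_krb_error(payload)["error_code"] == KRB_ERR_RESPONSE_TOO_BIG:
                too_big.add(client)
        elif sender == "client" and transport == "tcp":
            retried.add(client)
    return sorted(too_big - retried)


if __name__ == "__main__":
    print(clients_stuck_on_udp(SAMPLE_TRACE))  # ['192.0.2.10']
```

Against a real capture you would feed `clients_stuck_on_udp` the Kerberos payloads from port 88 with the client address, transport, and direction; any client that appears in the result is one whose AS exchange can never complete for users with a large reply, which matches the failure pattern in the post.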