Kerberos UDP vs TCP

TheMSsForum.com: The Microsoft Software Forum

Hi everybody
I'm facing some problems with Kerberos authentication using UDP protocol.
As suggested by Microsoft using TCP protocol the problem has been solved
instead.

Questions:
Why Microsoft uses UDP by default if there are authentication problems?
What would be the global impact on the network (WAN) using Kerberos
authentication through TCP? Would it be a suitable solution?

Any help really appreciated.
Top

Re: Kerberos UDP vs TCP by Gary

Gary
Tue Nov 14 10:51:59 CST 2006

Hi Paolo

The main reason for using UDP by default is that it's lightweight compared
to TCP. Also the fact most LAN networks are reliable and UDP traffic will
normally make it through without any problems.

UDP starts having problem if the network is not reliable, i.e. busy network,
slow links, or has packet loss. The advantage of using TCP is that it uses
acknowledged delivery. The downside is the protocol overhead to support
acknowledgement mechanism, this increase the amount of traffic that is
transmitted.

One of the problem I've have seen in the past with WAN connection is VPN or
encryption over head, this reduces the overall packet size. The UDP
transmissions don't take into account reduced window size and as a result
packets can be lost. When using TCP both ends agree the max window size,
preventing packet loss.

Overall the impact on the network is an increase in traffic, however, you do
get guaranteed delivery!

Hope his helps
Gary.



"paolo valsecchi" <paolovalsecchi@discussions.microsoft.com> wrote in
message news:AB16D9B0-A2DA-48C0-8015-ADF6022D6FD2@microsoft.com...
> Hi everybody
> I'm facing some problems with Kerberos authentication using UDP protocol.
> As suggested by Microsoft using TCP protocol the problem has been solved
> instead.
>
> Questions:
> Why Microsoft uses UDP by default if there are authentication problems?
> What would be the global impact on the network (WAN) using Kerberos
> authentication through TCP? Would it be a suitable solution?
>
> Any help really appreciated.
>


Top

Re: Kerberos UDP vs TCP by Paul

Paul
Tue Nov 14 17:18:26 CST 2006

Kerberos is supposed to automatically switch to TCP if its message size
exceeds what UDP can handle. Kerberos messages get large when PAC data is
included in tickets (which seems to be most of the time now). There is so
little difference in overhead using TCP, that you don't notice it.

Kerberos is one of the few protocols that still uses UDP - most everything
else uses TCP. Because of this, using Kerberos over TCP should always work
correctly.

Paul Nelson
Thursby Software Systems, Inc.

in article AB16D9B0-A2DA-48C0-8015-ADF6022D6FD2@microsoft.com, paolo
valsecchi at paolovalsecchi@discussions.microsoft.com wrote on 11/14/06 3:18
AM:

> Hi everybody
> I'm facing some problems with Kerberos authentication using UDP protocol.
> As suggested by Microsoft using TCP protocol the problem has been solved
> instead.
>
> Questions:
> Why Microsoft uses UDP by default if there are authentication problems?
> What would be the global impact on the network (WAN) using Kerberos
> authentication through TCP? Would it be a suitable solution?
>
> Any help really appreciated.
>

Top

Re: Kerberos UDP vs TCP by Joe

Joe
Tue Nov 14 23:06:52 CST 2006

Various network devices and improperly configured network cards are what
I most often see screwing up the UDP packet delivery. I have had to use
TCP to troubleshoot but it was always to help identify that some network
component was screwing up.

UDP is used initially because that is the standard. It generally works
just fine, in the hundreds of networks I have experienced first hand and
thousands I have dealt with second/third hand the number of times I have
seen UDP issues is less than 15.

TCP does add a good amount of overhead and I would recommend doing a
network impact study before considering switching whole hog to TCP.
Actually I would say go find why UDP isn't working, it will take some
time with a sniffer to find out what device is throwing out the packets.
but once you determine that you can investigate it and correct it. This
can usually, in my experience, be fixed by correcting configurations or
updating firmwares of various network devices.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


paolo valsecchi wrote:
> Hi everybody
> I'm facing some problems with Kerberos authentication using UDP protocol.
> As suggested by Microsoft using TCP protocol the problem has been solved
> instead.
>
> Questions:
> Why Microsoft uses UDP by default if there are authentication problems?
> What would be the global impact on the network (WAN) using Kerberos
> authentication through TCP? Would it be a suitable solution?
>
> Any help really appreciated.
>
Top