Configuring Kerberos to Work over a Slow VPN Link

If you are using a slow VPN tunnel, be aware that Kerberos authentication can be a bit tricky. The reason is that Kerberos uses UDP by default, a connectionless protocol. Over a slow VPN or WAN link, the packets can arrive out of sequence. Unlike TCP, UDP will not reassemble the packets. Also, many VPN routers are configured to drop fragmented packets. This can also cause Kerberos authentication to fail.

To fix this problem, make sure that your router is set to allow fragmented packets over the VPN tunnel and change Kerberos to use TCP rather than UDP as its default transmission protocol.

To enable fragmented packet handling, you will need to consult your VPN router’s installation guide. Each router will be different, depending on the brand and model.

To force Kerberos to use TCP instead of UDP, open regedit and locate the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
Create a DWORD MaxPacketSize

Change the value to 1 and restart your server. Note: You must make this registry change on both the source and target Hyper V servers and you must allow fragmented packet handling on both ends of the VPN tunnel.


Leave a comment

Your email address will not be published. Required fields are marked *

error: Sorry, copy/paste is disabled
Skip to content