The Linux VDA Fails to Register with the Delivery Controller due to the Kerberos Failure “RESPONSE_TOO_BIG”

Article ID: CTX221806

Description

This article describes how to fix the registration issue caused by the Kerberos failure “RESPONSE_TOO_BIG.”
 


Instructions

When you install your Active Directory (AD) domain controller and Linux VDA virtual machines on Azure, a registration issue might occur. An error message similar to the following appears:
2016-11-14 16:33:58.259 [ERROR] - LdapPrivilegedAction.Run: Unable to establish initial directory context and search LDAP server 'ldap://xxxxx.local:389' for computer characteristics. Error: GSSAPI.
 
If you capture network packets on your AD domain controller, the Kerberos failure “RESPONSE_TOO_BIG” appears in the capture. Kerberos authentication uses UDP by default, but Kerberos can use TCP instead if the messages are too big for the UDP payload. One way to fix the registration issue is to change the Kerberos settings on the Linux VDA and force the Linux VDA virtual machines to use TCP for authentication.

Modify the /etc/krb5.conf file on your Linux VDA virtual machines by adding the following line to the [libdefaults] section:
udp_preference_limit = 10
Restart the ctxvda service.
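
The edit above can be applied idempotently so that repeated runs leave exactly one udp_preference_limit line in [libdefaults] and leave other sections untouched. This is an added example, not part of the Citrix article; the function names ensure_udp_limit and get_udp_limit are hypothetical.

```shell
#!/bin/sh
# Added example, not Citrix code. Function names are hypothetical.

# Print the udp_preference_limit set in [libdefaults]; prints nothing if unset.
get_udp_limit() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*udp_preference_limit[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# ensure_udp_limit FILE [VALUE]: set the key in [libdefaults] exactly once.
# VALUE defaults to 10, the value given in the article.
ensure_udp_limit() {
    conf=$1
    limit=${2:-10}
    tmp=$(mktemp) || return 1
    awk -v limit="$limit" '
        function emit() { print "    udp_preference_limit = " limit; added = 1 }
        # Any section header: write the key directly under [libdefaults].
        /^[ \t]*\[/ {
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/)
            print
            if (in_lib && !added) emit()
            next
        }
        # Drop older values of the key, but only inside [libdefaults].
        in_lib && /^[ \t]*udp_preference_limit[ \t]*=/ { next }
        { print }
        # No [libdefaults] section at all: append one.
        END { if (!added) { print "[libdefaults]"; emit() } }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back through the existing file so owner and mode are preserved.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage on a Linux VDA (as root), followed by the ctxvda restart from the article:
#   ensure_udp_limit /etc/krb5.conf && get_udp_limit /etc/krb5.conf
```

Back up /etc/krb5.conf before running this against the live file.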