By default, Kerberos authentication sends requests over UDP first. In environments where Kerberos requests cross WAN links, a dropped UDP packet makes the client wait for the UDP timeout before it retries over TCP, which shows up as an unnecessary login delay.
This also applies when it is known that most authentications will need TCP anyway: a user who is a member of many Active Directory groups (roughly 120 is the commonly cited threshold) gets a ticket whose authorization data is too large for a UDP reply, so the KDC answers with KRB_ERR_RESPONSE_TOO_BIG and the client has to repeat the request over TCP.
Sending TCP from the start saves the initial UDP request and the "try again over TCP" response from Active Directory (AD).
If you have enabled debug logging you may find the following in the logs:
2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: requesting IP address for dc.example.com
2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: Sending to dc.example.com
2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: Connecting to dc.example.com, fd=3, socktype=SOCK_STREAM, port=88
2011-08-03 10:19:10 [debug] (3456356) send_and_recv_udp: Sending 314 bytes via UDP
2011-08-03 10:19:10 [debug] (3456356) send_and_recv_udp: Receiving data via UDP with 3 timeout
2011-08-03 10:19:13 [debug] (3456356) send_and_recv_udp: Received 0 bytes via UDP
2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: requesting IP address for dc.example.com
2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: Sending to dc.example.com
2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: Connecting to dc.example.com, fd=3, socktype=SOCK_STREAM, port=88
2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: Sending via TCP
2011-08-01 10:19:13 [debug] (3456356) send_and_recv_tcp: Sending 314 bytes via TCP
2011-08-01 10:19:13 [debug] (3456356) send_and_recv_tcp: Receiving data via TCP with 9 timeout
2011-08-01 10:19:14 [debug] (3456356) send_and_recv_tcp: Receiving data via TCP with 9 timeout
2011-08-01 10:19:14 [debug] (3456356) send_and_recv_tcp: Received 1360 bytes via TCP
2011-08-01 10:19:14 [debug] (3456356) _libvas_sendto_criteria: Setting use-tcp-only for lifetime of context!
Notice the last line, "_libvas_sendto_criteria: Setting use-tcp-only for lifetime of context!". It indicates that the UDP request got no reply within the 3 second timeout, either because UDP traffic was blocked or because the response was too big to be returned over UDP, and libvas switched itself to TCP for the rest of that process. When this appears regularly it is recommended to enable use-tcp-only permanently.
Run the following to use TCP for all Kerberos traffic:
# vastool configure vas libvas use-tcp-only true
In environments where administrators know that all users are members of many groups and TCP failover will always result, setting this option to true avoids the wasted UDP round trip on every authentication.
Note: as of 4.0.3.x, use-tcp-only defaults to true.
use-tcp-only = <true | false>
By default, Kerberos traffic will be sent using TCP connections. This provides the greatest reliability and is suitable for all environments.
In highly reliable environments where the extra overhead of TCP is a concern, this option may be disabled, in which case Kerberos traffic will use UDP first, with TCP as a fallback. Disabling this option runs the risk of visible delay when one or more servers are unreachable or when network congestion results in dropped packets.
The following example sets the QAS API to prefer UDP for Kerberos operations, while maintaining TCP as a fallback:
[libvas]
use-tcp-only = false
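The following script is an added example, not part of this article or of the vastool product. It automates the check described above: it scans a vastool debug log for the UDP timeout and runtime "Setting use-tcp-only" messages, reads the effective use-tcp-only value from the [libvas] section of a vas.conf body, and prints the vastool configure command when the option is still unset. The log lines and configuration fragments are constructed for the example; the vas.conf path in the trailing comment is an assumption.

```shell
#!/bin/sh
# Added example (not Quest/One Identity code): detect Kerberos UDP-to-TCP
# fallbacks in a vastool debug log and check the use-tcp-only setting.
# All input below is constructed for the example.

# Constructed sample of the debug output: one UDP timeout, then a TCP retry.
SAMPLE_LOG='2011-08-01 10:19:13 [debug] (3456356) _send_and_recv_srvinfo: Sending to dc.example.com
2011-08-01 10:19:10 [debug] (3456356) send_and_recv_udp: Sending 314 bytes via UDP
2011-08-01 10:19:10 [debug] (3456356) send_and_recv_udp: Receiving data via UDP with 3 timeout
2011-08-01 10:19:13 [debug] (3456356) send_and_recv_udp: Received 0 bytes via UDP
2011-08-01 10:19:13 [debug] (3456356) send_and_recv_tcp: Sending 314 bytes via TCP
2011-08-01 10:19:14 [debug] (3456356) send_and_recv_tcp: Received 1360 bytes via TCP
2011-08-01 10:19:14 [debug] (3456356) _libvas_sendto_criteria: Setting use-tcp-only for lifetime of context!'

# Constructed vas.conf bodies: one without the option, one with it enabled.
CONF_DEFAULT='[vasd]
workstation-mode = false

[libvas]
use-dns-srv = true'

CONF_TCP_ONLY='[libvas]
use-dns-srv = true
use-tcp-only = true'

# Number of UDP requests that got no reply before the timeout expired; this is
# the signature of a blocked UDP reply or one too large to fit in a datagram.
udp_timeouts() {
    printf '%s\n' "$1" | grep -c 'send_and_recv_udp: Received 0 bytes via UDP' || true
}

# 1 if libvas switched itself to TCP for the lifetime of the process, else 0.
tcp_forced_at_runtime() {
    if printf '%s\n' "$1" | grep -q 'Setting use-tcp-only for lifetime of context'; then
        echo 1
    else
        echo 0
    fi
}

# Effective use-tcp-only value from the [libvas] section only (a key with the
# same name under another section is ignored); prints "unset" when absent.
tcp_only_setting() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_libvas = ($0 == "[libvas]"); next }
        in_libvas && /^[ \t]*use-tcp-only[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print tolower($0); found = 1
        }
        END { if (!found) print "unset" }'
}

# Combine the two checks into a single recommendation.
recommend() {
    log="$1"
    conf="$2"
    if [ "$(tcp_only_setting "$conf")" = "true" ]; then
        echo "ok: use-tcp-only already true"
    elif [ "$(udp_timeouts "$log")" -gt 0 ] || [ "$(tcp_forced_at_runtime "$log")" -eq 1 ]; then
        echo "recommend: vastool configure vas libvas use-tcp-only true"
    else
        echo "ok: no UDP fallback observed"
    fi
}

recommend "$SAMPLE_LOG" "$CONF_DEFAULT"
recommend "$SAMPLE_LOG" "$CONF_TCP_ONLY"

# On a real host (assumed paths, adjust to your install):
#   recommend "$(cat /tmp/vas-debug.log)" "$(cat /etc/opt/quest/vas/vas.conf)"
```

The log parsing keys on the two messages that matter for this decision: a zero-byte UDP receive after the timeout, and libvas announcing that it has switched to TCP on its own. Either one means the UDP round trip was wasted; the second also confirms that the process recovered over TCP, so enabling use-tcp-only changes only the first hop, not the outcome.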