Applies to: Centrify DirectControl 4.0 to 4.1.1
Why does adjoin hang trying to set the machine password?
In DirectControl 2.x, machine password changes require UDP port 464.
In DirectControl 3.x, the Kerberos libraries (version 1.4.1) only support machine password changes over TCP port 464. This restriction was introduced because password changes were failing when very large PACs (from large group memberships) were sent over UDP.
In DirectControl 4.0 and 4.1.0, we adopted a patch by Todd Stretcher to Kerberos libraries version 1.4.3 that first attempts the machine password change over UDP, just like the rest of the Kerberos protocol exchanges, and fails over to TCP if a "response too big" error comes back. For this reason, UDP port 464 should also be open.
With DirectControl 4.0 or 4.1.0, both UDP port 464 and TCP port 464 should be open on the firewall to allow Kerberos-based authentication.
Fixed in DirectControl 4.1.2. In this version, by default, we configure Kerberos to use only TCP for all Kerberos-related protocols. This avoids problems with path MTU discovery causing fragmented UDP packets, and with routers that are configured to silently drop UDP packets beyond a configured size threshold. This option will be configurable for users who wish to revert to the UDP-first behavior with TCP fail-over.
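Before running adjoin, it helps to confirm which of the two transports a client can actually reach on the domain controller, since a firewall that silently drops UDP 464 produces exactly the hang described above. The following diagnostic is an added example, not Centrify's own tooling; the domain controller hostname is a placeholder and the one-byte UDP probe is constructed rather than a real kpasswd request.

```python
import socket
import sys

KPASSWD_PORT = 464  # Kerberos change/set-password (kpasswd) service


def tcp_port_open(host, port=KPASSWD_PORT, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False


def udp_port_state(host, port=KPASSWD_PORT, timeout=3.0, probe=b"\x00"):
    """Classify UDP reachability of host:port from this machine.

    'closed'         ICMP port-unreachable came back: nothing listens there
    'open'           a datagram came back
    'open|filtered'  silence: a firewall dropping UDP 464 and a listener that
                     ignores the probe look identical, which is why a UDP-first
                     kpasswd exchange hangs instead of failing fast
    'error'          name resolution or local socket failure
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))  # connected UDP socket surfaces ICMP errors
            sock.send(probe)            # constructed 1-byte probe, not a kpasswd message
            sock.recv(1024)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        except OSError:
            return "error"


def kpasswd_reachability(host, timeout=3.0):
    """TCP and UDP reachability of port 464 on one domain controller."""
    return {"tcp_464": tcp_port_open(host, timeout=timeout),
            "udp_464": udp_port_state(host, timeout=timeout)}


if __name__ == "__main__":
    # usage: python check_kpasswd.py dc1.example.com  (placeholder hostname)
    print(kpasswd_reachability(sys.argv[1]))
```

For 4.0 and 4.1.0 both results should come back reachable; for 4.1.2 the TCP result is the one that matters. The MIT Kerberos setting behind a TCP-only default is udp_preference_limit in the [libdefaults] section of krb5.conf (a value of 1 prefers TCP for every message); the Centrify-side parameter is not named on this page.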