Large tickets with jdk 1.4 error code 52
wyllys.ingersoll at sun.com
Wed Dec 4 14:57:08 EST 2002
Derek Ireland wrote:
>On Tue, 03 Dec 2002 09:30:24 +0000, Varun Garg wrote:
>>I am using Kerberos JAAs authentication and I am getting an error for
>>some user ids which have large tickets, basically on a default the
>>java api is using UDP and the ticket exceeds the max size. Is it
>>possible to configure the api to use TCP and not UDP.
>The SUN implementation does not support TCP. We (Wedgetail Communications)
>implement Kerberos for Java and have had to implement TCP support to
>get around this problem for some of our customers. This seems to
>be a common problem when using the Windows 2000 KDC, due to
>MS putting proprietary access control information into the tickets.
One possible workaround for this problem is to disable the use of
"preauthentication" for those accounts. This will cause the Active
Directory KDC to NOT append the authorization data that bloats
the tickets. If the Kerberized services are not running in Windows,
this is probably OK as they would not be able to make use of the
PAC data anyway. Or if they are custom apps in Windows that
do not need to do the authorization checks based on the PAC field,
then that would also work.
More information about the Kerberos