IBM Java 1.4.2 Kerberos over TCP

Seema Malkani Seema.Malkani at Sun.COM
Fri Dec 3 02:58:01 EST 2004


Following up on this email..
(this apparently got filtered with MIT alias)

Java GSS/Kerberos does support TCP
----------------------------
Sun's implementation of Java Kerberos now supports automatic fallback to
TCP. Therefore, if the Kerberos ticket request using UDP fails and the
KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, TCP is
automatically the default transport.

For Java GSS/Kerberos features available since J2SE1.4.2, please refer to:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html

For latest Java GSS/Kerberos features in J2SE 1.5.0, please refer to:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html

Seema

Douglas E. Engert wrote:

>
> Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:
>
>> Hello, I am trying to connect to an AD 2003 server, and am encountering
>> the following error
>> com.ibm.security.jgss.i18n.exception.KRBResponseTooBigError
>>
>> After doing some research, I have found this is related to a problem
>> which occurs when a UDP packet is too large. UDP seems to be the only
>> connection protocol supported in IBM's implementation of the
>> Kerberos/JAAS authentication schemes, could you please verify this
>> information? It would be very helpful if there were a way to connect to
>> an AD controller via TCP.
>> I have already tried adding the line udp_preference_limit = 1 to my
>> krb5.conf file, and it seems to be ignored by the IBM implementation. I
>> would use the Sun implementation which does now support TCP, but that
>> solution is also equally filled with problems for me as it does not
>> support the RC4/HMAC encryption scheme that my current situation is
>> forcing me to use. Thanks in advance for any help you can provide.
>
>
> Another option: If the failure is in trying to get a service ticket and
> the service does not need the PAC (authorization data added to a ticket
> that is used only by MS applications) then you could mark the service
> principal so that a PAC is not added to the ticket, and thus the ticket
> will be small and work with UDP.
>
> See http://support.microsoft.com/?kbid=832572
>
> But the Java should support TCP. The IETF IESG approved on Friday the
> replacement for RFC-1510. It is awaiting an RFC number.
> draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is required.
>
>>
>>  
>> Daniel E. Pittman, Jr
>> 96 CG/SCTOA
>> Phone: (850) 882-5498
>>  