IBM Java 1.4.2 Kerberos over TCP

Douglas E. Engert deengert at anl.gov
Fri Dec 3 07:46:09 EST 2004



Seema Malkani wrote:
> Following up on this email..
> (this apparently got filtered with MIT alias)
> 

Can you answer the other question in the user's original question?
He needs both TCP and RC4/HMAC. When will the Sun Java support
RC4/HMAC for better compatibility with Windows?



> Java GSS/Kerberos does support TCP
> ----------------------------
> Sun's implementation of Java Kerberos now supports automatic fallback to 
> TCP. Therefore, if the Kerberos ticket request using UDP fails and the 
> KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, TCP is 
> automatically the default transport.
> 
> For Java GSS/Kerberos features available since J2SE1.4.2, please refer to:
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html
> 
> For latest Java GSS/Kerberos features in J2SE 1.5.0, please refer to:
> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html
> 
> Seema
> 
> Douglas E. Engert wrote:
> 
>>
>>
>> Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:
>>
>>> Hello, I am trying to connect to an AD 2003 server, and am 
>>> encountering the
>>> following error
>>> com.ibm.security.jgss.i18n.exception.KRBResponseTooBigError
>>>
>>> After doing some research, I have found this is related to a problem 
>>> which
>>> occurs when a UDP packet is too large. UDP seems to be the only 
>>> connection
>>> protocol supported in IBM's implementation of the Kerberos/JAAS
>>> authentication schemes, could you please verify this information? It 
>>> would
>>> be very helpful if there were a way to connect to an AD controller 
>>> via TCP.
>>> I have already tried adding the line  udp_preference_limit = 1 to my
>>> krb5.conf file, and it seems to be ignored by the IBM implementation. I
>>> would use the Sun implementation which does now support TCP, but that
>>> solution is also equally filled with problems for me as it does not 
>>> support
>>> the RC4/HMAC encryption scheme that my current situation is forcing 
>>> me to
>>> use. Thanks in advance for any help you can provide. 
>>
>>
>>
>> Another option: If the failure is in trying to get a service ticket 
>> and the service
>> does not need the PAC (authorizaiton data added to a ticket that is 
>> used only
>> by MS applications) then you could mark the service principal so that 
>> a PAC
>> is not added to the ticket, and thus the ticket will be small and work 
>> with UDP.
>>
>> See http://support.microsoft.com/?kbid=832572
>>
>> But the Java should support TCP. The IETF IESG approved on Friday the 
>> replacement
>> for RFC-1510. It is awaiting an RFC number.
>> draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is required.
>>
>>
>>
>>
>>>
>>>  
>>> Daniel E. Pittman, Jr
>>> 96 CG/SCTOA
>>> Phone: (850) 882-5498
>>>  
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>>
>>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
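The fallback Seema describes (UDP first, then TCP when the KDC answers with KRB_ERR_RESPONSE_TOO_BIG) and the udp_preference_limit knob Daniel tried are easy to misread, so here is a small self-contained model of both. This is an added example for this list archive, not code from Sun's or IBM's Kerberos implementation. It assumes the wire values from RFC 4120 (the successor to RFC 1510 mentioned above): error-code 52 for KRB_ERR_RESPONSE_TOO_BIG, KRB-ERROR as ASN.1 APPLICATION tag 30, and the 4-byte big-endian length prefix used for Kerberos over TCP. The default of 1465 bytes for udp_preference_limit is MIT krb5's documented default and is an assumption here; the "KDC" is a constructed stand-in that refuses to send large replies over UDP, and the KRB-ERROR it emits is built with a minimal hand-rolled DER encoder.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52   # RFC 4120 7.5.9: "Response too big for UDP, retry with TCP"
APP_AS_REQ, APP_AS_REP, APP_KRB_ERROR = 0x6a, 0x6b, 0x7e   # [APPLICATION 10/11/30], constructed


# --- minimal DER helpers (enough for a KRB-ERROR, not a general encoder) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):                       # non-negative integers only (assumption)
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def ctx(n, content):                  # explicit context tag [n]
    return tlv(0xa0 | n, content)

def read_tlv(buf, pos):
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_krb_error(error_code, realm="EXAMPLE.COM"):
    """Constructed KRB-ERROR with the fields RFC 4120 makes mandatory."""
    sname = tlv(0x30, ctx(0, der_int(2)) +
                ctx(1, tlv(0x30, tlv(0x1b, b"krbtgt") + tlv(0x1b, realm.encode()))))
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30)) +
            ctx(4, tlv(0x18, b"20041203124609Z")) + ctx(5, der_int(0)) +
            ctx(6, der_int(error_code)) + ctx(9, tlv(0x1b, realm.encode())) + ctx(10, sname))
    return tlv(APP_KRB_ERROR, tlv(0x30, body))


def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None if msg is some other message."""
    if not msg or msg[0] != APP_KRB_ERROR:
        return None
    _, inner, _ = read_tlv(msg, 0)
    tag, body, _ = read_tlv(inner, 0)
    if tag != 0x30:
        return None
    pos = 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag == 0xa6:                                   # [6] error-code
            itag, ival, _ = read_tlv(content, 0)
            if itag == 0x02:
                return int.from_bytes(ival, "big", signed=True)
    return None


# --- transport rules ---
def choose_initial_transport(request_len, udp_preference_limit=1465):
    """krb5.conf udp_preference_limit: requests larger than it go over TCP first."""
    return "tcp" if request_len > udp_preference_limit else "udp"

def next_transport(current, response):
    """After a UDP exchange, switch to TCP when the KDC says the reply is too big."""
    if current == "udp" and krb_error_code(response) == KRB_ERR_RESPONSE_TOO_BIG:
        return "tcp"
    return current

def frame_for_tcp(msg):               # RFC 4120 7.2.2: 4-byte big-endian length, high bit zero
    return struct.pack(">I", len(msg)) + msg

def unframe_from_tcp(wire):
    (length,) = struct.unpack(">I", wire[:4])
    if length & 0x80000000:
        raise ValueError("reserved high bit set in TCP length prefix")
    return wire[4:4 + length]


def simulate_kdc(transport, wire, reply_size, max_udp_reply=1465):
    """Constructed stand-in for a KDC: over UDP it refuses replies larger than max_udp_reply."""
    request = unframe_from_tcp(wire) if transport == "tcp" else wire
    if request[0] != APP_AS_REQ:
        raise ValueError("expected an AS-REQ")
    if transport == "udp" and reply_size > max_udp_reply:
        return build_krb_error(KRB_ERR_RESPONSE_TOO_BIG)
    reply = bytes([APP_AS_REP]) + bytes(reply_size - 1)   # fake AS-REP padded to reply_size
    return frame_for_tcp(reply) if transport == "tcp" else reply


def obtain_ticket(request, reply_size, udp_preference_limit=1465, max_udp_reply=1465):
    """Run the client side of the exchange; returns (transports used, final reply)."""
    transport, used = choose_initial_transport(len(request), udp_preference_limit), []
    while True:
        used.append(transport)
        wire = frame_for_tcp(request) if transport == "tcp" else request
        reply = simulate_kdc(transport, wire, reply_size, max_udp_reply)
        if transport == "tcp":
            reply = unframe_from_tcp(reply)
        following = next_transport(transport, reply)
        if following == transport:
            return used, reply
        transport = following


if __name__ == "__main__":
    req = bytes([APP_AS_REQ]) + bytes(300)                # constructed AS-REQ stand-in
    print(obtain_ticket(req, reply_size=3000)[0])          # PAC-sized reply: UDP, then TCP
    print(obtain_ticket(req, reply_size=3000, udp_preference_limit=1)[0])  # TCP straight away
```

The two knobs in the thread map onto two different functions: udp_preference_limit only affects the first attempt (it is keyed on the size of the request, which is why it cannot help a client whose implementation never does TCP at all), while the KRB_ERR_RESPONSE_TOO_BIG retry is keyed on the reply and is what an AD KDC relies on when the PAC pushes a TGT past UDP size.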
