IBM Java 1.4.2 Kerberos over TCP

Seema Malkani Seema.Malkani at Sun.COM
Fri Dec 3 12:23:55 EST 2004


Currently Java GSS/Kerberos in J2SE 1.5.0 supports
Triple-DES and DES (des3-cbc-sha1-kd, des-cbc-md5, des-cbc-crc).
Support for AES (aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96)
and RC4-HMAC in Kerberos will be available in future J2SE release.

For now in order to interoperate with Windows, you will need to select
"use DES key" in your AD account settings.

*TCP vs UDP Preference Configuration*
Sun's implementation of Java Kerberos supports TCP vs UDP preference
configuration via the "udp_preference_limit" parameter. You need to setup
"udp_preference_limit" configuration parameter in the Kerberos configuration
file krb5.conf under [libdefaults] section, if you want your application 
to use
TCP. If not specified, Java Kerberos library will fallback to TCP only 
if the
Kerberos ticket request using UDP fails and the KDC returns the error 
code KRB_ERR_RESPONSE_TOO_BIG. For e.g. you can set
udp_preference_limit =1 to always use TCP.

Seema

Douglas E. Engert wrote:

>
>
> Seema Malkani wrote:
>
>> Following up on this email..
>> (this apparently got filtered with MIT alias)
>>
>
> Can you answer the other question in the user's orginal question?
> He needs both TCP and RC4/HMAC. When will the Sun Java support
> RC4/HMAC for better compatability with Windows?
>
>
>
>> Java GSS/Kerberos does support TCP
>> ----------------------------
>> Sun's implementation of Java Kerberos now supports automatic fallback 
>> to TCP. Therefore, if the Kerberos ticket request using UDP fails and 
>> the KDC returns the error code ||KRB_ERR_RESPONSE_TOO_BIG, TCP is 
>> automatically the default transport.
>>
>> For Java GSS/Kerberos features available since J2SE1.4.2, please 
>> refer to:
>> http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html 
>>
>>
>> For latest Java GSS/Kerberos features in J2SE 1.5.0, please refer to:
>> http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html
>>
>> Seema
>>
>> Douglas E. Engert wrote:
>>
>>>
>>>
>>> Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:
>>>
>>>> Hello, I am trying to connect to an AD 2003 server, and am 
>>>> encountering the
>>>> following error
>>>> com.ibm.security.jgss.i18n.exception.KRBResponseTooBigError
>>>>
>>>> After doing some research, I have found this is related to a 
>>>> problem which
>>>> occurs when a UDP packet is too large. UDP seems to be the only 
>>>> connection
>>>> protocol supported in IBM's implementation of the Kerberos/JAAS
>>>> authentication schemes, could you please verify this information? 
>>>> It would
>>>> be very helpful if there were a way to connect to an AD controller 
>>>> via TCP.
>>>> I have already tried adding the line  udp_preference_limit = 1 to my
>>>> krb5.conf file, and it seems to be ignored by the IBM 
>>>> implementation. I
>>>> would use the Sun implementation which does now support TCP, but that
>>>> solution is also equally filled with problems for me as it does not 
>>>> support
>>>> the RC4/HMAC encryption scheme that my current situation is forcing 
>>>> me to
>>>> use. Thanks in advance for any help you can provide. 
>>>
>>>
>>>
>>>
>>> Another option: If the failure is in trying to get a service ticket 
>>> and the service
>>> does not need the PAC (authorizaiton data added to a ticket that is 
>>> used only
>>> by MS applications) then you could mark the service principal so 
>>> that a PAC
>>> is not added to the ticket, and thus the ticket will be small and 
>>> work with UDP.
>>>
>>> See http://support.microsoft.com/?kbid=832572
>>>
>>> But the Java should support TCP. The IETF IESG approved on Friday 
>>> the replacement
>>> for RFC-1510. It is awaiting an RFC number.
>>> draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is 
>>> required.
>>>
>>>
>>>
>>>
>>>>
>>>>  
>>>> Daniel E. Pittman, Jr
>>>> 96 CG/SCTOA
>>>> Phone: (850) 882-5498
>>>>  
>>>> ________________________________________________
>>>> Kerberos mailing list           Kerberos at mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>>
>




More information about the Kerberos mailing list