JAVASEC - Using Java client with Windows 2003 AD with mixedcase PrincipalNames

Seema Malkani Seema.Malkani at Sun.COM
Fri Dec 3 15:08:01 EST 2004


Sun's implementation of Java GSS/Kerberos currently supports 
PA-ENC-TIMESTAMP as per RFC 1510. The new pre-authentication types 
specified in the Kerberos clarifications provide additional 
pre-authentication. Support for these new pre-authentication types 
PA-ETYPE-INFO and PA-ETYPE-INFO2 will be available in a future J2SE release.

However, if you specify the etype correctly, you should not get the 
pre-authentication error. You can specify the default encryption types 
used by the Java client in the Kerberos configuration file.

[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes   = des-cbc-md5 des-cbc-crc des3-cbc-sha1

In addition, Windows allows you to disable pre-authentication by selecting 
"do not require Kerberos pre-authentication" in the AD account settings.

Seema
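The point above is that an AS-REQ with PA-ENC-TIMESTAMP only works when the client offers an enctype the KDC actually holds a key for on that account; when the lists do not overlap, the failure surfaces as a pre-authentication error. The following is an added example, not code from the post or from Sun's Java implementation: a small Python checker that reads the [libdefaults] enctype lines from a krb5.conf and compares them with a list of enctypes assumed to be present on the AD account. The krb5.conf text and the account enctype lists are constructed for the example, and the overlap rule is a simplified model of KDC behaviour (real KDC policy can reject enctypes for other reasons). It also flags the single-DES enctypes, which RFC 6649 has since deprecated, so that an administrator copying the 2004 configuration notices them.

```python
"""
Added example (not from the original mailing-list post): parse the
[libdefaults] enctype settings from a krb5.conf and check whether the
enctypes the client offers overlap with the enctypes an account has keys
for.  No overlap means the client cannot produce a usable
PA-ENC-TIMESTAMP, which shows up as a pre-authentication failure.
"""
import re

# Constructed krb5.conf fragment, shaped like the one in the post.
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
    permitted_enctypes   = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Single-DES enctypes deprecated for Kerberos by RFC 6649.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}


def parse_libdefaults(conf_text):
    """Return the [libdefaults] settings as a dict.

    Enctype keys are split into ordered lists (order is the client's
    preference order); other values are kept as strings.  Other sections
    of the file are ignored.
    """
    settings = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        settings[key] = value.split() if key in ENCTYPE_KEYS else value
    return settings


def check_enctype_overlap(conf_text, account_enctypes):
    """Compare the client's offered enctypes with the account's key enctypes.

    account_enctypes is an assumed list of enctypes the KDC holds keys for
    on the target account.  Returns the usable enctypes in client preference
    order, the weak enctypes the client offers, and whether AS-REQ
    pre-authentication would fail for lack of any common enctype.
    """
    settings = parse_libdefaults(conf_text)
    offered = settings.get("default_tkt_enctypes", [])
    permitted = set(settings.get("permitted_enctypes", offered))
    have_keys = set(account_enctypes)
    usable = [e for e in offered if e in permitted and e in have_keys]
    return {
        "usable": usable,
        "weak_offered": sorted(e for e in offered if e in WEAK_ENCTYPES),
        "preauth_would_fail": not usable,
    }


if __name__ == "__main__":
    # Constructed account key sets: one with no DES key, one with a DES key.
    for keys in (["rc4-hmac"], ["des-cbc-md5", "rc4-hmac"]):
        result = check_enctype_overlap(KRB5_CONF, keys)
        print(f"account keys {keys}: usable={result['usable']} "
              f"weak_offered={result['weak_offered']} "
              f"preauth_would_fail={result['preauth_would_fail']}")
```

Run it directly to see both outcomes: with an account that has only an RC4 key the configuration from the post yields no usable enctype (the pre-authentication failure case), while adding a DES key makes des-cbc-md5 usable but still reports the DES enctypes as weak.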

Douglas E. Engert wrote:

>
>
> Sam Hartman wrote:
>
>> All these issues have been discussed on the ietf-krb-wg list although
>> never quite in the same place.
>>
>> Java is wrong in how it handles preauth; the advice in my preauth
>> draft would be a better approach.
>
>
> I agree it is wrong. What I would like to see is the Java people
> admit this and fix it and work in the krb-wg too.
>
>>
>> AD is stretching clarifications significantly in how it handles case
>> of principal names.  However it's much more usable than what other
>> implementations do.  There was a long and heated discussion between
>> Martin Rex and people at Microsoft over this issue.
>
>
> Somehow I miss that point. Hopefully the explanation I put together
> will get the Java people to do something about the preauth.
>
>
>>
>> --Sam
>>
>