IBM Java 1.4.2 Kerberos over TCP

Douglas E. Engert deengert at anl.gov
Mon Oct 18 15:04:03 EDT 2004
Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:
> Hello, I am trying to connect to an AD 2003 server, and am encountering the
> following error 
> 
> com.ibm.security.jgss.i18n.exception.KRBResponseTooBigError
> 
> After doing some research, I have found this is related to a problem which
> occurs when a UDP packet is too large. UDP seems to be the only connection
> protocol supported in IBM's implementation of the Kerberos/JAAS
> authentication schemes, could you please verify this information? It would
> be very helpful if there were a way to connect to an AD controller via TCP.
> I have already tried adding the line  udp_preference_limit = 1 to my
> krb5.conf file, and it seems to be ignored by the IBM implementation. I
> would use the Sun implementation which does now support TCP, but that
> solution is also equally filled with problems for me as it does not support
> the RC4/HMAC encryption scheme that my current situation is forcing me to
> use. Thanks in advance for any help you can provide. 

Another option: If the failure is in trying to get a service ticket and the service
does not need the PAC (authorization data added to a ticket that is used only
by MS applications) then you could mark the service principal so that a PAC
is not added to the ticket, and thus the ticket will be small and work with UDP.

See http://support.microsoft.com/?kbid=832572

But the Java should support TCP. The IETF IESG approved on Friday the replacement
for RFC-1510. It is awaiting an RFC number.
draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is required.
> Daniel E. Pittman, Jr
> 96 CG/SCTOA
> Phone: (850) 882-5498
>  
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
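
Worked example, added by the editor and not part of either message above: a small Python model of the UDP-to-TCP fallback the thread is about. It models the MIT krb5 client rule for udp_preference_limit (a request no larger than the limit is tried over UDP first; a KRB-ERROR with error-code 52, KRB_ERR_RESPONSE_TOO_BIG, or a request above the limit, goes over TCP with the 4-octet length prefix of RFC 4120 section 7.2.2), not the IBM JGSS behaviour Daniel reports. The KDC (make_fake_kdc), the request and reply blobs (SAMPLE_REQUEST, PAC_SIZED_REPLY), the realm and the timestamp are constructed placeholders, and the KRB-ERROR encoder emits only the fields RFC 4120 makes mandatory; none of these names or values come from the original messages.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52      # RFC 4120 section 7.5.9
APP_KRB_ERROR = 0x60 | 30          # [APPLICATION 30] constructed tag = 0x7E

# --- minimal DER helpers, enough for KRB-ERROR without an ASN.1 library ---
def der(tag, body):
    """TLV with a DER length: short form below 128, long form otherwise."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):                    # INTEGER, minimal two's-complement content
    return der(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ctx(n, body):                  # context-specific constructed tag [n]
    return der(0xA0 | n, body)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def principal_name(*parts):        # name-type [0] (2 = NT-SRV-INST), name-string [1]
    names = der(0x30, b"".join(der(0x1B, p) for p in parts))
    return der(0x30, ctx(0, der_int(2)) + ctx(1, names))

def krb_error(code, realm=b"EXAMPLE.COM"):
    """KRB-ERROR with only the mandatory fields; realm and time are placeholders."""
    body = (ctx(0, der_int(5))                            # pvno
            + ctx(1, der_int(30))                         # msg-type KRB-ERROR
            + ctx(4, der(0x18, b"20041018190403Z"))       # stime
            + ctx(5, der_int(0))                          # susec
            + ctx(6, der_int(code))                       # error-code
            + ctx(9, der(0x1B, realm))                    # realm
            + ctx(10, principal_name(b"krbtgt", realm)))  # sname
    return der(APP_KRB_ERROR, der(0x30, body))

def krb_error_code(msg):
    """Return the error-code of a KRB-ERROR, or None if msg is not one."""
    if not msg or msg[0] != APP_KRB_ERROR:
        return None
    _, seq, _ = read_tlv(msg, 0)
    _, fields, _ = read_tlv(seq, 0)
    pos = 0
    while pos < len(fields):
        tag, val, pos = read_tlv(fields, pos)
        if tag == 0xA6:                                   # [6] error-code
            return int.from_bytes(read_tlv(val, 0)[1], "big", signed=True)
    return None

# --- TCP framing, RFC 4120 section 7.2.2 ---
def frame_tcp(msg):
    """4-octet big-endian length prefix; the high bit is reserved and must be 0."""
    if len(msg) >= 1 << 31:
        raise ValueError("message too long for KRB TCP framing")
    return struct.pack(">I", len(msg)) + msg

def unframe_tcp(stream):
    (ln,) = struct.unpack(">I", stream[:4])
    if ln & 0x80000000 or len(stream) - 4 < ln:
        raise ValueError("bad or truncated KRB TCP length prefix")
    return stream[4:4 + ln]

# --- client side, modelled on MIT krb5's udp_preference_limit ---
def kdc_exchange(request, udp_send, tcp_send, udp_preference_limit=1465):
    """UDP first when the request is within the limit (MIT default 1465);
    TCP when it is larger or the KDC answers KRB_ERR_RESPONSE_TOO_BIG.
    Returns (response, list of transports tried)."""
    tried = []
    if len(request) <= udp_preference_limit:
        tried.append("udp")
        reply = udp_send(request)
        if krb_error_code(reply) != KRB_ERR_RESPONSE_TOO_BIG:
            return reply, tried
    tried.append("tcp")
    return unframe_tcp(tcp_send(frame_tcp(request))), tried

# --- constructed stand-in for a KDC (hypothetical, for this demo only) ---
def make_fake_kdc(reply, udp_max=1465):
    """A reply above udp_max cannot go back over UDP, so the UDP side answers
    KRB_ERR_RESPONSE_TOO_BIG; the TCP side always delivers it."""
    def udp_send(req):
        return reply if len(reply) <= udp_max else krb_error(KRB_ERR_RESPONSE_TOO_BIG)
    def tcp_send(framed):
        unframe_tcp(framed)                               # validate the client's framing
        return frame_tcp(reply)
    return udp_send, tcp_send

# Constructed placeholders: a small TGS-REQ-sized request and a PAC-sized reply.
SAMPLE_REQUEST = b"\x6c" + bytes(300)
PAC_SIZED_REPLY = b"\x6d" + bytes(3000)

if __name__ == "__main__":
    udp, tcp = make_fake_kdc(PAC_SIZED_REPLY)
    print("default limit:", kdc_exchange(SAMPLE_REQUEST, udp, tcp)[1])          # ['udp', 'tcp']
    print("udp_preference_limit = 1:", kdc_exchange(SAMPLE_REQUEST, udp, tcp, 1)[1])  # ['tcp']
```

With the default limit the exchange shows what the poster is hitting: the UDP attempt comes back as KRB-ERROR 52 and only the TCP retry carries the PAC-sized reply. With udp_preference_limit = 1 the client never tries UDP for a request larger than one byte, which is the effect the krb5.conf line is meant to have; whether a given implementation honours the setting is exactly what the thread leaves open, and dropping the PAC (the KB article above) only helps where the service does not need that authorization data. The model does not cover MIT's further fallback to the other transport when the first one fails outright.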

