IBM Java 1.4.2 Kerberos over TCP

Douglas E. Engert deengert at
Mon Oct 18 15:04:03 EDT 2004

Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:
> Hello, I am trying to connect to an AD 2003 server, and am encountering the
> following error 
> After doing some research, I have found this is related to a problem which
> occurs when a UDP packet is too large. UDP seems to be the only connection
> protocol supported in IBM's implementation of the Kerberos/JAAS
> authentication schemes, could you please verify this information? It would
> be very helpful if there were a way to connect to an AD controller via TCP.
> I have already tried adding the line  udp_preference_limit = 1 to my
> krb5.conf file, and it seems to be ignored by the IBM implementation. I
> would use the Sun implementation which does now support TCP, but that
> solution is also equally filled with problems for me as it does not support
> the RC4/HMAC encryption scheme that my current situation is forcing me to
> use. Thanks in advance for any help you can provide. 

Another option: If the failure is in trying to get a service ticket and the service
does not need the PAC (authorization data added to a ticket that is used only
by MS applications) then you could mark the service principal so that a PAC
is not added to the ticket, and thus the ticket will be small and work with UDP.


But the Java should support TCP. The IETF IESG approved on Friday the replacement
for RFC-1510. It is awaiting an RFC number.
draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is required.

> Daniel E. Pittman, Jr
> Phone: (850) 882-5498


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
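
Added example, not part of the original messages and not code from IBM, Sun or MIT: a Python sketch of the two mechanisms discussed above, the transport ordering that MIT krb5 documents for udp_preference_limit and the 4-octet length prefix the Kerberos specification puts in front of each message on TCP. The function names, the MAX_MESSAGE cap and the sample bytes are assumptions made for illustration.

```python
import struct

MAX_MESSAGE = 1 << 20  # assumed local sanity cap on one framed message, not from any spec

def pick_transports(request_len, udp_preference_limit):
    """Transport order per MIT krb5's documented udp_preference_limit:
    a message larger than the limit tries TCP first, otherwise UDP first.
    Either way the other transport is the fallback."""
    if request_len > udp_preference_limit:
        return ["tcp", "udp"]
    return ["udp", "tcp"]

def frame_for_tcp(message):
    """Prefix a Kerberos message with its length as 4 octets, network byte order."""
    if len(message) > MAX_MESSAGE:
        raise ValueError("message exceeds local cap")
    return struct.pack("!I", len(message)) + message

def read_framed(chunks):
    """Reassemble messages from arbitrary TCP read chunks.
    Returns (complete_messages, leftover_bytes)."""
    buf, messages = b"", []
    for chunk in chunks:
        buf += chunk
        while len(buf) >= 4:
            (length,) = struct.unpack("!I", buf[:4])
            if length & 0x80000000:
                # The high bit of the length is reserved and must be zero.
                raise ValueError("reserved high bit set in length prefix")
            if length > MAX_MESSAGE:
                # Refuse to buffer whatever size a peer claims.
                raise ValueError("declared length exceeds local cap")
            if len(buf) < 4 + length:
                break  # wait for more data
            messages.append(buf[4:4 + length])
            buf = buf[4 + length:]
    return messages, buf

if __name__ == "__main__":
    # Constructed stand-in for a large encoded request; not real Kerberos data.
    request = b"\x6c" + b"\x00" * 1999
    print(pick_transports(len(request), 1))    # limit of 1: TCP first
    wire = frame_for_tcp(request)
    # Simulate the reply stream arriving in uneven pieces.
    msgs, rest = read_framed([wire[:3], wire[3:900], wire[900:]])
    print(len(msgs), len(msgs[0]), rest)
```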
