GSSAPI interoperability problem between Java 1.5 & MIT Kerberos
kenh at cmf.nrl.navy.mil
Thu Jan 12 14:24:48 EST 2006
>J2SE 5.0 does support "des-cbc-md5". I have validated interoperability
>using "des-cbc-md5" as the encryption type, and all works well.
Perhaps you didn't understand me. The issue is that the _KDC_ will not
issue session keys with that enctype. It's a huge pain to make a MIT
KDC do that. I don't think looking at the Java application configuration
will yield anything useful, but I will ask the developer for it if you
really want to see it.
The bottom line is that unless you go through a bunch of extra stuff, an
MIT KDC will only issue single-DES session keys as des-cbc-crc (actually,
I'm wrong ... the source code in the KDC that I'm using is hard-coded to
never issue a des-cbc-md5 ticket, and from the ChangeLog it's been that
way in the MIT sources since 2001. I see that MIT Kerberos 1.4.3 is the
same way). So the bottom line is that anyone with a MIT KDC is never
going to use des-cbc-md5.
More information about the krbdev