GSSAPI interoperability problem between Java 1.5 & MIT Kerberos

Ken Hornstein kenh at
Thu Jan 12 14:24:48 EST 2006

>J2SE 5.0 does support "des-cbc-md5". I have validated interoperability 
>using "des-cbc-md5" as the encryption type, and all works well.

Perhaps you didn't understand me.  The issue is that the _KDC_ will not
issue session keys with that enctype.  It's a huge pain to make a MIT
KDC do that.  I don't think looking at the Java application configuration
will yield anything useful, but I will ask the developer for it if you
really want to see it.

The bottom line is that unless you go through a bunch of extra stuff, an
MIT KDC will only issue single-DES session keys as des-cbc-crc (actually,
I'm wrong ... the source code in the KDC that I'm using is hard-coded to
never issue a des-cbc-md5 ticket, and from the ChangeLog it's been that
way in the MIT sources since 2001.  I see that MIT Kerberos 1.4.3 is the
same way).  So the bottom line is that anyone with a MIT KDC is never
going to use des-cbc-md5.


More information about the krbdev mailing list