How often does MIT krb5 request for KDC info through DNS?

David Woodhouse dwmw2 at
Tue Aug 5 12:03:40 EDT 2014

On Tue, 2014-08-05 at 10:53 -0500, Nico Williams wrote:
> As for JGSS performance, there are worse problems:
>  - non-caching of some tickets
>  - delegating credentials by default in the HTTP/Negotiate stack
>    (forwarded tickets are generally not cached on the client side)
>  - doing an HTTP request w/o authentication every time, thus getting a
>    401 then trying again with Kerberos
>  - servlets that don't use cookies to optimize away the GSS context
>    setup per-request(!!!)

 - On IIS, failing to set the 'AuthPersistNonNTLM' attribute which makes
   Kerberos authentication a per-connection thing instead of per-request

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
Url :

More information about the krbdev mailing list