How often does MIT krb5 request for KDC info through DNS?
David Woodhouse
dwmw2 at infradead.org
Tue Aug 5 12:03:40 EDT 2014
On Tue, 2014-08-05 at 10:53 -0500, Nico Williams wrote:
>
> As for JGSS performance, there are worse problems:
>
> - non-caching of some tickets
>
> - delegating credentials by default in the HTTP/Negotiate stack
> (forwarded tickets are generally not cached on the client side)
>
> - doing an HTTP request w/o authentication every time, thus getting a
> 401 then trying again with Kerberos
>
> - servlets that don't use cookies to optimize away the GSS context
> setup per-request(!!!)
- On IIS, failing to set the 'AuthPersistNonNTLM' attribute which makes
Kerberos authentication a per-connection thing instead of per-request
http://blogs.msdn.com/b/benjaminperkins/archive/2011/10/31/kerberos-authpersistnonntlm-authentication-request-based-vs-session-based-authentication.aspx
--
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20140805/25c46479/attachment-0001.bin
More information about the krbdev
mailing list