How often does MIT krb5 request for KDC info through DNS?

Nico Williams nico at
Tue Aug 5 12:16:41 EDT 2014

On Tue, Aug 05, 2014 at 05:03:40PM +0100, David Woodhouse wrote:
> On Tue, 2014-08-05 at 10:53 -0500, Nico Williams wrote:
> > As for JGSS performance, there are worse problems:
> >
> >  - servlets that don't use cookies to optimize away the GSS context
> >    setup per-request(!!!)
>  - On IIS, failing to set the 'AuthPersistNonNTLM' attribute which makes
>    Kerberos authentication a per-connection thing instead of per-request

HTTP/1.1 is not supposed to be aware of connection state, and IIRC the
servlet interface design doesn't make it possible to make the servlet
able to cache per-connection state :(

Cookies are teh authentication state system for HTTP, for better or
worse, whether we like it or not.

Java needs an utterly trivial-to-setup session cookie system.


More information about the krbdev mailing list