How often does MIT krb5 request for KDC info through DNS?

Weijun Wang at
Tue Aug 5 21:16:53 EDT 2014

On 8/5/2014 23:53, Nico Williams wrote:
> On Tue, Aug 05, 2014 at 03:38:28PM +0800, Weijun Wang wrote:
>> I wonder if it's easy to set up such a service. Here we are talking
>> about the client side, which might be just a browser talking HTTP
>> with "Windows Integrated Authentication".
> Modern/decent OSes just have it, at least as an option.  You'll have to
> read the docs.
> As for JGSS performance, there are worse problems:
>   - non-caching of some tickets

I agree.

>   - delegating credentials by default in the HTTP/Negotiate stack
>     (forwarded tickets are generally not cached on the client side)

Now that Java has constrained delegation, will re-consider this.

>   - doing an HTTP request w/o authentication every time, thus getting a
>     401 then trying again with Kerberos

I'll ask the networking team.

>   - servlets that don't use cookies to optimize away the GSS context
>     setup per-request(!!!)

I'll forward this to people knowing about servlets.


More information about the krbdev mailing list