How often does MIT krb5 request for KDC info through DNS?
weijun.wang at oracle.com
Tue Aug 5 21:16:53 EDT 2014
On 8/5/2014 23:53, Nico Williams wrote:
> On Tue, Aug 05, 2014 at 03:38:28PM +0800, Weijun Wang wrote:
>> I wonder if it's easy to set up such a service. Here we are talking
>> about the client side, which might be just a browser talking HTTP
>> with "Windows Integrated Authentication".
> Modern/decent OSes just have it, at least as an option. You'll have to
> read the docs.
> As for JGSS performance, there are worse problems:
> - non-caching of some tickets
> - delegating credentials by default in the HTTP/Negotiate stack
> (forwarded tickets are generally not cached on the client side)
Now that Java has constrained delegation, will re-consider this.
> - doing an HTTP request w/o authentication every time, thus getting a
> 401 then trying again with Kerberos
I'll ask the networking team.
> setup per-request(!!!)
I'll forward this to people knowing about servlets.
More information about the krbdev