Kerberos 1.14 - Java incompatibility

Richard Basch basch at
Sat Dec 12 11:40:40 EST 2015

There appears to be a protocol change in Kerberos 1.14 which causes older Java clients issues.

Assuming an environment supports weak encryption and is using des-cbc-crc keys, and a Java app is negotiating multiple encryption types, one scenario which can happen is:

- Java negotiates des-cbc-md5 and des-cbc-crc
- KDC responds with support for both
- Java actually makes request with type 3 (des-cbc-md5)
- KDC now responds with BAD_ENCRYPTION_TYPE if the principal is defined as type 1 (des-cbc-crc).

Previous behavior in 1.13 and prior: KDC would issue ticket (skey=3, tkt=1)

More information about the krbdev mailing list