Kerberos 1.14 - Java 1.6.0.24 incompatibility
Richard Basch
basch at alum.mit.edu
Sat Dec 12 11:40:40 EST 2015
There appears to be a protocol change in Kerberos 1.14 which causes issues for older Java clients.
Assuming an environment supports weak encryption and is using des-cbc-crc keys, and a Java app is negotiating multiple encryption types, one scenario which can happen is:
- Java negotiates des-cbc-md5 and des-cbc-crc
- KDC responds with support for both
- Java actually makes request with type 3 (des-cbc-md5)
- KDC now responds with BAD_ENCRYPTION_TYPE if the principal is defined as type 1 (des-cbc-crc).
Previous behavior in 1.13 and prior: KDC would issue ticket (skey=3, tkt=1)