Kerberos 1.14 - Java 188.8.131.52 incompatibility
weijun.wang at oracle.com
Sun Dec 13 06:15:52 EST 2015
Have you tried newer JDK? 184.108.40.206 is the latest jdk6u. We had a bug at https://bugs.openjdk.java.net/browse/JDK-6932525 on etypes in AS-REQ and it was fixed in 6u25.
I work on Java SE Kerberos at Oracle.
> On Dec 13, 2015, at 12:40 AM, Richard Basch <basch at alum.mit.edu> wrote:
> There appears to be a protocol change in Kerberos 1.14 which causes older Java clients issues.
> Assuming an environment supports weak encryption and is using des-cbc-crc keys, and a Java app is negotiating multiple encryption types, one scenario which can happen is:
> - Java negotiates des-cbc-md5 and des-cbc-crc
> - KDC responds with support for both
> - Java actually makes request with type 3 (des-cbc-md5)
> - KDC now responds with BAD_ENCRYPTION_TYPE if the principal is defined as type 1 (des-cbc-crc).
> Previous behavior in 1.13 and prior: KDC would issue ticket (skey=3, tkt=1)
> krbdev mailing list krbdev at mit.edu
More information about the krbdev