Kerberos 1.14 - Java incompatibility

Wang Weijun at
Sun Dec 13 06:15:52 EST 2015

Hi Richard

Have you tried newer JDK? is the latest jdk6u. We had a bug at on etypes in AS-REQ and it was fixed in 6u25.


I work on Java SE Kerberos at Oracle. 

> On Dec 13, 2015, at 12:40 AM, Richard Basch <basch at> wrote:
> There appears to be a protocol change in Kerberos 1.14 which causes older Java clients issues.
> Assuming an environment supports weak encryption and is using des-cbc-crc keys, and a Java app is negotiating multiple encryption types, one scenario which can happen is:
> - Java negotiates des-cbc-md5 and des-cbc-crc
> - KDC responds with support for both
> - Java actually makes request with type 3 (des-cbc-md5)
> - KDC now responds with BAD_ENCRYPTION_TYPE if the principal is defined as type 1 (des-cbc-crc).
> Previous behavior in 1.13 and prior: KDC would issue ticket (skey=3, tkt=1)
> _______________________________________________
> krbdev mailing list             krbdev at

More information about the krbdev mailing list