Following up on this email.. (this apparently got filtered with MIT alias)
Java GSS/Kerberos does support TCP
----------------------------
Sun's implementation of Java Kerberos now supports automatic fallback to TCP. Therefore, if the Kerberos ticket request using UDP fails and the KDC returns the error code ||KRB_ERR_RESPONSE_TOO_BIG, TCP is automatically the default transport.
For Java GSS/Kerberos features available since J2SE1.4.2, please refer to: http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html
For latest Java GSS/Kerberos features in J2SE 1.5.0, please refer to: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html
Seema
Douglas E. Engert wrote:
Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:
Hello, I am trying to connect to an AD 2003 server, and am encountering the
following error
com.ibm.security.jgss.i18n.exception.KRBResponseTooBigError
After doing some research, I have found this is related to a problem which
occurs when a UDP packet is too large. UDP seems to be the only connection
protocol supported in IBM's implementation of the Kerberos/JAAS
authentication schemes, could you please verify this information? It would
be very helpful if there were a way to connect to an AD controller via TCP.
I have already tried adding the line udp_preference_limit = 1 to my
krb5.conf file, and it seems to be ignored by the IBM implementation. I
would use the Sun implementation which does now support TCP, but that
solution is also equally filled with problems for me as it does not support
the RC4/HMAC encryption scheme that my current situation is forcing me to
use. Thanks in advance for any help you can provide.
Another option: If the failure is in trying to get a service ticket and the service
does not need the PAC (authorizaiton data added to a ticket that is used only
by MS applications) then you could mark the service principal so that a PAC
is not added to the ticket, and thus the ticket will be small and work with UDP.
See http://support.microsoft.com/?kbid=832572
But the Java should support TCP. The IETF IESG approved on Friday the replacement
for RFC-1510. It is awaiting an RFC number.
draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is required.
Daniel E. Pittman, Jr
96 CG/SCTOA
Phone: (850) 882-5498
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________ Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
