Currently Java GSS/Kerberos in J2SE 1.5.0 supports
Triple-DES and DES (des3-cbc-sha1-kd, des-cbc-md5, des-cbc-crc).
Support for AES (aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96)
and RC4-HMAC in Kerberos will be available in a future J2SE release.

For now in order to interoperate with Windows, you will need to select
"use DES key" in your AD account settings.

*TCP vs UDP Preference Configuration*
Sun's implementation of Java Kerberos supports TCP vs UDP preference
configuration via the "udp_preference_limit" parameter. You need to set up the
"udp_preference_limit" configuration parameter in the Kerberos configuration
file krb5.conf under the [libdefaults] section if you want your application to use
TCP. If not specified, the Java Kerberos library will fall back to TCP only if the
Kerberos ticket request using UDP fails and the KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG. E.g. you can set
udp_preference_limit = 1 to always use TCP.


Seema
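The transport rule described above, as an added example that is not part of this thread and not code from Sun's or IBM's Kerberos implementation: it parses the [libdefaults] section of a constructed krb5.conf (a generic INI parser will not do, because other krb5.conf sections contain `NAME = { ... }` blocks), models which transports a client would try for one KDC exchange under the udp_preference_limit setting and the automatic UDP-to-TCP fallback on KRB_ERR_RESPONSE_TOO_BIG, and flags configurations where large AD tickets would still go over UDP first. The sample realm and KDC host names are constructed; the "larger than the limit means TCP first" comparison follows the documented meaning of udp_preference_limit, which is an assumption about the implementation rather than something the thread states.

```python
"""Parse krb5.conf [libdefaults] and model KDC transport selection.

Added example for the thread above; not code from the thread, Sun's JDK or
IBM's JDK.  The transport rule assumes the documented meaning of
udp_preference_limit: requests larger than the limit are sent over TCP first.
"""

from typing import Dict, List, Optional

# Constructed sample configuration; realm and KDC host are illustrative.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    # udp_preference_limit = 1 makes every request use TCP, as the thread recommends
    udp_preference_limit = 1

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# KDC error returned when the reply will not fit in a UDP datagram (RFC 4120).
KRB_ERR_RESPONSE_TOO_BIG = 52


def parse_libdefaults(text: str) -> Dict[str, str]:
    """Return the depth-0 ``key = value`` pairs inside [libdefaults].

    Full-line comments (# or ;) are skipped, and ``{ ... }`` blocks in other
    sections are tracked only so that their contents are never mistaken for
    top-level settings.
    """
    settings: Dict[str, str] = {}
    section: Optional[str] = None
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            depth = 0
            continue
        if section != "libdefaults":
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def transports_tried(settings: Dict[str, str], request_bytes: int,
                     kdc_reply_too_big: bool = False) -> List[str]:
    """Transports a client would use, in order, for one KDC exchange.

    * With udp_preference_limit set, a request larger than the limit goes
      straight to TCP; ``udp_preference_limit = 1`` therefore means TCP always.
    * Otherwise UDP is tried first, and TCP only after the KDC answers
      KRB_ERR_RESPONSE_TOO_BIG (the automatic fallback described in the thread).
    """
    limit = settings.get("udp_preference_limit")
    if limit is not None and request_bytes > int(limit):
        return ["tcp"]
    if kdc_reply_too_big:
        return ["udp", "tcp"]
    return ["udp"]


def check_transport_config(settings: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise about the KDC transport settings."""
    findings: List[str] = []
    limit = settings.get("udp_preference_limit")
    if limit is None:
        findings.append("udp_preference_limit not set: UDP is tried first and TCP "
                        "only after a KRB_ERR_RESPONSE_TOO_BIG reply")
    elif not limit.isdigit():
        findings.append(f"udp_preference_limit is not numeric: {limit!r}")
    elif int(limit) > 1:
        findings.append(f"udp_preference_limit = {limit}: large AD tickets (PAC "
                        "data) may still be attempted over UDP first")
    return findings


if __name__ == "__main__":
    cfg = parse_libdefaults(SAMPLE_KRB5_CONF)
    print(cfg)
    print(transports_tried(cfg, request_bytes=1200))
    print(check_transport_config(cfg) or ["no findings"])
```

Run it against a real krb5.conf by reading the file into `parse_libdefaults`; an empty finding list means the client will not depend on the UDP-then-TCP retry that the IBM implementation in this thread apparently lacks.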

Douglas E. Engert wrote:



Seema Malkani wrote:

Following up on this email..
(this apparently got filtered with MIT alias)


Can you answer the other question in the user's original question? He needs both TCP and RC4/HMAC. When will the Sun Java support RC4/HMAC for better compatibility with Windows?



Java GSS/Kerberos does support TCP
----------------------------
Sun's implementation of Java Kerberos now supports automatic fallback to TCP. Therefore, if the Kerberos ticket request using UDP fails and the KDC returns the error code KRB_ERR_RESPONSE_TOO_BIG, TCP is automatically the default transport.


For Java GSS/Kerberos features available since J2SE1.4.2, please refer to:
http://java.sun.com/j2se/1.4.2/docs/guide/security/jgss/jgss-features.html



For latest Java GSS/Kerberos features in J2SE 1.5.0, please refer to: http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/jgss-tiger.html

Seema

Douglas E. Engert wrote:



Pittman Daniel E Jr Civ 96 CG/SCTOA wrote:

Hello, I am trying to connect to an AD 2003 server, and am encountering the
following error
com.ibm.security.jgss.i18n.exception.KRBResponseTooBigError


After doing some research, I have found this is related to a problem which
occurs when a UDP packet is too large. UDP seems to be the only connection
protocol supported in IBM's implementation of the Kerberos/JAAS
authentication schemes, could you please verify this information? It would
be very helpful if there were a way to connect to an AD controller via TCP.
I have already tried adding the line udp_preference_limit = 1 to my
krb5.conf file, and it seems to be ignored by the IBM implementation. I
would use the Sun implementation which does now support TCP, but that
solution is also equally filled with problems for me as it does not support
the RC4/HMAC encryption scheme that my current situation is forcing me to
use. Thanks in advance for any help you can provide.




Another option: If the failure is in trying to get a service ticket and the service
does not need the PAC (authorization data added to a ticket that is used only
by MS applications) then you could mark the service principal so that a PAC
is not added to the ticket, and thus the ticket will be small and work with UDP.


See http://support.microsoft.com/?kbid=832572

But the Java should support TCP. The IETF IESG approved on Friday the replacement
for RFC-1510. It is awaiting an RFC number.
draft-ietf-krb-wg-kerberos-clarifications-07.txt states TCP is required.






Daniel E. Pittman, Jr
96 CG/SCTOA
Phone: (850) 882-5498
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos