Sun's implementation of Java GSS/Kerberos currently supports PA-ENC-TIMESTAMP as per RFC 1510. The new pre-authentication types specified in the Kerberos clarifications provide additional pre-authentication. Support for these new pre-authentication types, PA-ETYPE-INFO and PA-ETYPE-INFO2, will be available in a future J2SE release.

However, if you specify the etype correctly, you should not get the pre-authentication error. You can specify the default encryption types used by the Java client in the Kerberos configuration file.

[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes   = des-cbc-md5 des-cbc-crc des3-cbc-sha1

In addition, Windows allows you to disable pre-authentication by selecting "do not require Kerberos pre-authentication" in the AD account settings.

Seema

Douglas E. Engert wrote:



Sam Hartman wrote:

All these issues have been discussed on the ietf-krb-wg list although
never quite in the same place.

Java is wrong in how it handles preauth; the advice in my preauth
draft would be a better approach.


I agree it is wrong. What I would like to see is the Java people
admit this and fix it and work in the krb-wg too.


AD is stretching clarifications significantly in how it handles case of principal names. However it's much more usable than what other implementations do. There was a long and heated discussion between Martin Rex and people at Microsoft over this issue.


Somehow I miss that point. Hopefully the explanation I put together
will get the Java people to do something about the preauth.



--Sam







________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
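
An added example, not part of the original message or of Sun's code: a small Python consistency check for the [libdefaults] enctype settings discussed above. It flags names deprecated by RFC 6649 and RFC 8429, names it does not recognize, and enctypes that are requested but missing from permitted_enctypes. The function names, the sample file and the partial list of known enctype names are assumptions.

```python
# Deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
DEPRECATED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac"}
# Assumption: a partial list of other well-known enctype names, not a complete registry.
OTHER_KNOWN = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: the page's settings with one list changed and one stray suffix.
SAMPLE = """\
[libdefaults]
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 aes256-cts-hmac-sha1-96
permitted_enctypes   = des-cbc-md5 des3-cbc-sha1//
[appdefaults]
permitted_enctypes = rc4-hmac
"""

def parse_libdefaults(text):
    """Return {setting: [enctype names]} read from the [libdefaults] section only."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                settings[key] = value.replace(",", " ").split()
    return settings

def audit(text):
    """Return (setting, enctype, problem) tuples for the enctype settings."""
    settings, findings = parse_libdefaults(text), []
    for key in ENCTYPE_KEYS:
        for etype in settings.get(key, []):
            if etype in DEPRECATED:
                findings.append((key, etype, "deprecated"))
            elif etype not in OTHER_KNOWN:
                findings.append((key, etype, "unrecognized"))
    requested = set(settings.get("default_tkt_enctypes", []))
    requested |= set(settings.get("default_tgs_enctypes", []))
    if "permitted_enctypes" in settings:
        for etype in sorted(requested - set(settings["permitted_enctypes"])):
            findings.append(("permitted_enctypes", etype, "requested but not permitted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```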
