Relates :
|
|
Relates :
|
|
Relates :
|
|
Relates :
|
This is a regression of 6932525. Before 6932525, Java only uses the etype for preauth as supported etypes in the 2nd AS-REQ. As 6932525 shows this does not interop well with Windows 2008 (with Windows 2000 compat mode), but it does force the KDC to use the same etype in the enc-part of the final AS-REP. After 6932525, Java allows all supported etypes in the 2nd AS-REQ, and it seems that at least Windows 2000 might responds with an AS-REP whose enc-part is *not* encrypted with the etype used for preauth. Since Java already allows all suppored etypes in the request, there is nothing to blame here. Unfortunately, we have a bug that only uses the preauth etype to decrypt the enc-part in the final AS-REP. Now that the etype for preauth and enc-part is different, a KrbException is thrown. The following sqe tests fail in b97 tl pit because of this bug: SPNEGO_HTTP_AUTH/WWW_KRB execute_script pit SPNEGO_HTTP_AUTH/WWW_SPNEGO execute_script pit SPNEGO_HTTP_AUTH/PROXY_KRB_2 execute_script pit SPNEGO_HTTP_AUTH/PROXY_SPNEGO_2 execute_script pit SPNEGO_HTTP_AUTH/WWW_SPNEGO_DELE/TRUSTED_HOST_TRUSTED_USER execute_script pit
|