JDK-5100483 : Kerberos module cannot authenticate with different KDCs/principal names
Type:Bug
Component:security-libs
Sub-Component:java.security
Affected Version:1.4.2_04
Priority:P3
Status:Resolved
Resolution:Fixed
OS:solaris_8
CPU:other
Submitted:2004-09-10
Updated:2004-11-09
Resolved:2004-11-09
Using com.sun.security.auth.module.Krb5LoginModule to do service login,
it succeeds with the first KDC (whichever) but fails with the 2nd KDC later.
See comments for details:
###@###.### 2004-11-08 20:29:36 GMT
Comments
EVALUATION
###@###.### 2004-09-13
When the application server authenticates service #1, it is successful. However, when the application server authenticates service #2, using a different
KDC/realm/principal, the Kerberos configuration would need to be refreshed. Hence you would need to configure the Krb5LoginModule to refresh the Kerberos
configuration, using the option "refreshKrb5Config=true".
However, even after refreshing the Kerberos configuration, the application
server failed to authenticate service #2. Upon further investigation,
it appears that the KDC and Kerberos realm were all refreshed; however,
the 2nd keytab is not loaded. This is because the KeyTab class still has
the old entries from the 1st keytab.
The KeyTab class is designed to be a singleton. There can be only one
instance of the KeyTab. We need to refresh the KeyTab instance when
the Kerberos configuration is refreshed.
11-08-04 [Seema malkani]
Have fixed the Kerberos Login Module to allow it to authenticate
to services with different KDCs.
###@###.### 2004-11-08 20:26:14 GMT
###@###.### 2004-11-08 20:27:28 GMT
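The scenario from the evaluation, as an added example that is not code from the bug report or the JDK: two service logins in one JVM, each with its own realm, KDC, principal and keytab, with refreshKrb5Config enabled. The realm names, hosts, principals, keytab paths and the class name are constructed placeholders, and the code assumes Java 7 or later.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class TwoRealmServiceLogin {

    // Logs one service principal in from its own keytab against its own realm/KDC.
    static Subject login(String realm, String kdc, String principal, String keytab)
            throws LoginException {
        // Point the JVM-wide Kerberos settings at this service's realm and KDC.
        System.setProperty("java.security.krb5.realm", realm);
        System.setProperty("java.security.krb5.kdc", kdc);

        final Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);          // per-service keytab file
        opts.put("principal", principal);
        opts.put("storeKey", "true");        // keep the key so the service can accept contexts
        opts.put("doNotPrompt", "true");     // fail instead of prompting if the keytab lacks the key
        // Re-read the realm/KDC settings before this login (the option named in the evaluation).
        opts.put("refreshKrb5Config", "true");

        Configuration conf = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
        LoginContext lc = new LoginContext("service", new Subject(), null, conf);
        lc.login(); // throws LoginException when no matching key is found or the KDC rejects it
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        // Constructed placeholder values; replace with the two real services.
        Subject s1 = login("REALM1.EXAMPLE", "kdc1.example", "svc1/host.example@REALM1.EXAMPLE", "/etc/svc1.keytab");
        Subject s2 = login("REALM2.EXAMPLE", "kdc2.example", "svc2/host.example@REALM2.EXAMPLE", "/etc/svc2.keytab");
        System.out.println(s1.getPrincipals() + " " + s2.getPrincipals());
    }
}
```

Because the realm and KDC system properties are JVM-wide, concurrent logins for different realms should be serialized around this method.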