JDK-6843127 : krb5 should not try to access unavailable kdc too often
  • Type: Bug
  • Component: security-libs
  • Sub-Component: org.ietf.jgss:krb5
  • Affected Version: 6,7
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic,solaris_10
  • CPU: generic,sparc
  • Submitted: 2009-05-20
  • Updated: 2017-05-16
  • Resolved: 2010-01-08
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
6u21Fixed 7 b79Fixed
Related Reports
Relates :  
Relates :  
Curently, AS-REQ acts like this:

  try {
     send AS-REQ and wait for AS-REP
  } catch (KRB-ERROR needs PREAUTH) {
     send AS-REQ with PREAUTH and wait for AS-REP

and the send-wait process looks like:

  for (all KDCs configed) {
     for (try 3 times) {
        try {
           send AS-REQ and wait for AS-REP
        } catch (IOError) {

The two processes are independent, which means when the first configured KDC is not accessible anymore, something like this is performed:

  1. Send AS-REQ to KDC1
  2. Send AS-REQ to KDC1
  3. Send AS-REQ to KDC1
  4. Send AS-REQ to KDC2
     KDC2 replies: KRB-ERROR needs PREAUTH
  5. Send AS-REQ with PREAUTH to KDC1
  6. Send AS-REQ with PREAUTH to KDC1
  7. Send AS-REQ with PREAUTH to KDC1
  8. Send AS-REQ with PREAUTH to KDC2
     KDC2 replies: AS-REP

Here, request #5-#7 is a waste of time.

Suggestion: maintaining a list of KDCs with the initial order according to config. When any of them is not accessible at run time, move it to the last place.

EVALUATION Solution: add a security system property # # Policy for failed Kerberos KDC lookups: # # When a KDC is unavailable (network error, service failure, etc), it is # put inside a blacklist and accessed less often for future requests. The # value (case-insensitive) for this policy can be: # # tryLast # KDCs in the blacklist are always tried after those not on the list. # # tryLess[:max_retries,timeout] # KDCs in the blacklist are still tried by their order in the configuration, # but with smaller max_retries and timeout values. max_retries and timeout # are optional numerical parameters (default 1 and 5000, which means once # and 5 seconds). Please notes that if any of the values defined here is # more than what is defined in krb5.conf, it will be ignored. # # Whenever a KDC is detected as available, it is removed from the blacklist. # The blacklist is reset when krb5.conf is reloaded. You can add # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is # reloaded whenever a JAAS authentication is attempted. # # Example, # krb5.kdc.bad.policy = tryLast # krb5.kdc.bad.policy = tryLess:2,2000 krb5.kdc.bad.policy = tryLast

EVALUATION http://hg.openjdk.java.net/jdk7/tl/jdk/rev/6a80c535f02e *** (#1 of 1): [ UNSAVED ] ###@###.###