Currently, the AS-REQ exchange works like this:
    try {
        send AS-REQ and wait for AS-REP
    } catch (KRB-ERROR needs PREAUTH) {
        send AS-REQ with PREAUTH and wait for AS-REP
    }
and the send-wait process looks like this:
    for (all KDCs configured) {
        for (try 3 times) {
            try {
                send AS-REQ and wait for AS-REP
                return
            } catch (IOError) {
                continue
            }
        }
    }
The two processes are independent: the send-wait loop always starts again from the first configured KDC and only retries on a transport error (IOError), while a KRB-ERROR is a real reply and ends the loop. So when the first configured KDC is no longer accessible, something like this happens:
1. Send AS-REQ to KDC1
2. Send AS-REQ to KDC1
3. Send AS-REQ to KDC1
4. Send AS-REQ to KDC2
KDC2 replies: KRB-ERROR needs PREAUTH
5. Send AS-REQ with PREAUTH to KDC1
6. Send AS-REQ with PREAUTH to KDC1
7. Send AS-REQ with PREAUTH to KDC1
8. Send AS-REQ with PREAUTH to KDC2
KDC2 replies: AS-REP
Here, requests #5-#7 are a waste of time: they retry a KDC that was already found to be unreachable in requests #1-#3, and each of them costs a full timeout.
Suggestion: maintain a list of KDCs whose initial order follows the configuration. When any of them turns out to be inaccessible at run time, move it to the end of the list, so that the next round starts with a KDC that was reachable.
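The following simulation is an added illustration, not code from the Kerberos implementation under discussion. It models the two independent loops above with a constructed KDC set (KDC1 unreachable, KDC2 demanding pre-authentication) and reproduces the 8-request trace, then applies the suggested demote-on-failure ordering to the same scenario. Class and function names (FakeKdc, send_as_req, authenticate, demote_failed) are assumptions made for the example.

```python
"""Simulation of the AS-REQ retry behaviour described in the post.

Added example, not the real Kerberos client code.  The KDC behaviour is
constructed: KDC1 never answers, KDC2 answers every AS-REQ without
pre-authentication with a KRB-ERROR (needs PREAUTH) and every AS-REQ
with PREAUTH with an AS-REP.
"""

RETRIES = 3  # the "try 3 times" in the pseudocode


class KdcUnreachable(IOError):
    """Transport-level failure: the IOError the send-wait loop retries on."""


class NeedsPreauth(Exception):
    """KRB-ERROR asking for pre-authentication (a protocol reply, not an IOError)."""


class FakeKdc:
    """Constructed stand-in for a KDC (name and whether it is reachable)."""

    def __init__(self, name, reachable=True):
        self.name = name
        self.reachable = reachable

    def handle(self, preauth):
        if not self.reachable:
            raise KdcUnreachable(self.name)
        if not preauth:
            raise NeedsPreauth(self.name)
        return f"AS-REP from {self.name}"


def send_as_req(kdcs, preauth, trace, demote_failed=False):
    """The send-wait loop: all configured KDCs, up to RETRIES attempts each.

    Only KdcUnreachable (IOError) triggers a retry; a KRB-ERROR propagates
    to the caller because it is a real reply.  With demote_failed=True a KDC
    that exhausted its retries is moved to the end of the shared list, which
    is the suggested fix: the next call starts with a KDC that answered.
    """
    for kdc in list(kdcs):  # iterate over a copy; the list may be reordered
        for _ in range(RETRIES):
            trace.append(f"AS-REQ{' with PREAUTH' if preauth else ''} -> {kdc.name}")
            try:
                return kdc.handle(preauth)
            except KdcUnreachable:
                continue
        if demote_failed:
            kdcs.remove(kdc)
            kdcs.append(kdc)
    raise KdcUnreachable("no KDC reachable")


def authenticate(kdcs, demote_failed=False):
    """The outer process: plain AS-REQ first, then AS-REQ with PREAUTH on demand.

    Returns the final reply and the ordered list of requests that were sent.
    """
    trace = []
    try:
        reply = send_as_req(kdcs, False, trace, demote_failed)
    except NeedsPreauth:
        reply = send_as_req(kdcs, True, trace, demote_failed)
    return reply, trace


def configured_kdcs():
    """Constructed configuration: KDC1 listed first but down, KDC2 healthy."""
    return [FakeKdc("KDC1", reachable=False), FakeKdc("KDC2")]


if __name__ == "__main__":
    for demote in (False, True):
        reply, trace = authenticate(configured_kdcs(), demote_failed=demote)
        print(f"demote_failed={demote}: {len(trace)} requests, result: {reply}")
        for i, step in enumerate(trace, 1):
            print(f"  {i}. {step}")
```

Without demotion the trace is the eight requests listed above; with demotion KDC1 is moved behind KDC2 after its three failed attempts, so the PREAUTH round goes straight to KDC2 and the exchange finishes in five requests. Two points matter when implementing this for real: only transport failures should demote a KDC (a KRB-ERROR proves the KDC is alive and must not change the order), and if the list is shared between threads the reorder needs to be synchronized.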