Description
If you specify the KDC through the java.security.krb5.realm and java.security.krb5.kdc system properties, Java reads them once, when its Kerberos Config is first initialized, and caches the result for the life of the JVM; setting the properties again while the JVM is running has no effect. (The kdc property can name several KDCs separated by colons, but it still cannot be changed once it has been read.)
System.setProperty("java.security.krb5.realm",
    Config.retrieveConfig().propertyValueString("kerberos.realm"));
System.setProperty("java.security.krb5.kdc",
    Config.retrieveConfig().propertyValueString("kerberos.kdc.address"));
In our case those values are UPENN.EDU and kerberos1.upenn.edu.
However, you can instead point Java Kerberos at a krb5.conf file. Java looks for it at the path given in the java.security.krb5.conf system property, then in the JRE's security directory (lib/security/krb5.conf), then in the platform default location (/etc/krb5.conf on Linux). Like the properties above, the file is read once at Config initialization, so the property must be set before any Kerberos class is touched. I guess we should just specify it or put it in the connectStrings folder:
File krb5confFile = FastFileUtils.fileFromResourceName("krb5.conf");
if (krb5confFile == null) {
    throw new RuntimeException("Can't find krb5.conf!");
}
System.setProperty("java.security.krb5.conf", krb5confFile.getAbsolutePath());
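The following is an added example, not code from the page or from the Penn Groups project, showing how a keytab login through JAAS picks up a krb5.conf that lists several KDCs, and how the Krb5LoginModule option refreshKrb5Config works around the one-time read of the Kerberos configuration. The principal name is the one in the debug output on this page; the config path, keytab path and JAAS entry name are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example: obtain a TGT with a keytab, letting the Kerberos library
 * fail over between the KDCs listed in krb5.conf.
 */
public class KerberosKeytabLogin {

    // Assumed paths (hypothetical); adjust to the deployment.
    private static final String KRB5_CONF = "/etc/penngroups/krb5.conf";
    private static final String KEYTAB = "/etc/penngroups/activemq.keytab";
    // Principal taken from the debug output on this page.
    private static final String PRINCIPAL =
        "penngroups_activemq_test/medley.isc-seo.upenn.edu@UPENN.EDU";

    /** JAAS configuration built in code, so no separate login.conf file is needed. */
    static final class KeytabConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> opts = new HashMap<>();
            opts.put("useKeyTab", "true");
            opts.put("keyTab", KEYTAB);
            opts.put("principal", PRINCIPAL);
            opts.put("storeKey", "true");
            opts.put("doNotPrompt", "true");      // never fall back to a password prompt
            opts.put("refreshKrb5Config", "true"); // re-read krb5.conf before each login
            opts.put("debug", "true");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    "com.sun.security.auth.module.Krb5LoginModule",
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    opts)
            };
        }
    }

    /** Performs the AS exchange and returns the Subject holding the TGT. */
    public static Subject login() throws LoginException {
        // Set before any Kerberos class is initialised: the Kerberos Config
        // snapshots java.security.krb5.conf on first use.
        System.setProperty("java.security.krb5.conf", KRB5_CONF);
        // Produces the ">>> KrbKdcReq send: kdc=..." trace shown on this page.
        System.setProperty("sun.security.krb5.debug", "true");

        LoginContext lc = new LoginContext(
            "PennGroupsKeytab", null, null, new KeytabConfiguration());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = login();
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket t : tickets) {
            // For a fresh login the server principal is krbtgt/UPENN.EDU@UPENN.EDU,
            // matching the sname in the page's debug output.
            System.out.println("TGT for " + t.getClient()
                + " issued by " + t.getServer()
                + ", valid until " + t.getEndTime());
        }
    }
}
```

With refreshKrb5Config set, a krb5.conf edit (for example a new KDC hostname) is picked up on the next login without restarting the JVM, which is the practical answer to the caching problem described above; the java.security.krb5.conf property itself still cannot be pointed at a different file after the first read.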
Then you can list multiple KDCs for the realm in krb5.conf:
[libdefaults]
default_realm = UPENN.EDU
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
UPENN.EDU =
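A complete krb5.conf in the shape the page describes, added here as an example rather than the page's own file. The two KDC hostnames are the ones that appear in the debug output below; the timeout, retry and enctype values are assumptions and must match what the KDC and the keytab actually support. The page's original enctypes are kept as a comment: des-cbc-crc is single DES (56-bit, broken), des3-hmac-sha1 is deprecated by RFC 8429, and JDK 8 and later refuse DES unless allow_weak_crypto = true is set, so a current deployment should use the AES enctypes instead.

```ini
[libdefaults]
    default_realm = UPENN.EDU
    # Java reads kdc_timeout in milliseconds (the debug trace shows the
    # default "timeout=30000, number of retries =3"). Shorter values make the
    # failover to the next KDC faster. Assumed values:
    kdc_timeout = 5000
    max_retries = 2
    # Force TCP so large AS-REQ/AS-REP messages are not truncated over UDP.
    udp_preference_limit = 1
    # Original (2012) settings from this page, now too weak:
    #   default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
    #   default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    # KDCs are tried in the order listed; hostnames from the debug output below.
    UPENN.EDU = {
        kdc = kerberos0.upenn.edu
        kdc = kerberos1.upenn.edu
    }

[domain_realm]
    .upenn.edu = UPENN.EDU
    upenn.edu  = UPENN.EDU
```

The kdc_timeout and max_retries keys may also be placed inside the realm stanza to apply to that realm only; the library still walks the kdc list in order, so putting the most reliable KDC first keeps the common case fast.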
And now it will fail over when one is not available (I put in the wrong address, and it worked). In the debug output below, the request to kerberos0.upenn.edu produces no KDCCommunication line and the reply comes from kerberos1.upenn.edu. The KRBError with error code 25 (NEEDED_PREAUTH) is not a failure: it is the KDC's normal demand for pre-authentication, which the client answers by re-sending the AS-REQ with a PA-ENC-TIMESTAMP, and the final "true" is the successful login result:
default etypes for default_tkt_enctypes: 16 1.
default etypes for default_tkt_enctypes: 16 1.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kerberos0.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=178
>>> KrbKdcReq send: kdc=kerberos1.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=178
>>> KDCCommunication: kdc=kerberos1.upenn.edu UDP:88, timeout=30000,Attempt =1, #bytes=178
>>> KrbKdcReq send: #bytes read=292
>>> KrbKdcReq send: #bytes read=292
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
cTime is Fri Oct 19 14:49:57 EDT 2012 1350672597000
sTime is Fri Oct 19 14:49:57 EDT 2012 1350672597000
suSec is 234094
error code is 25
error Message is Additional pre-authentication required
crealm is UPENN.EDU
cname is penngroups_activemq_test/medley.isc-seo.upenn.edu
realm is UPENN.EDU
sname is krbtgt/UPENN.EDU
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 16
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 16
>>>Pre-Authentication Data:
PA-DATA type = 13
KRBError received: NEEDED_PREAUTH
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 16 1.
Pre-Authentication: Set preferred etype = 16
>>>KrbAsReq salt is UPENN.EDUpenngroups_activemq_testmedley.isc-seo.upenn.edu
Pre-Authenticaton: find key for etype = 16
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=kerberos0.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=262
>>> KrbKdcReq send: kdc=kerberos1.upenn.edu UDP:88, timeout=30000, number of retries =3, #bytes=262
>>> KDCCommunication: kdc=kerberos1.upenn.edu UDP:88, timeout=30000,Attempt =1, #bytes=262
>>> KrbKdcReq send: #bytes read=657
>>> KrbKdcReq send: #bytes read=657
>>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
>>> KrbAsRep cons in KrbAsReq.getReply penngroups_activemq_test/medley.isc-seo.upenn.edu
default etypes for default_tkt_enctypes: 16 1.
true