I have the same problem, and every day I must unlock users' accounts when they use the Java application!
I tested blocking UDP port 88 with the firewall, but there is a timeout like you describe.
Did you find another, better solution?
We have the same problem - an application that can run via web start or as an applet, under win xp/ win 7, that reads data from a URL with authentication. It worked perfectly under java 6, under 7 it locks accounts after 5-20 data reads. Any fix that anyone has?
Have this issue after rollout to JRE 7. Try the following:
Initial testing shows this fixes the issue. However, still need to examine potential security impact.
As noted below, this should not be a string, but a DWORD.
This does seem to work thank you! Can't be 100% certain as locking was intermittent, but I tried many more times than would 'normally' be required to cause account locking, without issue.
It doesn't work for me :-(
The only thing that works is to check "Do not require Kerberos preauthentication" in the Active Directory user account. But I don't want to check this option for all my users!
Now it works!!!
The key (allowtgtsessionkey) must be a REG_DWORD and not a REG_SZ!
Thank you very much William_D :-)
I had this same issue. My fix was to create a custom JAAS config file that specifies not to use the local TGT cache.
If you would like, I could provide you with this setup. 1.7 uses GSS/SPNEGO as the first method of auth; this will essentially disable this method of single sign-on.
- GSS/SPNEGO -> Digest -> NTLM -> Basic
It looks like you got a fix, so this post could be worthless.
In fact we encounter the same issue in our environment, and somehow changing the Kerberos PreAuth setting did not resolve the issue. As I am not a Java expert, can you give more details on where and how to set up the 'HTTP Authentication' setting which you have mentioned earlier? Can you provide a sample of the custom JAAS config file which you have mentioned for me to use in my environment? Where should I put the JAAS config file? Your assistance on this is truly appreciated.
Thanks and best regards,
Can you kindly verify what is the DWORD value which you have set for the registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters\allowtgtsessionkey) which resolved your issue?
Is it 0 or 1? I have tried to use different values (0 and 1) on different users, but the Java/Windows lockout issue still remains.
Thanks and regards,
Yes, do share, as the registry workaround exposes a security vulnerability.
Another workaround I have found is to open c:\Program Files (x86)\Java\jre7\lib\security\java.security and comment in line 88:
Obviously, there is no JAAS config file yet, so I don't understand why, when no jass.config file is found, this works around the problem.
Try out the following workaround as suggested earlier:
Create a new registry key as follows under
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
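
A read-only PowerShell check for the registry value discussed in this thread, added here as an example and not posted by any participant: it reports whether `allowtgtsessionkey` exists, whether it has the REG_DWORD type the thread found necessary, and whether it is switched on, so hosts carrying the workaround can be inventoried. The function name `Get-TgtSessionKeyState` and the reading of data `1` as "enabled" are assumptions of the example.

```powershell
# Added audit example (not from the thread). Read-only: it changes nothing.
# Registry path and value name are the ones quoted in the thread.
$TgtKeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$TgtValueName = 'allowtgtsessionkey'

function Get-TgtSessionKeyState {   # hypothetical helper name
    param(
        [string]$Path = $TgtKeyPath,
        [string]$Name = $TgtValueName
    )

    $result = [ordered]@{
        Computer = $env:COMPUTERNAME
        Present  = $false
        Kind     = $null
        Data     = $null
        Finding  = 'Not set: workaround is not applied on this host'
    }

    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key -and ($key.GetValueNames() -contains $Name)) {
        $result.Present = $true
        $result.Kind    = $key.GetValueKind($Name)   # e.g. DWord or String
        $result.Data    = $key.GetValue($Name)

        if ($result.Kind -ne 'DWord') {
            # The thread reports the workaround had no effect as REG_SZ.
            $result.Finding = 'Wrong type: must be REG_DWORD, not ' + $result.Kind
        }
        elseif ($result.Data -eq 1) {
            # Assumption: 1 means TGT session keys are handed to callers.
            $result.Finding = 'Enabled: review whether this host still needs the workaround'
        }
        else {
            $result.Finding = 'Present but disabled (data is not 1)'
        }
    }

    [pscustomobject]$result
}

Get-TgtSessionKeyState | Format-List
```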