Java SE Ver 7 Uxx locking out domain user account failing Kerberos PreAuth
mxm323Jun 4 2013 — edited Oct 28 2013Java SE Ver 7 all updates are failing Kerberos Pre_Auth and locking domain user accounts because of truncated UDP packets.
When a user opens a page that uses JavaScript their domain account gets a bad password, subsequent openings in the lockout threshold window (5 in 30 minutes for us) results in a domain account lockout.
I have done extensive troubleshooting of this issue and have root caused and been able to prevent it with a less desirable solution. Oracle fixes for the bug below (basically same issue) do not work for me or i'm implementing them incorrectly.
This effects XP\Win7 (32Bit browsers with IE 8 and 9).
Java SE Ver 7 U21 and lesser updates are failing Kerberos Pre_Auth (KRB5KDC_ERR_PREAUTH_FAILED)due to the use of UDP instead of TCP. Starting with the SRV request, UDP exceeds MTU and gets truncated enroute to the KDC. This results in the eventual response from the KDC as bad credential and eventual account lockout if user repeats call for Java.
We have been able to force TCP by blocking UDP 88 on a test station's windows firewall. This prevents the bad password, but injects a delay while kerberos times out UDP and fails to TCP.
Java BUG 8009875 lists the "udp_preference_limit=1" value that forces Java to use TCP, but i can't get this working with a KRB5.config or KRB5.ini file in the c:\windows directory. Even utilizing an environment variable KRB5_CONFIG does not work.
Our expected result is to force Java 7 to use TCP for Kerberos transactions and not UDP. This will be a stop gap until the release of Version 8 next year, which BUG 8009875 says corrects the default UDP call to TCP.