
I followed this article to create a Java program for testing Kerberos authentication: https://docs.oracle.com/javase/jndi/tutorial/ldap/security/gssapi.html

The only thing I changed were the configuration files.

The program works fine when I point the DNS settings of my Windows client to my internal Windows DNS/Kerberos server, but it times out when I use a separate public DNS server, even though:

1. My internal server has ports TCP/UDP 88 open.
2. My external server has the SRV records needed (_kerberos._tcp and _kerberos._udp on port 88).
3. I'm able to achieve Kerberos authentication, with and without a user certificate, using my iPad, which is not using my Windows server's DNS.

Both the iPad and my other clients are using the same network (my home wifi) and I've also tried by sharing out the data connection from my cell phone.

Given #3 above and the fact that the Java program works from a client that uses my internal DNS, I'm a bit baffled as to why my Java program wouldn't work in both scenarios (i.e. using the internal or the external DNS server).

Do you have any suggestions?

jekennedy
  • Try disabling UDP client-side in `krb5.conf`, it's a known source of problems -- especially when a firewall is involved. And unfortunately Krb still uses UDP by default – Samson Scharfrichter Mar 12 '19 at 07:27
  • You are right. I got it working by setting this in my krb5.conf: udp_preference_limit = 1. I first tried setting forcetcp = true but that didn't do it. Change your comment to an answer and I'll accept it. – jekennedy Mar 12 '19 at 08:54

1 Answer


From the GitBook Hadoop and Kerberos: The Madness Beyond the Gate, section "Error Messages to Fear":

Switching Kerberos to use TCP rather than UDP makes [some bizarre issues] go away ...
Note also UDP is a lot slower to time out ... Kerberos waits ~90 seconds before timing out, which is a long time to notice there's a problem ...

In /etc/krb5.conf:

[libdefaults]
  udp_preference_limit = 1

PS: the "~90 seconds before timing out" may refer specifically to the Java defaults, i.e.

kdc_timeout = 30000
max_retries = 3


Generally speaking, UDP seems to be a root cause for many weird Kerberos issues; cf. How to save Kerberos Service Ticket using a Windows Java client? for instance.
Disabling it systematically might be a "good practice".
Samson Scharfrichter
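As an added example (not code from the question, the answer, the Oracle tutorial or the GitBook), the following Python lint reads the [libdefaults] section of a krb5.conf, reports which transport a Java client would try first for a request of a given size, computes the worst-case wait per KDC from kdc_timeout and max_retries (which is where the ~90 s in the answer comes from), and rewrites the file with the udp_preference_limit = 1 fix. The JDK fallback values (1465 bytes, 30000 ms, 3 retries), the constructed sample config and the 500-byte "typical request" size are assumptions, not something the page states.

```python
"""krb5.conf transport lint for the UDP-first behaviour discussed above.

Constructed example; not code from the Stack Overflow post, the Oracle
tutorial or the GitBook. JAVA_DEFAULTS are assumptions taken from the JDK
Kerberos client (sun.security.krb5.KdcComm); check them against your JDK."""
import re

# Assumed JDK defaults used when the key is absent from [libdefaults].
JAVA_DEFAULTS = {
    "udp_preference_limit": 1465,  # bytes: requests up to this size try UDP first
    "kdc_timeout": 30000,          # milliseconds per attempt (Java reads ms)
    "max_retries": 3,              # attempts per KDC
}
FORCE_TCP_LINE = "  udp_preference_limit = 1"   # the fix from the accepted answer

_SECTION = re.compile(r"^\s*\[(\w+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([\w.]+)\s*=\s*([^#;]*?)\s*(?:[#;].*)?$")


def _classify(lines):
    """Yield (index, kind, data): 'header' with the section name, 'libdefault'
    with the key = value match for flat lines inside [libdefaults], or 'other'.
    Brace depth is tracked so keys inside [realms] { } blocks are ignored."""
    section, depth = None, 0
    for i, line in enumerate(lines):
        m = _SECTION.match(line)
        if m and depth == 0:
            section = m.group(1).lower()
            yield i, "header", section
            continue
        depth += line.count("{") - line.count("}")
        kv = _KEYVAL.match(line)
        if section == "libdefaults" and depth == 0 and kv:
            yield i, "libdefault", kv
        else:
            yield i, "other", None


def parse_libdefaults(text):
    """Flat key = value pairs from [libdefaults]; numeric values become ints."""
    out = {}
    for _, kind, kv in _classify(text.splitlines()):
        if kind == "libdefault":
            key, val = kv.group(1).lower(), kv.group(2)
            out[key] = int(val) if val.lstrip("-").isdigit() else val
    return out


def effective(conf):
    """Settings the Java client would actually use, with defaults filled in."""
    return {k: int(conf.get(k, d)) for k, d in JAVA_DEFAULTS.items()}


def transport_for(conf, request_size):
    """Transport tried first for an encoded request of request_size bytes:
    TCP when it is larger than udp_preference_limit, else UDP, so a limit of 1
    sends every real request over TCP. Only positive limits are modelled;
    the meaning of 0 is implementation specific (assumption)."""
    return "tcp" if request_size > effective(conf)["udp_preference_limit"] else "udp"


def worst_case_seconds(conf):
    """Time a Java client can spend on one unreachable KDC before moving on:
    kdc_timeout (ms) * max_retries; ~90 s with the defaults."""
    e = effective(conf)
    return e["kdc_timeout"] * e["max_retries"] / 1000


def lint(conf, typical_request=500):
    """Findings a reviewer would raise. typical_request is a constructed
    AS-REQ/TGS-REQ size; real sizes vary with pre-auth and PAC data."""
    findings = []
    if transport_for(conf, typical_request) == "udp":
        findings.append("udp_preference_limit=%d: a %d-byte request goes over UDP first"
                        % (effective(conf)["udp_preference_limit"], typical_request))
    if worst_case_seconds(conf) >= 60:
        findings.append("worst case %.0f s per KDC before giving up" % worst_case_seconds(conf))
    return findings


def force_tcp(text):
    """Return text with udp_preference_limit = 1 in [libdefaults]: replace an
    existing value, else add it under the header, else create the section."""
    lines = text.splitlines()
    header_at, replaced = None, False
    for i, kind, data in _classify(lines):
        if kind == "header" and data == "libdefaults":
            header_at = i
        elif kind == "libdefault" and data.group(1).lower() == "udp_preference_limit":
            lines[i] = FORCE_TCP_LINE
            replaced = True
    if not replaced:
        if header_at is None:
            lines[0:0] = ["[libdefaults]", FORCE_TCP_LINE, ""]
        else:
            lines.insert(header_at + 1, FORCE_TCP_LINE)
    return "\n".join(lines) + "\n"


SAMPLE_CONF = """\
# Constructed krb5.conf for this example; not the asker's file.
[libdefaults]
  default_realm = EXAMPLE.COM
  kdc_timeout = 30000   # Java reads this in milliseconds
  max_retries = 3

[realms]
  EXAMPLE.COM = {
    kdc = dc1.example.com
  }
"""

if __name__ == "__main__":
    print("before:", lint(parse_libdefaults(SAMPLE_CONF)))
    fixed = force_tcp(SAMPLE_CONF)
    print(fixed)
    print("after:", lint(parse_libdefaults(fixed)))
```

Run it against a real krb5.conf (`force_tcp(open("/etc/krb5.conf").read())`) to see what the Java client would do with the file as it stands; the timeout finding stays even after forcing TCP, which is why the answer also quotes kdc_timeout and max_retries.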