Kerberos System Properties, Security Properties, and Environment Variables
The following table lists system properties, security properties, and environment variables related to Kerberos.
Note: Some properties are both a security property and a system property. If you set a value for the system property, then it overrides any value set as a security property. See How to Specify a java.lang.System Property and How to Specify a java.security.Security Property.

Table 7-2 Kerberos Properties and Environment Variables

Name | Type | Description | Default Value |
---|---|---|---|
KRB5CCNAME | Environment variable | Specifies the complete path name to the Kerberos credentials cache (CC) file. | Operating system-dependent. For Linux and macOS, it is /tmp/krb5cc_userid |
LOGONSERVER | Environment variable | On Windows, the default KDC if a krb5.conf file cannot be found or it does not contain settings for the default realm's KDC. See Locating the krb5.conf Configuration File. | See Locating the krb5.conf Configuration File |
USERDNSDOMAIN | Environment variable | On Windows, the default realm if a krb5.conf file cannot be found or it does not contain settings for the default realm. See Locating the krb5.conf Configuration File. | See Locating the krb5.conf Configuration File |
jdk.security.krb5.default.initiate.credential | Security property and system property | Specifies the policy for the proxy_impersonator Kerberos ccache configuration entry. The proxy_impersonator ccache configuration entry indicates that the ccache is a synthetic delegated credential for use with the Service for User to Proxy (S4U2proxy) Kerberos extension by an intermediate server. The ccache file should also contain the Ticket Granting Ticket (TGT) of this server and an evidence ticket from the default principal of the ccache to this server. The value of this security property determines how Java uses this configuration entry. It can have one of the following values: | always-impersonate |
jdk.security.krb5.name.case.sensitive | Security property and system property | When looking up a keytab or ccache entry for a Kerberos principal, the principal name is compared with the entry name in a case-insensitive manner. However, many Kerberos implementations treat principal names as case-sensitive. As a result, if two principals have names that differ only by case, there is a risk of selecting the incorrect keytab or ccache entry. | false |
jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket | Security property and system property | Specifies the policy for a nonforwardable service ticket in an S4U2proxy request. The Service for User to Proxy (S4U2proxy) Kerberos extension enables a middle service to obtain a service ticket to another service on behalf of a user. It requires that the user's service ticket to the first service has the forwardable flag set. However, some KDC implementations ignore this requirement and accept service tickets with the flag unset. If this security property is set to | false |
krb5.kdc.bad.policy | Security property and system property | Specifies the policy for failed Kerberos KDC lookups. When a KDC is unavailable (because of, for example, a network error or service failure), it is put inside a secondary list and accessed less often for future requests. The value of this security property can be one of the following: Whenever a KDC is detected as available, it is removed from the secondary list. The secondary list is reset when | tryLast |
sun.security.krb5.disableReferrals | Security property and system property | Disables Kerberos cross-realm referrals. The JDK's Kerberos client supports cross-realm referrals as defined in RFC 6806: Kerberos Principal Name Canonicalization and Cross-Realm Referrals. This allows setting up more dynamic environments in which clients do not need to know in advance how to reach the realm of a target principal (either a user or a service). When a client issues a Kerberos Authentication Service (AS) or Ticket-Granting Service (TGS) request, the "canonicalize" option is set to announce support of this feature. A KDC server may fulfill the request or reply by referring the client to a different KDC. If referred, the client issues a new request and the cycle repeats. In addition to referrals, the "canonicalize" option allows the KDC server to change the client name in response to an AS request. For security reasons, the FAST scheme is enforced. See RFC 6806, section 11, "Negotiation of FAST and Detecting Modified Requests." | false |
sun.security.krb5.maxReferrals | Security property and system property | Maximum number of AS or TGS referrals, to avoid infinite loops. | 5 |
java.security.krb5.conf | System property | Specifies the location of the | None |
java.security.krb5.kdc | System property | Specifies the default KDC for the default realm specified by | None |
java.security.krb5.realm | System property | Specifies the default realm. See Setting Properties to Indicate the Default Realm and KDC for more information. | None |