Kerberos System Properties, Security Properties, and Environment Variables

The following table lists system properties, security properties, and environment variables related to Kerberos.

Note:

Some properties are both a security property and a system property. If you set a value for the system property, then it overrides any value set as a security property. See How to Specify a java.lang.System Property and How to Specify a java.security.Security Property.

Table 7-2 Kerberos Properties and Environment Variables

KRB5CCNAME
Type: Environment variable
Description: Specifies the complete path name to the Kerberos credentials cache (CC) file.
Default value: Operating system-dependent. For Linux and macOS, it is /tmp/krb5cc_userid.

LOGONSERVER
Type: Environment variable
Description: On Windows, the default KDC if a krb5.conf file cannot be found or it does not contain settings for the default realm's KDC. See Locating the krb5.conf Configuration File.
Default value: See Locating the krb5.conf Configuration File.

USERDNSDOMAIN
Type: Environment variable
Description: On Windows, the default realm if a krb5.conf file cannot be found or it does not contain settings for the default realm. See Locating the krb5.conf Configuration File.
Default value: See Locating the krb5.conf Configuration File.
jdk.security.krb5.default.initiate.credential
Type: Security property and system property
Description: Specifies the policy for the proxy_impersonator Kerberos ccache configuration entry.

The proxy_impersonator ccache configuration entry indicates that the ccache is a synthetic delegated credential for use with the Service for User to Proxy (S4U2proxy) Kerberos extension by an intermediate server. The ccache file should also contain the Ticket Granting Ticket (TGT) of this server and an evidence ticket from the default principal of the ccache to this server.

The value of this security property determines how Java uses this configuration entry. It can have one of the following values:

  • no-impersonate: Ignore this configuration entry, and always act as the owner of the TGT (if it exists).
  • try-impersonate: Try impersonation when this configuration entry exists. If no matching TGT or evidence ticket is found, fall back to no-impersonate.
  • always-impersonate: Always impersonate when this configuration entry exists. If no matching TGT or evidence ticket is found, no initial credential is read from the ccache.

Default value: always-impersonate
jdk.security.krb5.name.case.sensitive
Type: Security property and system property
Description: If true, then the comparison of principal names during keytab and credentials cache (ccache) entry lookup is case-sensitive. The default value is false to ensure backward compatibility.

When looking up a keytab or ccache entry for a Kerberos principal, the principal name is compared with the entry name in a case-insensitive manner. However, many Kerberos implementations treat principal names as case-sensitive. As a result, if two principals have names that differ only by case, there is a risk of selecting the incorrect keytab or ccache entry.

Default value: false
jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket
Type: Security property and system property
Description: Specifies the policy for a nonforwardable service ticket in an S4U2proxy request.

The Service for User to Proxy (S4U2proxy) Kerberos extension enables a middle service to obtain a service ticket to another service on behalf of a user. It requires that the user's service ticket to the first service has the forwardable flag set. However, some KDC implementations ignore this requirement and accept service tickets with the flag unset.

If this security property is set to true, then:

  • The user service ticket, when obtained by the middle service after an S4U2self impersonation, is not required to have the forwardable flag.
  • If an S4U2proxy request receives a KRB_ERROR with the KDC_ERR_BADOPTION error code and the ticket to the middle service is not forwardable, then the JDK will try the same request with another KDC instead of treating it as a fatal failure.

Default value: false
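The S4U2self followed by S4U2proxy exchange described above, driven from JGSS, as an added example (not code from the JDK documentation). It assumes the JVM already holds the middle service's own TGT (for example from a Krb5LoginModule login with a keytab), that the KDC permits delegation from this service to the backend, and that the principal names are placeholders.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * Middle service obtaining a ticket to a backend on behalf of a user through JGSS:
 * S4U2self (impersonate) followed by S4U2proxy (createContext with the impersonated
 * credential). Assumes this service's own TGT is already available to the JVM.
 */
public class ConstrainedDelegationClient {
    /** Kerberos V5 mechanism OID. */
    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Returns the first context token to send to backendService, authenticating as user. */
    public static byte[] initialTokenOnBehalfOf(String user, String backendService)
            throws GSSException {
        GSSManager mgr = GSSManager.getInstance();
        // This service's own credential (its TGT) from the current Subject or ccache.
        GSSCredential self = mgr.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);
        // S4U2self: obtain the evidence ticket from user to this service. The KDC should
        // mark it forwardable; if it does not, the S4U2proxy step below fails unless
        // jdk.security.krb5.s4u2proxy.acceptNonForwardableServiceTicket=true (default false).
        GSSName userName = mgr.createName(user, GSSName.NT_USER_NAME);
        GSSCredential asUser = ((ExtendedGSSCredential) self).impersonate(userName);
        // S4U2proxy: present the evidence ticket to get a ticket to the backend as user.
        GSSName backend = mgr.createName(backendService, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(backend, KRB5_MECH, asUser, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        return ctx.initSecContext(new byte[0], 0, 0);
    }

    public static void main(String[] args) throws GSSException {
        // Placeholder principal names for this example.
        byte[] token = initialTokenOnBehalfOf("alice@EXAMPLE.COM", "HTTP@backend.example.com");
        System.out.println("Initial AP-REQ token: " + token.length + " bytes");
    }
}
```

The returned token is what the backend's acceptor receives; the backend sees alice, not the middle service, as the initiator.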
krb5.kdc.bad.policy
Type: Security property and system property
Description: Specifies the policy for failed Kerberos KDC lookups. When a KDC is unavailable (because of, for example, a network error or service failure), it is put inside a secondary list and accessed less often for future requests.

The value of this security property can be one of the following:

  • tryLast: KDCs in the secondary list are always tried after those not on the list. Example:

    krb5.kdc.bad.policy = tryLast
  • tryLess[:max_retries,timeout]: KDCs in the secondary list are still tried in their order in the configuration, but with smaller max_retries and timeout values. max_retries and timeout are optional numerical parameters (default 1 and 5000, which means once and 5 seconds). Note that if any of the values defined here are larger than the corresponding values defined in krb5.conf, they will be ignored. Example:

    krb5.kdc.bad.policy = tryLess:2,2000

Whenever a KDC is detected as available, it is removed from the secondary list. The secondary list is reset when krb5.conf is reloaded. You can add refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is reloaded whenever a JAAS authentication is attempted.

Default value: tryLast
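Setting the failover policy and the refreshKrb5Config option together for a keytab-based service login, as an added example (not code from the JDK documentation). The keytab path, principal and JAAS entry name are placeholders; the policy value is the tryLess example from the description above.

```java
import java.security.Security;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Service login that sets the KDC failover policy and reloads krb5.conf on every attempt. */
public class KdcFailoverLogin {
    static final String KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /**
     * Programmatic equivalent of this JAAS configuration file entry (placeholder values):
     *   Service { com.sun.security.auth.module.Krb5LoginModule required
     *             useKeyTab=true keyTab="/etc/app/service.keytab" principal="HTTP/app.example.com"
     *             storeKey=true doNotPrompt=true refreshKrb5Config=true; };
     */
    static Configuration jaasConfig(String keytab, String principal) {
        Map<String, String> opts = new HashMap<>();
        opts.put("useKeyTab", "true");
        opts.put("keyTab", keytab);
        opts.put("principal", principal);
        opts.put("storeKey", "true");
        opts.put("doNotPrompt", "true");
        // Reload krb5.conf for each login; this also resets the secondary (bad KDC) list.
        opts.put("refreshKrb5Config", "true");
        AppConfigurationEntry entry =
                new AppConfigurationEntry(KRB5_MODULE, LoginModuleControlFlag.REQUIRED, opts);
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "Service".equals(name) ? new AppConfigurationEntry[] { entry } : null;
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        // Keep krb5.conf order, but give KDCs on the secondary list only 2 retries and a
        // 2 s timeout; values above krb5.conf's max_retries / kdc_timeout are ignored. Must be
        // set before the first Kerberos operation; -Dkrb5.kdc.bad.policy=... overrides it.
        Security.setProperty("krb5.kdc.bad.policy", "tryLess:2,2000");
        Configuration.setConfiguration(jaasConfig("/etc/app/service.keytab", "HTTP/app.example.com"));
        LoginContext lc = new LoginContext("Service");
        lc.login(); // an unreachable KDC here is moved to the secondary list for later requests
        System.out.println("Logged in as " + lc.getSubject().getPrincipals());
    }
}
```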
sun.security.krb5.disableReferrals
Type: Security property and system property
Description: Disables Kerberos cross-realm referrals.

The JDK's Kerberos client supports cross-realm referrals as defined in RFC 6806: Kerberos Principal Name Canonicalization and Cross-Realm Referrals. This allows more dynamic environments to be set up, in which clients do not need to know in advance how to reach the realm of a target principal (either a user or a service).

When a client issues a Kerberos Authentication Service (AS) or Ticket-Granting Service (TGS) request, the "canonicalize" option is set to announce support of this feature. A KDC server may fulfill the request or reply referring the client to a different one. If referred, the client issues a new request and the cycle repeats.

In addition to referrals, the "canonicalize" option allows the KDC server to change the client name in response to an AS request. For security reasons the FAST scheme is enforced. See RFC 6806, section 11, "Negotiation of FAST and Detecting Modified Requests."

Default value: false
sun.security.krb5.maxReferrals
Type: Security property and system property
Description: Maximum number of AS or TGS referrals to follow, to avoid infinite loops.
Default value: 5
java.security.krb5.conf
Type: System property
Description: Specifies the location of the krb5.conf file. See Locating the krb5.conf Configuration File for more information.
Default value: None

java.security.krb5.kdc
Type: System property
Description: Specifies the default KDC for the default realm specified by java.security.krb5.realm. See Setting Properties to Indicate the Default Realm and KDC for more information.
Default value: None

java.security.krb5.realm
Type: System property
Description: Specifies the default realm. See Setting Properties to Indicate the Default Realm and KDC for more information.
Default value: None