RFR 8132111: Do not request for addresses for forwarded TGT

Weijun Wang weijun.wang at oracle.com
Wed Jul 22 03:22:46 UTC 2015

Hi All

Please review the code change at


Java Kerberos was designed to provide the addresses of a service when 
requesting for a forwarded TGT. However, the field was never filled, 
because of a bug that the service principal does not have the 
KRB_NT_SRV_HST nameType. (It has always been KRB_NT_UNKNOWN).

In JDK-8031111, we "fixed" this and the addresses field is now always sent.

However, it is well known in the Kerberos community that it's difficult 
to get the correct addresses. For example, the service and the client 
might be inside a NAT but the KDC is not. If the addresses observed by 
the client and the KDC are different, such a ticket will be rejected 
when the service is trying to use it.

For this reason, other krb5 vendors do not use the addresses field in a 
forwarded TGT request. We will remove it in this fix. This is also the 
actual behavior of Java before JDK-8031111.


More information about the security-dev mailing list