473 # krb5.kdc.bad.policy = tryLess:2,2000 |
473 # krb5.kdc.bad.policy = tryLess:2,2000 |
474 # |
474 # |
475 krb5.kdc.bad.policy = tryLast |
475 krb5.kdc.bad.policy = tryLast |
476 |
476 |
477 # |
477 # |
|
478 # Kerberos cross-realm referrals (RFC 6806) |
|
479 # |
|
480 # OpenJDK's Kerberos client supports cross-realm referrals as defined in |
|
481 # RFC 6806. This allows to setup more dynamic environments in which clients |
|
482 # do not need to know in advance how to reach the realm of a target principal |
|
483 # (either a user or service). |
|
484 # |
|
485 # When a client issues an AS or a TGS request, the "canonicalize" option |
|
486 # is set to announce support of this feature. A KDC server may fulfill the |
|
487 # request or reply referring the client to a different one. If referred, |
|
488 # the client will issue a new request and the cycle repeats. |
|
489 # |
|
490 # In addition to referrals, the "canonicalize" option allows the KDC server |
|
491 # to change the client name in response to an AS request. For security reasons, |
|
492 # RFC 6806 (section 11) FAST scheme is enforced. |
|
493 # |
|
494 # Disable Kerberos cross-realm referrals. Value may be overwritten with a |
|
495 # System property (-Dsun.security.krb5.disableReferrals). |
|
496 sun.security.krb5.disableReferrals=false |
|
497 |
|
498 # Maximum number of AS or TGS referrals to avoid infinite loops. Value may |
|
499 # be overwritten with a System property (-Dsun.security.krb5.maxReferrals). |
|
500 sun.security.krb5.maxReferrals=5 |
|
501 |
|
502 # |
478 # Algorithm restrictions for certification path (CertPath) processing |
503 # Algorithm restrictions for certification path (CertPath) processing |
479 # |
504 # |
480 # In some environments, certain algorithms or key lengths may be undesirable |
505 # In some environments, certain algorithms or key lengths may be undesirable |
481 # for certification path building and validation. For example, "MD2" is |
506 # for certification path building and validation. For example, "MD2" is |
482 # generally no longer considered to be a secure hash algorithm. This section |
507 # generally no longer considered to be a secure hash algorithm. This section |