parthdepani / jzebra

Automatically exported from code.google.com/p/jzebra

Kerberos authentication issues on applet load #199

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Reported by a qz-print user:

Applet takes excessive time to load (10 minutes).  Wireshark shows Kerberos 
requests timing out.

Wireshark logs seem to indicate that the page is trying to authenticate to 
Kerberos, checking all the internal suffixes in DNS before timeout occurs.  
Eventually the applet prompt shows. The timeout process takes about 10 mins.

Original issue reported on code.google.com by tres.fin...@gmail.com on 12 Dec 2013 at 5:29

GoogleCodeExporter commented 9 years ago

Similar to this TechNet post:
http://social.technet.microsoft.com/Forums/forefront/en-US/e59c702f-af5b-4d67-bfe5-d41d854251ea/java-queries-suffixed-domains-in-dns-before-going-to-proxy?forum=Forefrontedgegeneral

- If Kerberos succeeding would fix this, you may be able to set a krb5.ini in 
the Windows directory for Java to read.  I have no experience with this and 
there is almost no documentation about this for clients (mostly Java Enterprise 
Edition systems that use this).
https://forums.oracle.com/message/6387311

- If network permits bypassing of proxy, it can be disabled in the Java 
Control panel (assuming you network access restrictions preventing computers 
from doing this)

- If the timeout is actually caused by the OCSP requests, you may have luck 
with running OCSP Stapling locally.
http://en.wikipedia.org/wiki/OCSP_stapling

- A possible solution is to add exceptions for the machine's IP Address to the 
company firewall.  (not ideal)

- (Again) If OCSP is the cause, one could try disabling OCSP in the Advanced 
tab of the Java Control panel, and/or Do Not Check revocations at all. (not 
ideal)

- Is there a chance PKINIT is using Kerberos to cache OCSPs and as a result is 
blocking the OCSP request?
http://tools.ietf.org/html/rfc4557

- Last, a solution may be to offer a second proxy to the environment which uses 
a different authentication method (and set that in the Java Proxy settings). 
(or debug with Fiddler, etc)

Original comment by tres.fin...@gmail.com on 12 Dec 2013 at 5:30