On 05/15/2017 06:43 AM, Matt Darwin wrote:
> So it looks like the client is sending
>
> oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com
>
> as the SnameString (presumably the SPN), when it should be sending:
>
> d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com

I don't appear to have access to your DNS information from here. My guess is that oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com is the result of a PTR query on the IP address of the server, while d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com is the preferred forward record name.

If I'm right about that, what you're looking for is a way to get the JVM Kerberos implementation to suppress the reverse DNS lookup when canonicalizing the server name. In MIT krb5, that would be accomplished with the "rdns" setting in krb5.conf; for details, see:

http://web.mit.edu/kerberos/krb5-latest/doc/admin/princ_dns.html

It's possible that the same setting might work for the Java implementation, but I'm not certain.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
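
The name mismatch discussed in the message above, as an added example that is not part of the original post and is neither MIT krb5 nor JVM code: a simplified model of forward-then-reverse hostname canonicalization that reports the SPN a client would request with the reverse lookup on and off. The sample address, the `host` service name and all function names are assumptions; only the two hostnames come from the thread.

```python
import socket

# Constructed sample records: hostnames are the two from the thread, the
# address is a documentation-range placeholder, not the poster's real server.
SAMPLE_A = {"d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com": "192.0.2.51"}
SAMPLE_PTR = {"192.0.2.51": "oc-10-252-134-51.nat-ucfc2z3b.usdv1.mycloud.com."}

def sample_forward(host):
    """Offline stand-in for a forward lookup: (canonical name, address)."""
    return host, SAMPLE_A[host]

def sample_reverse(addr):
    """Offline stand-in for a PTR lookup; None when no record exists."""
    return SAMPLE_PTR.get(addr)

def dns_forward(host):
    """Live forward lookup, asking the resolver for the canonical name."""
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    return info[0][3] or host, info[0][4][0]

def dns_reverse(addr):
    """Live PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None

def service_hostname(host, rdns, forward=dns_forward, reverse=dns_reverse):
    """Hostname part of the SPN after canonicalization (simplified model)."""
    name, addr = forward(host)
    if rdns:
        # With reverse lookup on, a PTR answer replaces the forward name.
        name = reverse(addr) or name
    return name.rstrip(".").lower()

def spn_report(host, service="host", forward=dns_forward, reverse=dns_reverse):
    """Compare SPNs with and without rdns; 'host' is an assumed service name."""
    on = service_hostname(host, True, forward, reverse)
    off = service_hostname(host, False, forward, reverse)
    return {"rdns_on": f"{service}/{on}", "rdns_off": f"{service}/{off}",
            "mismatch": on != off}

if __name__ == "__main__":
    name = "d59407.ddapoc.ucfc2z3b.usdv1.mycloud.com"
    print(spn_report(name, forward=sample_forward, reverse=sample_reverse))
```

Calling `spn_report(name)` without the sample resolvers runs the same comparison against the machine's real resolver, which shows whether a PTR record would change the requested principal.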