Tags: java, active-directory, kerberos, kdc

Kerberos - How are timeout and number of retries configuration parameters set?


My application authenticates users via Active Directory Kerberos. I'm using kerb4j, https://github.com/bedrin/kerb4j, which ultimately uses sun.security.krb5 code. When my application attempts authentication, I see the following in stdout (after specifying VM arg sun.security.krb5.debug=true):

>>> KrbKdcReq send: kdc=server123.myserver.com. UDP:88, timeout=30000, number of retries =3, #bytes=1542
>>> KDCCommunication: kdc=server123.myserver.com. UDP:88, timeout=30000,Attempt=1, #bytes=1542
SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=server123.myserver.com. UDP:88, timeout=30000,Attempt=2, #bytes=1542
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=server123.myserver.com. UDP:88, timeout=30000,Attempt=3, #bytes=1542
SocketTimeOutException with attempt: 3

Where are timeout and number of retries specified? Is this a KDC property specified on the AD servers? Can it be configured at the application level? If so, how?


Solution

  • Timeout and number of retries are hard-coded in GSSAPI on the application server, not in Active Directory. UDP is being blocked by firewalls somewhere along the path. Just make your application use TCP, instead of UDP, to communicate with Kerberos. You can do this by editing /etc/krb5.conf on the application server:

    [libdefaults]
        udp_preference_limit = 1
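A fuller krb5.conf fragment, added here as an illustration and not taken from the answer above, shows the TCP-forcing setting alongside the two other [libdefaults] keys that the JDK's Kerberos client (sun.security.krb5) reads for exactly the values printed in the debug output: kdc_timeout (in milliseconds for the JDK, default 30000) and max_retries (default 3). The realm, hostnames and paths are placeholders. If the file is not at the platform default location (/etc/krb5.conf on Linux), point the JVM at it with -Djava.security.krb5.conf=/path/to/krb5.conf.

```ini
# Added example krb5.conf (placeholder realm and hosts; not the original answer's file)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Any KDC request larger than 1 byte is sent over TCP, so UDP is never tried first.
    # This is the setting the answer above recommends.
    udp_preference_limit = 1
    # Keys the JDK's Kerberos client reads for the "timeout=" and "number of retries ="
    # values seen in the debug output. The JDK interprets kdc_timeout in milliseconds.
    kdc_timeout = 10000
    max_retries = 2

[realms]
    EXAMPLE.COM = {
        kdc = server123.example.com:88
        admin_server = server123.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

After the change, the same debug output should report the KDC exchange as TCP:88 rather than UDP:88 on the KrbKdcReq send line, which is the quickest way to confirm the file was actually picked up by the JVM.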