IC98630: KERBEROS TCP REQUESTS TO MIT KDC MIGHT FAIL DUE TO CONNECTION REUSE
Fixes are available
Fix packs for DataPower XML Security Gateway version 6.0
Fix packs for DataPower B2B Appliance version 6.0
Fix packs for DataPower Integration Appliance version 6.0
Fix packs for DataPower Low Latency Appliance version 6.0
Fix packs for DataPower Service Gateway version 6.0
Fix packs for DataPower Service Gateway version 6.0.1
Fix packs for DataPower B2B Appliance version 6.0.1
Fix packs for DataPower Integration Appliance version 6.0.1
Closed as program error.
On DataPower version 6.0.0, the Kerberos client attempts to reuse its TCP connection to the KDC when a ticket fetch requires multiple rounds of request/response, such as when pre-authentication is required (the first AS-REQ is answered with a KRB-ERROR of KDC_ERR_PREAUTH_REQUIRED and the client must send a second AS-REQ carrying pre-authentication data). If the KDC does not support TCP connection reuse, the ticket fetch and the AP-REQ token generation fail. The failure looks like this in the DataPower logs:

[0x8140001b][kerberos][error] mpgw(sample_mgw): tid(1234)[request][22.214.171.124]: get-apreq: network error receiving reply from Kerberos KDC

The two most common KDC implementations are Microsoft Active Directory and MIT Kerberos. The MIT Kerberos KDC closes the TCP stream after each response and therefore triggers this problem. The Microsoft Active Directory KDC keeps the stream open for follow-up requests and does not trigger it. The Kerberos specification (RFC 4120, section 7.2.2) does not require a KDC to keep the TCP stream open: it permits the KDC to close the stream after sending a response and requires the client to be prepared for that, so other KDC implementations not mentioned here might also trigger this problem.
Configure the Kerberos client to use UDP instead of TCP, or disable pre-authentication on the KDC for this principal so that the ticket fetch completes in a single round trip. Alternatively, use a KDC that supports TCP connection reuse.

Two caveats apply to these workarounds. Disabling pre-authentication lets anyone who knows the principal name obtain an AS-REP encrypted under the principal's long-term key and guess the password offline, so it should only be considered for a principal with a strong, randomly generated key. Over UDP, a KDC whose reply does not fit in a datagram returns KRB_ERR_RESPONSE_TOO_BIG and the client is expected to retry over TCP, which brings the connection-reuse problem back for large replies.
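The two-round AS exchange and the two client strategies described above, as an added example that is not part of this APAR or of DataPower's code: a Python script with a minimal fake KDC on 127.0.0.1 that uses the RFC 4120 section 7.2.2 TCP length-prefix framing and either closes the stream after each reply (MIT-like) or keeps it open (AD-like), and a client that either reuses the stream across the two rounds (the 6.0.0 behaviour) or opens a fresh stream per round. The message bodies are constructed placeholders, not ASN.1 Kerberos messages; the placeholders, the function names and the fake KDC itself are assumptions made for the illustration.

```python
import socket
import struct
import threading

# RFC 4120 section 7.2.2 framing: over TCP every KRB_KDC_REQ, KRB_KDC_REP and
# KRB_ERROR is preceded by its length as 4 octets in network byte order, and the
# client MUST be prepared for the KDC to close the stream after any response.
# The message bodies below are constructed placeholders for the ASN.1 messages;
# only the framing and the connection handling are exercised here.
AS_REQ_NO_PREAUTH = b"AS-REQ (no pre-authentication data)"
KRB_ERROR_PREAUTH_REQUIRED = b"KRB-ERROR KDC_ERR_PREAUTH_REQUIRED"
AS_REQ_WITH_PREAUTH = b"AS-REQ (PA-ENC-TIMESTAMP)"
AS_REP = b"AS-REP (ticket)"
KRB_ERROR_GENERIC = b"KRB-ERROR KRB_ERR_GENERIC"


def send_krb_tcp(sock, msg):
    sock.sendall(struct.pack("!I", len(msg)) + msg)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TCP stream")
        buf += chunk
    return buf


def recv_krb_tcp(sock):
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length & 0x80000000:  # high bit is reserved by RFC 4120 for future expansion
        raise ValueError("reserved high bit set in Kerberos TCP length prefix")
    return _recv_exact(sock, length)


def start_kdc(close_after_each_reply):
    """Start a minimal fake AS-exchange server on 127.0.0.1 and return its address.

    close_after_each_reply=True mimics the MIT KDC (one request per TCP stream);
    False mimics Active Directory, which keeps the stream open for follow-ups.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen()

    def serve():
        while True:
            conn, _ = listener.accept()
            with conn:
                while True:
                    try:
                        req = recv_krb_tcp(conn)
                    except ConnectionError:
                        break
                    if req == AS_REQ_NO_PREAUTH:
                        send_krb_tcp(conn, KRB_ERROR_PREAUTH_REQUIRED)
                    elif req == AS_REQ_WITH_PREAUTH:
                        send_krb_tcp(conn, AS_REP)
                    else:
                        send_krb_tcp(conn, KRB_ERROR_GENERIC)
                    if close_after_each_reply:
                        break  # MIT-style: close the stream after one reply

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()


def fetch_ticket(kdc_addr, reuse_stream):
    """Run the two-round AS exchange a pre-authenticating principal needs.

    reuse_stream=True sends the second AS-REQ on the stream the first one used
    (the DataPower 6.0.0 behaviour); False opens a fresh stream for each round.
    Returns ("ok", AS-REP bytes) or ("error", message).
    """
    sock = socket.create_connection(kdc_addr, timeout=5)
    try:
        send_krb_tcp(sock, AS_REQ_NO_PREAUTH)
        reply = recv_krb_tcp(sock)
        if reply != KRB_ERROR_PREAUTH_REQUIRED:
            return ("error", reply.decode())
        if not reuse_stream:
            sock.close()
            sock = socket.create_connection(kdc_addr, timeout=5)
        send_krb_tcp(sock, AS_REQ_WITH_PREAUTH)
        reply = recv_krb_tcp(sock)
        return ("ok", reply) if reply == AS_REP else ("error", reply.decode())
    except (ConnectionError, socket.timeout):
        # The condition DataPower reports as
        # "get-apreq: network error receiving reply from Kerberos KDC".
        return ("error", "network error receiving reply from Kerberos KDC")
    finally:
        sock.close()


if __name__ == "__main__":
    mit_like = start_kdc(close_after_each_reply=True)
    ad_like = start_kdc(close_after_each_reply=False)
    print("MIT-like KDC, stream reused:", fetch_ticket(mit_like, reuse_stream=True))
    print("MIT-like KDC, fresh stream: ", fetch_ticket(mit_like, reuse_stream=False))
    print("AD-like KDC,  stream reused:", fetch_ticket(ad_like, reuse_stream=True))
```

Running the script shows the three outcomes: the stream-reusing client fails against the MIT-like KDC with the same network error the log line above reports, while the client that opens a fresh stream per round succeeds against both servers, and the reusing client succeeds only against the AD-like server. A client that reconnects for each round, or that reconnects when the stream turns out to be closed after a reply, is correct against any KDC that follows RFC 4120.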
A DataPower Kerberos client that fetches a ticket from an MIT KDC over TCP in order to build an AP-REQ might receive a network error.
Fix is available in 126.96.36.199 and 188.8.131.52. For a list of the latest fix packs available, please see: http://www-01.ibm.com/support/docview.wss?uid=swg21237631