RFR 8078439: Kerberos auth fails if client proposes MS krb5 OID

Weijun Wang weijun.wang at oracle.com
Sat Apr 25 04:19:37 UTC 2015

Hi All

Please review a fix at


This is a regression triggered by JDK-8048194. In SPNEGO, a client might 
send NegTokenInit with OIDs being {MS_KRB5_OID, KRB5_OID} along with a 
krb5 AP-REQ as mechToken. Java did not understand MS_KRB5_OID but before 
JDK-8048194 it blindly accepted the mechToken and everything just went 
on fine. After JDK-8048194, it rejects the unknown OID and cannot 
establish a security context.

The fix adds a tweak to recognize the MS_KRB5_OID.


Can you try out the patch on jdk8u?


More information about the security-dev mailing list