Toni Toni - 1 year ago 67
Java Question

Apache Http Client 4.5.2 Kerberos authentication takes too long

I use Apache HTTP client for Kerberos authentication. I have the following problem:
between the 401 and 200 responses from the server it takes between 90 and 300 seconds, depending on the request.

I tried to set the connection timeout, socket timeout and connection manager timeout without any result.

Wireshark tells me following:

after 401 response from server:

client -> ACK
server -> FIN, ACK
client -> ACK

-- break between 90 to 300 seconds --

client -> GET url
server -> RST

From here the 200 response starts and everything is OK. I do not understand why Apache HTTP client does not close the connection and reopen a new one. Why does it take so long?

Any help would be appreciated.

There are several KDC servers and not all of them are available; the reason for the delay is the max_retries of 3 and the 30-second per-request timeout.
I tried to configure the krb5.conf file, but it seems that Kerberos does not consider this:

kdc_timeout = 2000
max_retries = 1

Answer Source

I've enabled Kerberos logging (redirecting System.out and System.err into a file) and discovered that not all KDCs respond to my client, so the non-responding ones delayed the response by 30 sec. x 3 tries = 90 sec. per non-responding KDC.

Solved by setting in the configuration file:

max_retries = 1
kdc_timeout = 1500 (milliseconds)

Update: the path to the Kerberos config file was in URI format, which did not work, so I use the absolute path.
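
An added example, not part of the original question or answer: a small Java preflight that checks the value given to the `java.security.krb5.conf` system property is an absolute, readable file path rather than a URI, and computes the worst-case delay per unresponsive KDC from the `[libdefaults]` section. The class and method names are hypothetical, the sample file is constructed, and plain-integer `kdc_timeout` values are assumed to be milliseconds, as stated in the answer.

```java
import java.nio.file.*;
import java.util.*;

public class Krb5Preflight {
    // Defaults as reported on this page: 30 s per attempt, 3 attempts.
    static final int DEFAULT_TIMEOUT_MS = 30_000, DEFAULT_RETRIES = 3;

    /** Returns null if the path is usable, otherwise the reason it is not. */
    static String pathProblem(String p) {
        if (p == null) return "java.security.krb5.conf is not set";
        // A scheme of two or more characters (file:, http:) marks a URI; "C:/" is not matched.
        if (p.matches("^[a-zA-Z][a-zA-Z0-9+.-]+:/.*")) return "URI form, use an absolute file path";
        Path path = Paths.get(p);
        if (!path.isAbsolute()) return "relative path";
        return Files.isReadable(path) ? null : "file missing or unreadable";
    }

    /** Collects key = value pairs that sit under [libdefaults]; other sections are skipped. */
    static Map<String, String> libdefaults(List<String> lines) {
        Map<String, String> out = new HashMap<>();
        String section = "";
        for (String raw : lines) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
            if (line.startsWith("[") && line.endsWith("]")) { section = line; continue; }
            int eq = line.indexOf('=');
            if (eq > 0 && section.equals("[libdefaults]"))
                out.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return out;
    }

    /** Worst-case wait in ms spent on unresponsive KDCs before a live one is reached. */
    static long worstCaseMs(Map<String, String> d, int deadKdcs) {
        int timeout = Integer.parseInt(d.getOrDefault("kdc_timeout", "" + DEFAULT_TIMEOUT_MS));
        int retries = Integer.parseInt(d.getOrDefault("max_retries", "" + DEFAULT_RETRIES));
        return (long) timeout * retries * deadKdcs;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample file using the values from the answer above.
        Path conf = Files.createTempFile("krb5", ".conf");
        Files.write(conf, List.of("[libdefaults]", "  max_retries = 1", "  kdc_timeout = 1500"));
        for (String p : new String[] { conf.toUri().toString(), conf.toAbsolutePath().toString() }) {
            String problem = pathProblem(p);
            System.out.println(p + " -> " + (problem == null ? "ok" : problem));
        }
        System.out.println("tuned:    " + worstCaseMs(libdefaults(Files.readAllLines(conf)), 1) + " ms per dead KDC");
        System.out.println("defaults: " + worstCaseMs(Map.of(), 1) + " ms per dead KDC");
    }
}
```

Running the JVM with `-Dsun.security.krb5.debug=true` shows which KDCs are actually contacted, which confirms whether the tuned file was loaded.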