kdc_timeout is not being honoured when using TCP

    • b120
    • generic
    • generic
    • Verified

The kdc_timeout value configured in the krb5.conf file is not being honoured when using TCP to communicate with a KDC. This can lead to lengthy delays and result in slow failover. Also, a SocketTimeoutException thrown by sun.security.krb5.internal.TCPClient is not handled, which means the KDC servers are not retried. This behaviour is inconsistent with the UDP communication equivalent.

Steps to reproduce:

1) Firewall off the master KDC from your client device (DROP packets)
2) Enable -Dsun.security.krb5.debug=true when starting your java app.
3) Perform a login() using the Krb5LoginModule to the realm whose master KDC is uncontactable.
4) With UDP, the debug messages will show the 30 secs timeout and the 3 retries to the unavailable KDC. Then failover to the secondary KDC.
5) Add "udp_preference_limit = 1" into [libdefaults] in your krb5.conf file
6) Retry step #3
7) With TCP forced, the debug messages will show the 30 secs timeout not being honoured (this part now becomes system dependent), and also the 3 retries are not performed as the SocketTimeoutException from the connect() is not being handled correctly.

On an Ubuntu 10.04 workstation using JDK 6u20, the TCP connection automatically times out after 15 seconds and no retries take place.

On a SPARC Solaris 10 server using JDK 6u20, the TCP connection takes around 3.5 minutes to time out. This results in extremely slow logins.
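The reproduction steps above, as an added timing harness (example code written for this page, not part of the bug report or of the JDK). It writes a krb5.conf listing two KDCs, sets the Kerberos debug property, performs a Krb5LoginModule login through a programmatic JAAS configuration, and reports the wall-clock time of the login. The realm, KDC hostnames, principal and password are placeholders (assumptions) to be replaced with the environment under test; the master KDC must be blackholed with a DROP rule before running. Because the JDK caches its parsed krb5.conf per JVM, the UDP and TCP cases are selected by a command-line argument and run in separate JVM invocations.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Timing harness for the KDC failover behaviour described in JDK-6952519.
 * Added example, not code from the bug report or the JDK.
 * Usage: java KdcFailoverTiming udp   (steps 1-4)
 *        java KdcFailoverTiming tcp   (steps 5-7, forces TCP via udp_preference_limit = 1)
 */
public class KdcFailoverTiming {

    // Assumed placeholders: replace with the realm and KDCs under test.
    static final String REALM = "EXAMPLE.COM";
    static final String MASTER_KDC = "kdc1.example.com";    // firewalled (DROP) during the test
    static final String SECONDARY_KDC = "kdc2.example.com"; // reachable
    static final String PRINCIPAL = "testuser";
    static final char[] PASSWORD = "changeit".toCharArray();

    /** Writes a krb5.conf; forceTcp adds udp_preference_limit = 1 (step 5). */
    static Path writeKrb5Conf(boolean forceTcp) throws IOException {
        StringBuilder sb = new StringBuilder();
        sb.append("[libdefaults]\n");
        sb.append("  default_realm = ").append(REALM).append('\n');
        sb.append("  kdc_timeout = 30000\n");  // milliseconds in the JDK's krb5.conf parser: 30 s
        sb.append("  max_retries = 3\n");       // the 3 retries seen in the UDP trace
        if (forceTcp) {
            sb.append("  udp_preference_limit = 1\n"); // any request larger than 1 byte uses TCP
        }
        sb.append("[realms]\n");
        sb.append("  ").append(REALM).append(" = {\n");
        sb.append("    kdc = ").append(MASTER_KDC).append('\n');    // tried first
        sb.append("    kdc = ").append(SECONDARY_KDC).append('\n'); // failover target
        sb.append("  }\n");
        Path conf = Files.createTempFile("krb5-", ".conf");
        Files.write(conf, sb.toString().getBytes(StandardCharsets.UTF_8));
        return conf;
    }

    /** JAAS configuration selecting Krb5LoginModule without a jaas.conf file. */
    static Configuration krb5Config() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, String> opts = new HashMap<>();
                opts.put("debug", "true");           // module-level trace
                opts.put("useTicketCache", "false"); // force a real AS exchange with the KDC
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, opts)
                };
            }
        };
    }

    /** Supplies the test principal and password to the login module. */
    static CallbackHandler handler() {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(PRINCIPAL);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(PASSWORD);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    /** Performs one login (step 3 / step 6) and returns the elapsed wall-clock milliseconds. */
    static long timeLogin(boolean forceTcp) throws IOException {
        System.setProperty("java.security.krb5.conf", writeKrb5Conf(forceTcp).toString());
        System.setProperty("sun.security.krb5.debug", "true"); // step 2, set before first use
        long start = System.nanoTime();
        try {
            LoginContext lc = new LoginContext("Krb5Test", null, handler(), krb5Config());
            lc.login();
            lc.logout();
            System.out.println("login succeeded (after failover to " + SECONDARY_KDC + ")");
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
        }
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) throws IOException {
        boolean forceTcp = args.length > 0 && args[0].equalsIgnoreCase("tcp");
        long ms = timeLogin(forceTcp);
        System.out.println((forceTcp ? "TCP" : "UDP") + " login took " + ms + " ms");
    }
}
```

With the master KDC blackholed, the UDP run should take roughly kdc_timeout times max_retries (about 90 s with the values above) before the trace shows the secondary KDC being contacted. In an affected build the TCP run takes whatever the operating system's connect() timeout happens to be (15 s on the reporter's Ubuntu host, about 3.5 minutes on Solaris) and the trace shows no retries; a build containing the fix should show the same timeout and retry pattern over TCP as over UDP.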

              weijun Weijun Wang
              madean Matt Dean (Inactive)