- CSR
- Resolution: Approved
- P3
- None
- None
- behavioral
- minimal
- System or security property
- JDK
Summary
Java decodes KerberosString using ASCII by default. It should be UTF-8 now.
Problem
KerberosString was defined to be GeneralString (IA5String) in RFC 4120, which should only contain the first 128 characters of ASCII. However, the RFC also acknowledges that "Other implementations have been known to use GeneralString to contain a UTF-8 encoding". It even anticipates that "Future revisions to this protocol will almost certainly allow for a more interoperable representation of principal names, probably including UTF8String."
While there is no such "future revision" yet, krb5 vendors are starting to use UTF-8. We introduced a system property ("sun.security.krb5.msinterop.kstring") back in JDK-6862679 to interoperate with Windows. When this system property is set to "true", UTF-8 is used. The default value is still "false" as of today.
It should be "true" now. MIT krb5, the reference implementation of Kerberos, is using UTF-8.
Solution
Change the default value of "sun.security.krb5.msinterop.kstring" to "true".
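The following is an added example, not code from the JDK or from this CSR. It shows what the charset choice means for a non-ASCII KerberosString on the wire: decoding UTF-8 bytes as ASCII loses the name and makes two different names compare equal. The class name, the sample names and the simplified short-form DER handling are constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;

public class KerberosStringDecodeDemo {
    static final int TAG_GENERAL_STRING = 0x1B; // ASN.1 universal tag 27

    // DER-encode a GeneralString; short-form length only (content <= 127 bytes).
    static byte[] encode(String s, Charset cs) {
        byte[] content = s.getBytes(cs);
        if (content.length > 127) {
            throw new IllegalArgumentException("demo handles short-form lengths only");
        }
        byte[] der = new byte[content.length + 2];
        der[0] = (byte) TAG_GENERAL_STRING;
        der[1] = (byte) content.length;
        System.arraycopy(content, 0, der, 2, content.length);
        return der;
    }

    // Check tag and length, then decode the content bytes with the given charset.
    static String decode(byte[] der, Charset cs) {
        if (der.length < 2 || (der[0] & 0xFF) != TAG_GENERAL_STRING) {
            throw new IllegalArgumentException("not a GeneralString");
        }
        int len = der[1] & 0xFF;
        if (len > 127 || len != der.length - 2) {
            throw new IllegalArgumentException("unsupported or inconsistent length");
        }
        return new String(der, 2, len, cs);
    }

    public static void main(String[] args) {
        // Constructed sample names, as a UTF-8 peer would send them.
        String a = "j\u00fcrgen"; // u-umlaut, UTF-8 bytes C3 BC
        String b = "j\u00f6rgen"; // o-umlaut, UTF-8 bytes C3 B6
        byte[] wireA = encode(a, StandardCharsets.UTF_8);
        byte[] wireB = encode(b, StandardCharsets.UTF_8);

        // ASCII decoding maps every byte >= 0x80 to U+FFFD.
        String asciiA = decode(wireA, StandardCharsets.US_ASCII);
        String asciiB = decode(wireB, StandardCharsets.US_ASCII);
        System.out.println("ASCII round-trip ok:  " + asciiA.equals(a));
        System.out.println("ASCII names collide:  " + asciiA.equals(asciiB));

        // UTF-8 decoding recovers both names and keeps them distinct.
        String utf8A = decode(wireA, StandardCharsets.UTF_8);
        String utf8B = decode(wireB, StandardCharsets.UTF_8);
        System.out.println("UTF-8 round-trip ok:  " + (utf8A.equals(a) && utf8B.equals(b)));
        System.out.println("UTF-8 names collide:  " + utf8A.equals(utf8B));
    }
}
```

A deployment that needs the previous ASCII decoding after this change would set the property explicitly, for example with `-Dsun.security.krb5.msinterop.kstring=false`.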
Specification
This is a private system property.
- csr of JDK-8200152 KerberosString should use UTF-8 by default (Closed)