Why Kerberos authentication in Java does not support direct IP access or host alias access

StackOverflow https://stackoverflow.com/questions/16830650

  •  30-05-2022

Question

My computer (Windows, JDK7 update 21 x64), such as mybox.domain2.company.com, is connected to a domain of my company. I can access a site via three different URLs:

http://mysite.domain1.company.com

or

http://XXX.XXX.XXX.XXX(ip format)

or

http://mysitealias

via negotiate authentication in IE, Firefox, etc. Here domain1.company.com and domain2.company.com are two domains in my company. This site is placed in IIS 7, and its authentication is "Negotiate".

After googling and configuring Kerberos, I can use URLConnection in Java to access http://mysite.domain1.company.com. However, I can use the IP or the host alias in browsers to do that, but not in Java. Can anyone achieve direct IP access or host alias access?

krb5.conf:

[libdefaults]
    default_realm = DOMAIN2.COMPANY.COM
    default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[domain_realm]
    .domain1.company.com = DOMAIN1.COMPANY.COM
    .domain2.company.com = DOMAIN2.COMPANY.COM

login.conf:

com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required;
};

(Please note all host names are just given out for example.)


Solution

Kerberos is not designed to work on IP addresses. Stick to hostnames only.
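
An added illustration (not part of the original question or answer, and not JDK code): a small Java pre-flight check that prints the host-based service principal a Kerberos client would derive from each of the question's three URL forms, using the [domain_realm] rules from the krb5.conf above. The class name, the sample address 192.0.2.10 and the fallback to default_realm for unmatched hosts are assumptions made for this example.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class SpnPreflight {
    // Values copied from the krb5.conf in the question.
    static final String DEFAULT_REALM = "DOMAIN2.COMPANY.COM";
    static final Map<String, String> DOMAIN_REALM = new LinkedHashMap<>();
    static {
        DOMAIN_REALM.put(".domain1.company.com", "DOMAIN1.COMPANY.COM");
        DOMAIN_REALM.put(".domain2.company.com", "DOMAIN2.COMPANY.COM");
    }

    static boolean isIpLiteral(String host) {
        // Dotted-quad IPv4, or IPv6 (URI.getHost() keeps the brackets and colons).
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    static String realmFor(String host) {
        for (Map.Entry<String, String> rule : DOMAIN_REALM.entrySet()) {
            if (host.endsWith(rule.getKey())) return rule.getValue();
        }
        // Simplification (assumption): hosts matching no rule get default_realm.
        return DEFAULT_REALM;
    }

    static String check(String url) {
        String host = URI.create(url).getHost();
        if (host == null) return url + " -> no host component, cannot build a principal";
        host = host.toLowerCase(Locale.ROOT);
        String spn = "HTTP/" + host + "@" + realmFor(host);
        String note;
        if (isIpLiteral(host)) {
            note = "IP literal: service principals are registered by name";
        } else if (!host.contains(".")) {
            note = "unqualified alias: no [domain_realm] rule matches, default realm assumed";
        } else {
            note = "FQDN: realm chosen by [domain_realm]";
        }
        return url + " -> " + spn + " (" + note + ")";
    }

    public static void main(String[] args) {
        // 192.0.2.10 is a constructed stand-in for the elided IP in the question.
        String[] urls = {"http://mysite.domain1.company.com", "http://192.0.2.10", "http://mysitealias"};
        for (String u : urls) System.out.println(check(u));
    }
}
```

Only the fully qualified name lands in DOMAIN1.COMPANY.COM, the realm the question associates with the site; the other two forms produce principals in the client's default realm that the KDC would need to have registered under exactly that name.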

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow