How to use Java with Kerberos

Article #: Product Castle
1733 All All


Java does not support Kerberos and therefore may not work with the proxy.

This article describes how to force Java through a different proxy, other than the system settings proxy.


Oracle Java supports NTLM authentication through proxies but does not support Kerberos.

Given the widespread use of Java applets in web sites, this can make switching to Kerberos difficult


  1. Configure Kerberos authentication on the primary proxy port but also create a secondary port running NTLM authentication — see
  2. Use group policy to deploy a .config file to each workstation to:
  3. %WinDir%\Oracle\Java\Deployment\deployment.config

  4. This file should contain two lines:
    • deployment.system.config="http://<YOUR-INTRANET-SERVER>/"
    • (URL to deployment file hosted on a web server)

    • deployment.system.config.mandatory=false
    • (Set to true to enforce settings — Java will not run if it cannot fetch the deployment file)

  5. Create a file to a web server accessible to all clients (typically, an internal intranet server).
  6. This file will contain any options you wish to configure for Java.

  7. Add the following to to force Java to use a different proxy than the browser:
    • deployment.proxy.bypass.list=<local_addresses_to_bypass_proxy>
    • (For example, deployment.proxy.bypass.list=",smoothwall,smoothwall.local")

    • deployment.proxy.bypass.local=true
    • (For example,

    • deployment.proxy.http.port=<port_for_NTLM_authentication_policy>
    • (For example, deployment.proxy.http.port=9090)

    • deployment.proxy.type=1
    • deployment.proxy.same=true

Tip: Use the same address and port for HTTPS/FTP traffic.

Note: If you are hosting the file on an IIS web server, ensure you have added a text mime type for .properties files otherwise the server will refuse to serve it. Further technical details on deploying Java can be found here:


Last updated: Author: Contributions by:
23 August 2016   DMT