--- old/src/share/lib/security/java.security-windows	2014-06-24 15:54:44.000000000 +0800
+++ new/src/share/lib/security/java.security-windows	2014-06-24 15:54:44.000000000 +0800
@@ -379,33 +379,6 @@
 # Example,
 #   ocsp.responderCertSerialNumber=2A:FF:00
 
-#
-# Policy for failed Kerberos KDC lookups:
-#
-# When a KDC is unavailable (network error, service failure, etc), it is
-# put inside a blacklist and accessed less often for future requests. The
-# value (case-insensitive) for this policy can be:
-#
-# tryLast
-#    KDCs in the blacklist are always tried after those not on the list.
-#
-# tryLess[:max_retries,timeout]
-#    KDCs in the blacklist are still tried by their order in the configuration,
-#    but with smaller max_retries and timeout values. max_retries and timeout
-#    are optional numerical parameters (default 1 and 5000, which means once
-#    and 5 seconds). Please notes that if any of the values defined here is
-#    more than what is defined in krb5.conf, it will be ignored.
-#
-# Whenever a KDC is detected as available, it is removed from the blacklist.
-# The blacklist is reset when krb5.conf is reloaded. You can add
-# refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
-# reloaded whenever a JAAS authentication is attempted.
-#
-# Example,
-#   krb5.kdc.bad.policy = tryLast
-#   krb5.kdc.bad.policy = tryLess:2,2000
-krb5.kdc.bad.policy = tryLast
-
 # Algorithm restrictions for certification path (CertPath) processing
 #
 # In some environments, certain algorithms or key lengths may be undesirable