JBoss Negotiate

Thomas Maslen Thomas.Maslen at quest.com
Sat Mar 14 22:20:36 EDT 2009

Let me guess...  you're probably running JBoss on a Windows machine that is joined to the Active Directory domain?

If so, then the problem is:  you have got your SPN mappings wrong.  (i.e. the hostname in the URL that you are using in the browser doesn't match any SPN mapping that you have set up).

So, when the browser asks AD for a Kerberos service ticket to HTTP/foo.example.com, AD doesn't find an explicit SPN mapping on your service object, so it doesn't use your service object.  If AD doesn't find an explicit SPN mapping for HTTP/foo.example.com, it implicitly maps HTTP/foo.example.com to the AD Computer object for foo.example.com (equivalently, HOST/foo.example.com).  This works nicely for Microsoft IIS but for other SPNEGO implementations it produces the rather nonobvious error that you are seeing at present.
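The SPN lookup rule described in the reply above, replayed as an added Python example (not code from the original post, from JBoss or from the author) over constructed `setspn -L` output; the account names, hostnames and listed SPNs are assumptions made for the illustration.

```python
# Added example, not from the original post: replay the KDC rule described
# above against `setspn -L` output, so the URL-hostname/SPN mismatch is
# visible before the browser hits the opaque SPNEGO error.
from urllib.parse import urlparse

# Constructed sample in the layout `setspn -L <account>` prints: a header line
# with the account DN, then one indented SPN per line. Names are made up.
SETSPN_OUTPUT = {
    "svc-jboss": (
        "Registered ServicePrincipalNames for CN=svc-jboss,OU=Services,DC=example,DC=com:\n"
        "        HTTP/jboss.example.com\n"
        "        HTTP/jboss\n"
    ),
    "JBOSS01$": (
        "Registered ServicePrincipalNames for CN=JBOSS01,CN=Computers,DC=example,DC=com:\n"
        "        HOST/jboss01.example.com\n"
        "        HOST/JBOSS01\n"
    ),
}

def parse_setspn(text):
    """SPNs from one `setspn -L` block, lower-cased (AD matches SPNs case-insensitively)."""
    return {line.strip().lower() for line in text.splitlines()[1:] if line.strip()}

def resolve_http_spn(url, inventory):
    """Mimic the KDC: an explicit HTTP/<host> SPN on any account wins; otherwise
    HTTP/<host> is treated as HOST/<host>, i.e. the computer account."""
    host = urlparse(url).hostname.lower()
    for account, spns in inventory.items():
        if f"http/{host}" in spns:
            return {"spn": f"http/{host}", "account": account, "explicit": True}
    for account, spns in inventory.items():
        if f"host/{host}" in spns:
            return {"spn": f"host/{host}", "account": account, "explicit": False}
    return {"spn": f"http/{host}", "account": None, "explicit": False}

def diagnose(url, raw=SETSPN_OUTPUT):
    """One-line verdict for the hostname in url against the setspn inventory."""
    host = urlparse(url).hostname
    hit = resolve_http_spn(url, {a: parse_setspn(o) for a, o in raw.items()})
    if hit["explicit"]:
        return f"OK: {hit['spn']} is explicit on {hit['account']}; ticket uses its key"
    if hit["account"]:
        return (f"MISMATCH: no HTTP/{host} SPN; KDC falls back to {hit['spn']} on "
                f"{hit['account']}, so the ticket is not decryptable with the service keytab")
    return f"UNKNOWN: no account holds HTTP/{host} or HOST/{host}"

if __name__ == "__main__":
    for u in ("http://jboss.example.com/app", "http://jboss01.example.com:8080/app"):
        print(diagnose(u))
```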
