kerberos / spnego

miten mehta imiten at
Tue Oct 9 01:21:26 EDT 2012


I am using jdk 1.7 on win 7 and jdk 1.6 on debian.



 From: Booker Bense <bbense at>
To: miten mehta <imiten at> 
Cc: "kerberos at" <kerberos at> 
Sent: Monday, October 8, 2012 7:44 PM
Subject: Re: kerberos / spnego
On Mon, Oct 8, 2012 at 5:21 AM, miten mehta <imiten at> wrote:
> Hi,
> I have attempted kerberos for SSO for web app using spring-security and have doubts.  would appreciate if one can take look at my post here and advise.

If the software is really capable of doing SPENGO, you should never
need to enter your password into the web application. That's the whole
Most browsers need some configuration tweaks to enable SPENGO, I think
only Explorer will do it out of the box. If the web app has
a valid keytab and support for SPENGO, it should never need to talk to the KDC.

It looks like what is really happening is that the software is
attempting to use some form of basic auth where it requests a
and uses kerberos to verify the password. The error message you are
seeing suggests that the kerberos library it's using doesn't have
support for PRE-AUTH ( old version of Java?)

If you want support for kerberos in Java, you should be using at least
1.6. Most prior versions have very broken kerberos support.

If you're willing to live with username/pw on the web application,
then you'll likely have better luck using LDAP rather than kerberos.

- Booker C. Bense

More information about the Kerberos mailing list