kerberos / spnego

miten mehta imiten at
Wed Oct 10 03:12:16 EDT 2012

Hi Benjamin,

I configured firefox for no sspi and also added domain to network.negotiate-auth.trusted-uris and then when I try reaching a page I get in catalina log: - - [10/Oct/2012:12:30:33 +0530] "GET /jsf-sso/supervisor_teller.xhtml HTTP/1.1" 401 5

It shows nothing more.  I do not see any ticket send from browser to tomcat and no auth request made by tomcat to kdc.

When I use IE with setting of host added to local intranet it no more prompts for user/pass but then the catalina logs show that it has issue of token:

Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)



 From: Benjamin Kaduk <kaduk at MIT.EDU>
To: miten mehta <imiten at> 
Cc: "kerberos at" <kerberos at MIT.EDU> 
Sent: Wednesday, October 10, 2012 2:51 AM
Subject: Re: kerberos / spnego
On Mon, 8 Oct 2012, miten mehta wrote:

> Hi Booker,
> I am using Internet Explorer 9 and assume it should be configured already for spnego.  The webapp as such has to do some auth prompting so I guess it starts out dong jaas based basic auth.  I am just following pretty much the article at spring security and their samples.

I've had a much easier time getting firefox to do SPNEGO than IE9.
If you are using an external kerberos (MIT or heimdal) you will need to tell firefox to disable sspi (in about:config).  Both IE and firefox need to be told which sites they are permitted to use negotiate auth against, though -- firefox has a negotiate.trusted-uris entry in about:config, and IIRC IE needs hostnames configured to be in the local intranet zone.

In my own testing, I was only ever able to get IE9 to do SPNEGO if I explicitly inserted the correct service ticket into the MSLSA cache manually, or if the machine was joined to an AD domain.

-Ben Kaduk

More information about the Kerberos mailing list