OV7

Reputation: 11

Kerberos authentication stops after the AS-REP stage

I'm running a Tomcat 8 web server. I wanted to force the users to use Kerberos SSO authentication, so I disabled all NTLM communication on the server.

On my debug environment, everything runs smoothly using this guide. When moving to my production, using a different domain and server, the authentication fails.

While comparing the wireshark results on clients of the two environments, I noticed that successfully connecting to the server contains the following packets:

HTTP GET (client -> server)
HTTP 401 Unauthorized (server -> client) (WW-Authenticate: Negotiate)
AS-REQ (client -> DC)
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (DC -> client) (I understand that this is normal?)
AS-REQ (client -> DC)
AS-REP (DC -> client)
TGS-REQ (client -> DC)
TGS-REP (DC -> client)

On my production environment, using similar client-side and server-side configurations (as far as I know), the client stops after the AS-REP packet, and instead of requesting a ticket with a TGS-REQ packet, immediately sends an HTTP GET NTLMSSP_NEGOTIATE packet.

I can't find the reason for this to happen. I've compared the similar packets between the two clients and I can't find any differences. It looks like the client just gives up after receiving the AS-REP from the server and, instead of requesting a Kerberos ticket, just decides to use NTLM authentication.

I turned on Kerberos logging and I receive no errors, and there are no packets between the AS-REP and the NTLM request (except for a TCP FIN packet to the DC).

Does anyone know what could cause such a problem? I've been looking everywhere and can't seem to find much information about this issue.

Upvotes: 1

Views: 4765

Answers (1)

green marker

Reputation: 1649

KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED (DC -> client) - this is normal. It's because preauthentication is turned on by default to increase security. The client first sends an AS-REQ without preauth, and if that request is rejected, sends the AS-REQ again with preauth.

When you're modifying configuration, for example to troubleshoot Kerberos issues, remember to always clean the Kerberos cache before running another test. Otherwise you'll be frustrated that you're changing configuration but can't see effects - all because cached Kerberos tickets will be used. You can use KerbTray to purge the cache.

Why NTLM? Because AD can't find a user with the requested SPN. For HTTP servers it should look like: HTTP/@REALM. AD must find exactly one user, because it needs his/her password to generate the TGS.

Upvotes: 1
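The SPN lookup the answer describes can be verified on the domain side before touching the Tomcat configuration. The following PowerShell is an added example, not code from the question or the answer; the host name is a placeholder and it assumes the ActiveDirectory RSAT module is installed on a domain-joined machine.

```powershell
# Added example: check how many AD objects hold the SPN a browser will
# request for the Tomcat host. The KDC must resolve it to exactly one
# account to issue a service ticket (TGS); zero or duplicate matches
# leave the client with no ticket, and it falls back to NTLM.
Import-Module ActiveDirectory

# Placeholder: the FQDN clients type into their browser, not an alias.
$TomcatFqdn = 'tomcat.example.com'
$Spn        = "HTTP/$TomcatFqdn"

# Forest-wide LDAP search for the SPN; @() forces an array so .Count works
# for zero and one results as well.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties servicePrincipalName, objectClass)

switch ($holders.Count) {
    0 {
        Write-Warning "No account holds $Spn. Clients cannot obtain a service ticket and will fall back to NTLM."
        Write-Warning "Register it on the account Tomcat runs as, e.g.: setspn -S $Spn <service account>"
    }
    1 {
        Write-Output "$Spn is held by $($holders[0].DistinguishedName) ($($holders[0].objectClass))"
    }
    default {
        Write-Warning "$Spn is registered on $($holders.Count) objects (duplicate SPN); the KDC cannot pick one:"
        $holders | Select-Object DistinguishedName, objectClass
    }
}

# Cross-check with the built-in tool: -Q queries the SPN, -X lists duplicates.
setspn -Q $Spn
setspn -X
```

Run it against the production domain after purging the client ticket cache as the answer suggests, so that a later test reflects the corrected SPN rather than a cached result.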
