ilansch

Reputation: 4878

Tomcat Internet Explorer Kerberos authentication 401 unauthorized

We configured Tomcat to work with Windows authentication using Kerberos (we want SSO).
From a different client machine, via Internet Explorer, we send an HTTP GET; the browser returns 401 and the header says Negotiate.
We configured Internet Explorer to use integrated security and added the Tomcat site address as a Local intranet site.

In the Tomcat logs I see:

Loaded from Java config
>>> KdcAccessibility: reset
>>> KrbCreds found the default ticket granting ticket in credential cache.
>>> Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]
  authTime=20160111063609Z
  startTime=20160111063609Z
  endTime=20160111163609Z
  renewTill=null
  flags=INITIAL;PRE-AUTHENT
  EType (skey)=17
  (tkt key)=18
  Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Mon Jan 11 18:36:09 IST 2016

What could be the issue? Is this an Internet Explorer issue, or maybe a Tomcat issue?

Upvotes: 0

Views: 728

Answers (1)

T-Heron

Reputation: 5594

The client and Tomcat server appear to be in different Kerberos realms (I will assume controlled by Active Directory due to the way you tagged your post). That is, the Active Directory domain client is in MY.DOM but the Tomcat server is in NIA.DOM. For this to work as you're expecting, they'll need to be in the same AD domain/Kerberos realm. According to the log snippet, the client and KDC appear to be in the same realm - MY.DOM - according to this:

>>> Obtained TGT from LSA: Credentials:
  [email protected]
  server=krbtgt/[email protected]

But the Tomcat server must not be, because it seems to be asking the client for a referral ticket from a Kerberos realm named NIA.DOM.

Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Mon Jan 11 18:36:09 IST 2016

Examine the AD Trust relationship between MY.DOM and NIA.DOM and make sure it is two-way and not broken.

Upvotes: 1
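The realm comparison the answer walks through, as an added example that is not part of the question, the answer, or Tomcat itself: a small Python script that parses the JGSS debug lines shown above, pulls out the principal's realm and the realm named in the `krbtgt/` service it is going to, and flags a cross-realm referral or an expired ticket. The sample log and the `svc-tomcat` principal name are constructed; MY.DOM and NIA.DOM are the realm names the answer uses.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample of JGSS/Krb5 debug output (-Dsun.security.krb5.debug=true),
# modelled on the question's log; the principal name svc-tomcat is a placeholder.
SAMPLE_LOG = """\
>>> Obtained TGT from LSA: Credentials:
  client=svc-tomcat@MY.DOM
  server=krbtgt/MY.DOM@MY.DOM
  endTime=20160111163609Z
Found ticket for svc-tomcat@MY.DOM to go to krbtgt/NIA.DOM@MY.DOM expiring on Mon Jan 11 18:36:09 IST 2016
"""

PRINCIPAL = r"([^\s@]+)@([A-Za-z0-9.\-]+)"          # name@REALM
FOUND_RE = re.compile(r"^Found ticket for " + PRINCIPAL + r" to go to " + PRINCIPAL, re.M)
ENDTIME_RE = re.compile(r"^\s*endTime=(\d{14})Z", re.M)

@dataclass
class TicketView:
    client_realm: str
    service: str        # e.g. "krbtgt/NIA.DOM" or "HTTP/tomcat.my.dom"
    service_realm: str  # realm that issued the ticket

def parse_jgss_debug(text: str) -> Optional[TicketView]:
    """Pull the principal realms out of the 'Found ticket for ... to go to ...' line."""
    m = FOUND_RE.search(text)
    if not m:
        return None
    _client, client_realm, service, service_realm = m.groups()
    return TicketView(client_realm, service, service_realm)

def ticket_end_time(text: str) -> Optional[datetime]:
    """endTime is a UTC generalized time (YYYYMMDDhhmmssZ)."""
    m = ENDTIME_RE.search(text)
    return datetime.strptime(m.group(1) + "+0000", "%Y%m%d%H%M%S%z") if m else None

def diagnose(view: TicketView) -> str:
    """Classify what the ticket line says about the SPNEGO handshake."""
    if view.service.startswith("krbtgt/"):
        target_realm = view.service.split("/", 1)[1]
        if target_realm != view.client_realm:
            return (f"cross-realm referral: client realm {view.client_realm}, "
                    f"target realm {target_realm}; check the trust between them")
        return "only the client's own TGT is present; no HTTP/ service ticket obtained"
    if not view.service.startswith("HTTP/"):
        return f"ticket is for {view.service}, not an HTTP/ SPN"
    return f"service ticket for {view.service}@{view.service_realm} obtained"

if __name__ == "__main__":
    view = parse_jgss_debug(SAMPLE_LOG)
    print(diagnose(view), "| ticket valid until", ticket_end_time(SAMPLE_LOG))
```

Run it against the real debug output (with `-Dsun.security.krb5.debug=true` on the Tomcat JVM) to see which realm the ticket actually points at before touching the trust configuration.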
