Reputation: 1731
I followed all the steps mentioned in the http://spnego.sourceforge.net/spnego_tomcat.html (SPNEGO sample test code HelloKDC.java is working as expected) but Single Sign On is not working.
Our domain name is ITLAB (Active Directory domain); it has two machines, "Win8Serv" and "Win8Client".
Tomcat7 is running on the "Win8Serv" machine with "KerbServUser@ITLAB" credentials. Now I logged into "Win8Client" with "KerbServUser@ITLAB" credentials. I entered "http://Win8Serv.itlab.com:8181/hello_spnego.jsp" in the IE browser (SSO options enabled for IE, Integrated Windows Authentication enabled); it prompts a login window (it should not ask for credentials).
I debugged the SPNEGO code; it is using basic auth. In SpnegoAuthenticator.java:

    // SpnegoProvider decides which scheme the client's Authorization header carries
    final SpnegoAuthScheme scheme = SpnegoProvider.negotiate(req, resp, basicSupported, this.promptIfNtlm, serverRealm);

    if (scheme.isNegotiateScheme()) {
        principal = doSpnegoAuth(scheme, resp);
    // BASIC scheme
    } else if (scheme.isBasicScheme()) { // it is entering Basic Scheme
        principal = doBasicAuth(scheme, resp);
    }
Do you have suggestions to fix this problem?
Please let me know if you need any additional information.
Upvotes: 1
Views: 665
Reputation: 5594
You need to have the SPN HTTP/win8serv.itlab.com registered on the AD user account [email protected]. Client machines need to locate the FQDN in DNS, which will be your Tomcat server, and next locate the HTTP service point in the KDC (runs on your AD domain controller) to get a Kerberos service ticket for the HTTP service being run by Tomcat. When the FQDN in the SPN matches the FQDN in DNS, your client machine knows right where it needs to go, which is what Kerthikeyan was driving at.
Your web browser must have the site http://win8serv.itlab.com listed in its "Local Intranet" zone, as Windows will transmit credential information (in this case, the Kerberos service ticket) to web servers which ask for it (which Tomcat needs to do) for authentication.
Upvotes: 2
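The two preconditions in this answer (an HTTP/FQDN SPN on the service account, and the site in the Local Intranet zone) each leave a distinct fingerprint in what the browser sends, which is also why the question's authenticator ends up in the Basic branch. The following added example (not code from the spnego project or from either poster) is a small triage helper: it derives the SPN the browser will ask for from the typed URL, classifies the Authorization header Tomcat received (none, Basic, NTLM inside Negotiate, or a Kerberos/GSS-API token inside Negotiate), and maps the combination to which check to do first. The SPN list and the sample headers are constructed for the example; in practice the list would come from `setspn -L <account>` and the header from a request log or debugger.

```python
"""Triage helper for a Kerberos/SPNEGO SSO failure (added example, not part
of the spnego project). All sample values below are constructed."""
import base64
import binascii
from urllib.parse import urlparse


def expected_spn(url: str) -> str:
    """SPN the browser asks the KDC for: service class HTTP plus the host
    exactly as typed in the URL. Assumes the port is not part of the SPN,
    which is the browser default. urlparse lowercases the host."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host}"


def classify_authorization(header):
    """Return which mechanism the client actually used.

    'none'     -> no header at all (browser never offered credentials)
    'basic'    -> Basic scheme (the branch the question's code fell into)
    'ntlm'     -> Negotiate header carrying an NTLM token (no Kerberos
                  ticket could be obtained, so Windows fell back to NTLM)
    'kerberos' -> Negotiate header carrying a GSS-API/SPNEGO token
    """
    if not header:
        return "none"
    scheme, _, token = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    # Every NTLM message starts with the signature "NTLMSSP\0".
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # A GSS-API initial context token (SPNEGO or raw Kerberos) is a DER
    # [APPLICATION 0] construct, so its first byte is 0x60.
    if raw[:1] == b"\x60":
        return "kerberos"
    return "unknown"


def diagnose(url, authorization_header, registered_spns):
    """Combine the header classification with the SPN check and return a
    verdict code plus a hint naming the precondition to verify first."""
    spn = expected_spn(url)
    spn_registered = spn.lower() in {s.lower() for s in registered_spns}
    kind = classify_authorization(authorization_header)

    if kind == "none":
        verdict = "check-intranet-zone"
        hint = "no Authorization header: the browser offered no credentials at all"
    elif kind == "kerberos":
        verdict = "kerberos-token"
        hint = "client presented a Kerberos ticket; the problem is server-side if SSO still fails"
    elif kind in ("basic", "ntlm"):
        if not spn_registered:
            verdict = "check-spn"
            hint = f"{spn} is not registered, so no Kerberos ticket could be issued"
        else:
            verdict = "check-intranet-zone"
            hint = "SPN exists but the browser did not use Kerberos; check the zone the site is in"
    else:
        verdict = "unexpected-token"
        hint = f"unrecognised Authorization header kind: {kind}"

    return {"scheme": kind, "expected_spn": spn,
            "spn_registered": spn_registered, "verdict": verdict, "hint": hint}


# Constructed sample values, not captured traffic.
URL = "http://Win8Serv.itlab.com:8181/hello_spnego.jsp"
SAMPLE_BASIC = "Basic " + base64.b64encode(b"KerbServUser:example-password").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27)).decode()
SAMPLE_KERB = "Negotiate " + base64.b64encode(
    b"\x60\x10\x06\x06\x2b\x06\x01\x05\x05\x02" + bytes(8)).decode()
SPNS_AFTER_FIX = ["HTTP/win8serv.itlab.com", "HTTP/win8serv"]

if __name__ == "__main__":
    # The question's situation: Basic credentials arrive, no SPN registered yet.
    print(diagnose(URL, SAMPLE_BASIC, []))
    # After setspn: Kerberos token arrives.
    print(diagnose(URL, SAMPLE_KERB, SPNS_AFTER_FIX))
```

The SPN comparison is case-insensitive because Active Directory treats SPNs that way, but the host portion must still match the name the browser resolves in DNS, as the answer says; a CNAME or a short name typed in the URL produces a different SPN than the FQDN.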