
I am trying to implement Kerberos SSO in our network using SPNEGO on a Tomcat server.

We have created an account (TCNKRBGINA) on the domain for the preauthentication, and setspn'ed it to the http server:

Setspn -A HTTPS/testtech.etat-ge.ch TCNKRBGINA
Setspn -A HTTP/testtech.etat-ge.ch TCNKRBGINA

But the client (IE or Firefox) sends an NTLM token instead of a Kerberos ticket.

The problem doesn't seem to be on the server side because, when no Authorization header is sent, it correctly returns a 401 status code with a WWW-Authenticate: Negotiate header. The next request sent by the client contains the NTLM token, before the server had a chance to contact the domain controller.

Sven
Maurice Perry

1 Answer

Got it, thanks to Wireshark. The server name testtech.etat-ge.ch was defined in the DNS as an alias for bleutest.ceti.etat-ge.ch. It seems that the name used by Kerberos is obtained by a reverse-lookup.

Maurice Perry
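The symptom in the question (an NTLM message arriving where a Kerberos ticket was expected) can be confirmed from the HTTP request alone, before reaching for Wireshark. This is an added example, not code from the poster or from Tomcat: it base64-decodes the `Authorization: Negotiate` value and tells a raw NTLMSSP message apart from a GSS-API token by the mechanism OID that leads the token; the sample header values are constructed, and the OID table is assumed to cover only the mechanisms named here.

```python
import base64
# Well-known GSS-API mechanism OIDs that may lead a Negotiate token.
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos v5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def decode_oid(raw: bytes) -> str:
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this sub-identifier
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def der_length(buf: bytes, pos: int) -> tuple:
    """Return (length, position after the length field) for DER at pos."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate_token(header_value: str) -> str:
    """Report what the client really sent in Authorization: Negotiate.
    An NTLM fallback is a raw message starting with "NTLMSSP\\0"; a real
    GSS-API token is an [APPLICATION 0] wrapper (0x60) led by its mech OID."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return f"unexpected scheme: {scheme}"
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM (raw NTLMSSP message, no Kerberos ticket)"
    if not token or token[0] != 0x60:
        return "unrecognised token"
    _, pos = der_length(token, 1)
    if token[pos] != 0x06:
        return "GSS-API token without a leading mechanism OID"
    oid_len, pos = der_length(token, pos + 1)
    oid = decode_oid(token[pos:pos + oid_len])
    return MECH_OIDS.get(oid, f"GSS-API mechanism {oid}")

# Constructed sample header values (not captured from the poster's network).
NTLM_SAMPLE = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01" + b"\x00" * 30).decode()
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(b"\x60\x08\x06\x06\x2b\x06\x01\x05\x05\x02").decode()
```

Feeding it the value the browser actually sent shows whether the client even attempted Kerberos; a raw NTLMSSP result points at the SPN or name-resolution setup (as the CNAME in the answer) rather than at the server's handling of the ticket.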