I am trying to implement kerberos SSO in our network using spnego on a tomcat server.
We have created an account (TCNKRBGINA) on the domain for the preauthentication, and setspn'ed it to the http server:
Setspn -A HTTPS/testtech.etat-ge.ch TCNKRBGINA
Setspn -A HTTP/testtech.etat-ge.ch TCNKRBGINA
But the client (IE or Firefox) sends an NTLM token instead of a kerberos ticket.
The problem doesn't seem to be on the server side because, when no Authorization header is sent, it correctly returns a 401 status code with a WWW-Authenticate: Negotiate
header. The next request sent by the client contains the NTLM token, before the server had a chance to contact the domain controller.