
I have a Tomcat webapp that supports Kerberos authentication. It works fine and I can log in to that app if I use a built-in account like LOCAL SYSTEM or NETWORK SERVICE, but I'm having problems with setting up a non-default domain account for the Tomcat service.

I have registered the necessary SPNs:

C:\Users\Administrator>setspn -l tomcatuser1
Registered ServicePrincipalNames for CN=tomcatuser1,CN=Users,DC=blah,DC=com:
        HTTP/Unicorn.blah.com
        HTTP/Unicorn

After that I was able to log in from other machines in the domain, but not from the machine where the Tomcat service is running. I don't have any issues if I use IP addresses though. I also checked that I'm not running into the loopback issue, but it doesn't seem to affect anything.

As a result, when I'm requesting a web page using a host name I get a 401 response. From the logs I see that negotiation is happening in multiple steps and the last step is the server saying that the authorization token I supplied is invalid. The actual error message is "The handle specified is invalid", corresponding to the SEC_E_INVALID_HANDLE Windows error.

Could it be related to Kerberos setup or is it a network issue?


1 Answer


Could it be related to Kerberos setup or is it a network issue?

Kerberos setup is closely linked with network configuration, so it's not easy to blame the culprit and pardon the other.

When it's really not a loopback issue, it could still be an IPv4 vs. IPv6 issue:

If all clients use DNS to reverse-resolve (A resp. AAAA records), but the server has different hostname entries for its IPv4 and IPv6 addresses in a local "hosts" file for itself and/or for the respective KDCs, that can cause negotiation failures because the principals mismatch.

So my advice is to compare reverse name resolution of the server and one client.
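The comparison the answer recommends, as an added PowerShell diagnostic that is not part of the question or answer: it resolves the Tomcat host name over DNS (A and AAAA), reverse-resolves each address (PTR), and lists local hosts-file overrides for that name. It assumes the host name from the question (Unicorn.blah.com) and the default Windows hosts-file path; run it on the server and on one working client and compare the two outputs.

```powershell
# Added diagnostic (not from the question or answer). Compares forward DNS
# (A/AAAA) with reverse DNS (PTR) for the Tomcat host and flags hosts-file
# overrides, since a PTR or hosts entry that differs from the SPN host part
# (HTTP/<name>) leads to principal mismatches during Kerberos negotiation.
param(
    # Host name taken from the question's SPN registration (assumption)
    [string]$HostName  = 'Unicorn.blah.com',
    [string]$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
)

# Forward lookups straight from DNS; -DnsOnly bypasses the hosts file and cache
$forward = foreach ($type in 'A', 'AAAA') {
    Resolve-DnsName -Name $HostName -Type $type -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq $type } |
        ForEach-Object { [pscustomobject]@{ Type = $type; Address = $_.IPAddress } }
}
if (-not $forward) { Write-Warning "No A/AAAA records found for $HostName"; return }

# Reverse lookups: every PTR name should equal the SPN host part for Kerberos
$reverse = foreach ($rec in $forward) {
    $ptr = Resolve-DnsName -Name $rec.Address -Type PTR -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'PTR' } |
        ForEach-Object { $_.NameHost.TrimEnd('.') }
    [pscustomobject]@{
        Type      = $rec.Type
        Address   = $rec.Address
        PtrNames  = ($ptr -join ', ')
        # -contains is case-insensitive for strings, as DNS names are
        PtrMatch  = [bool]($ptr -contains $HostName)
    }
}

# Hosts-file entries override DNS on this machine only: exactly the
# server-vs-client asymmetry the answer describes (comments are skipped)
$pattern   = "(?i)(^|\s)$([regex]::Escape($HostName))(\s|$)"
$overrides = Get-Content -Path $HostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match $pattern }

"Machine: $env:COMPUTERNAME   Host: $HostName"
$reverse | Format-Table -AutoSize
if ($overrides) {
    Write-Warning "hosts-file overrides for $HostName on this machine:"
    $overrides | ForEach-Object { "  $_" }
}
$reverse | Where-Object { -not $_.PtrMatch } | ForEach-Object {
    Write-Warning "PTR for $($_.Address) ($($_.Type)) does not match $HostName"
}
```

Differences between the server's and a client's output (a PTR that resolves to another name, an AAAA address with no PTR, or a hosts-file override present only on the server) point at the name-resolution side rather than at the SPN registration itself.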