I have a Tomcat webapp that supports Kerberos authentication. It works fine and I can log in to that app if I use a built-in account like LOCAL SYSTEM or NETWORK SERVICE, but I'm having problems with setting up a non-default domain account for the Tomcat service.
I have registered the necessary SPNs:
```
C:\Users\Administrator>setspn -l tomcatuser1
Registered ServicePrincipalNames for CN=tomcatuser1,CN=Users,DC=blah,DC=com:
        HTTP/Unicorn.blah.com
        HTTP/Unicorn
```
After that I was able to log in from other machines in the domain, but not from the machine where the Tomcat service is running. I don't have any issues if I use IP addresses, though. I also checked that I'm not running into the loopback issue, but it doesn't seem to affect anything.
As a result, when I'm requesting a web page using a host name I get a 401 response. From the logs I see that negotiation is happening in multiple steps, and the last step is the server saying that the authorization token I supplied is invalid. The actual error message is "The handle specified is invalid", corresponding to the SEC_E_INVALID_HANDLE Windows error.
Could it be related to the Kerberos setup, or is it a network issue?