I am attempting to authenticate a Windows client (IE / Firefox) through SPNEGO and Kerberos. The server side is Java / Tomcat with JCIFS for SPNEGO authentication. SSO (Kerberos) auth works fine when the server part is hosted on a Windows 2008 R2 server. However, on a Windows 2012 server it fails with `GSSException: Defective token detected`.
Digging a little deeper with a network trace, I found that in the working case the IE client sends a negotiation token with 4 mechTypes:

- 1.2.840.48018.1.2.2 - MS KRB5
- 1.2.840.113554.1.2.2 - KRB5
- 1.3.6.1.4.1.311.2.2.30 - NEGOEX
- 1.3.6.1.4.1.311.2.2.10 - NTLMSSP

In this case my server side completes the SPNEGO negotiation by selecting MS KRB5. In the failing case, however, the IE client only sends a token with 2 mechTypes, NEGOEX and NTLMSSP, and NEGOEX is the preferred one. Java does not support NEGOEX, and therefore it fails.
Some searching suggests that this problem is due to bugs in the JDK* or is otherwise related to DNS. However, I am on the latest JDK, and DNS seems to be in order. So my question is: when does the browser on Windows switch to NEGOEX in SPNEGO, and why? The closest answer I found was on the MSDN blog, which says Kerberos is not available since the client is not in a domain environment. However, the client is indeed in a domain environment, and klist shows a valid Kerberos ticket. If this is really a domain problem, what exactly could be the root cause, and how can I avoid the problem?
*Footnote, some background research: JDK 8 has seen many fixes in the GSS engine. There were bugs in jdk8u40 and jdk8u45, and further fixes are present in jdk8u65. The bug report that was supposed to implement NEGOEX was closed with a fix:
"a fix for SPNEGO that allows NEGOEX to be submitted and bypassed"
However, I'm not sure whether NEGOEX really works. The NEGOEX IETF standard also looks abandoned, with an expired RFC draft. Therefore, I doubt that it will really be supported by Java libraries.
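An added example, not from the original post nor from JCIFS or the JDK: a small Python DER walker that lists the mechTypes inside the SPNEGO NegTokenInit a browser sends in the `Authorization: Negotiate` header, so the "4 mechTypes" and "2 mechTypes" cases above can be told apart from a capture without a full GSS stack. The two sample tokens are constructed here and carry only a mechTypes list (a real NegTokenInit also carries a mechToken); `build_neg_token_init`, `mech_types`, `classify` and the header helpers are names chosen for this example.

```python
"""Minimal DER walker for the SPNEGO NegTokenInit mechTypes list.

Added example (not part of the original post). Token layout, per RFC 4178 / RFC 2743:
  [APPLICATION 0] 0x60 { OID 1.3.6.1.5.5.2, [0] 0xA0 { SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... } } }
Sample tokens below are constructed, not captured from the poster's trace.
"""
import base64

SPNEGO = "1.3.6.1.5.5.2"
# OIDs quoted in the post
MS_KRB5 = "1.2.840.48018.1.2.2"
KRB5 = "1.2.840.113554.1.2.2"
NEGOEX = "1.3.6.1.4.1.311.2.2.30"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NAMES = {MS_KRB5: "MS KRB5", KRB5: "KRB5", NEGOEX: "NEGOEX", NTLMSSP: "NTLMSSP"}


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mechs) -> bytes:
    """Constructed initiator token carrying only the mechTypes list."""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))
    neg_token_init = tlv(0x30, tlv(0xA0, mech_list))
    return tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, neg_token_init))


def mech_types(token: bytes):
    """Walk the InitialContextToken down to mechTypes and return the OIDs in order."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO:
        raise ValueError("not a SPNEGO token")
    tag, neg, _ = read_tlv(body, pos)          # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit (tag 0xA0)")
    _, seq, _ = read_tlv(neg, 0)               # SEQUENCE
    tag, wrapped, _ = read_tlv(seq, 0)         # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_list, _ = read_tlv(wrapped, 0)     # SEQUENCE OF OID
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = read_tlv(mech_list, pos)
        mechs.append(decode_oid(oid))
    return mechs


def classify(token: bytes) -> str:
    """'kerberos' if a Kerberos mech is offered, 'negoex-first' if NEGOEX is preferred instead."""
    mechs = mech_types(token)
    if MS_KRB5 in mechs or KRB5 in mechs:
        return "kerberos"
    return "negoex-first" if mechs and mechs[0] == NEGOEX else "other"


def to_negotiate_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode()


def mech_types_from_header(value: str):
    scheme, _, b64 = value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    return mech_types(base64.b64decode(b64))


if __name__ == "__main__":
    for label, mechs in (("working", [MS_KRB5, KRB5, NEGOEX, NTLMSSP]), ("failing", [NEGOEX, NTLMSSP])):
        tok = build_neg_token_init(mechs)
        print(label, [NAMES.get(m, m) for m in mech_types(tok)], "->", classify(tok))
```

Paste the base64 from a failing request's `Authorization: Negotiate` header into `mech_types_from_header` to confirm whether the client omitted both Kerberos mechs; a token whose first mechType is NEGOEX is what the post describes the 2012 host receiving.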