pderaaij - 13 days ago
Java Question

SSO authentication, response is always NTLM

I'm trying to implement SSO on an intranet application we are developing. I am using SPNEGO for this. Now I'm having some trouble configuring the SSO and hope someone here is able to help me.

The setup is like this:


  1. Linux server with Tomcat to serve the intranet application
  2. Windows Server 2008 as domain controller (Active Directory)
  3. Windows 7 client with IE9 and Firefox



When I open the intranet application I see a GET request going from the client to the Tomcat server. The first response of the Tomcat server and the SpnegoFilter is a 401 Unauthorized, which is right, because the client needs to be authenticated.

806 6.117724 192.168.65.50 192.168.65.50 HTTP 284 HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate\r\n


The response of the client then is a GET request with a flag NTLMSSP_NEGOTIATE. Here it breaks. I don't expect an NTLM response, but a Kerberos/SPNEGO response. Somehow I just can't figure out how to send the correct response to the Tomcat server.

808 6.123277 192.168.65.50 192.168.65.50 HTTP 637 GET / HTTP/1.1 , NTLMSSP_NEGOTIATE


By default NTLM isn't supported by SPNEGO so I get the following entry in my log:


java.lang.UnsupportedOperationException: NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported.


So I'm doing something wrong, but after a day of fiddling with configurations and policies I just can't figure out what it is.

Hoping for some response.

Answer

Kerberos does not work on IP; use fully qualified domain names.
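
A diagnostic for the symptom in the question, as an added example (not part of the original post or of the SPNEGO library): it decodes the token from an `Authorization: Negotiate` header and reports whether the client sent a bare NTLMSSP message, as in the capture above, or a SPNEGO token and which mechanisms it offers. The function names and both sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (value bytes only, without tag/length)
SPNEGO = bytes.fromhex("2b0601050502")                   # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",     # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",      # 1.3.6.1.4.1.311.2.2.10
}
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify(authorization):
    """Classify the value of an 'Authorization: Negotiate <base64>' header."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate", []
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):                   # bare NTLM, no SPNEGO wrapper
        return "raw-ntlm", [NTLM_TYPES.get(int.from_bytes(raw[8:12], "little"), "?")]
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x60:                                      # GSS-API InitialContextToken
        return "unknown", []
    _, oid, pos = read_tlv(body, 0)
    if oid != SPNEGO:                                    # mechanism token sent directly
        return "gss", [MECHS.get(oid, oid.hex())]
    value = body[pos:]
    for _ in range(4):  # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
        _, value, _ = read_tlv(value, 0)
    mechs, p = [], 0
    while p < len(value):
        _, o, p = read_tlv(value, p)
        mechs.append(MECHS.get(o, o.hex()))
    return "spnego", mechs

def tlv(tag, body):     # short-form DER encoder, used only to build the samples
    return bytes([tag, len(body)]) + body

# Constructed samples: an NTLM type 1 message and a SPNEGO NegTokenInit
NTLM_SAMPLE = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(4)).decode()
_oids = b"".join(tlv(0x06, o) for o in MECHS)
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, SPNEGO) +
    tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, _oids)))))).decode()
```

A `raw-ntlm` result on the first authenticated request matches the `NTLMSSP_NEGOTIATE` frame in the capture; a `spnego` result lists the mechanisms in the order the client prefers them.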
