Using negoserver with Kerb authentication

Apr 25, 2014 at 12:42 PM

I am trying to add Kerb authentication into an old Tomcat 5.5 environment!

I am using negoserver, running as "local system" account. I have amended Negoserver.exe.config to uncomment the "onlykerberos" option.

Eventually, I would like to get this working with the server's DNS alias, but for now I am using the server's name.

The problem is, when accessing http://myserver/authbysspitcp/ I get a 401 (This request requires HTTP authentication ()) message.

I have used the Microsoft utility "Klist" to purge kerb tickets before accessing the URL, and list them afterwards, and there does seem to be a ticket getting created correctly, called something like HTTP/

The negoserver log is recording entries like these:
Server Verbose: 4986 : To a new request with a new connection TCP
Server Verbose: 4986 : Before TranslationOrAuthenticate
State Verbose: 4986 : Buf len : 1
State Verbose: 4986 : Buf remaining 1
Server Verbose: 4986 : In TranslationOrAuthenticate
Server Verbose: 4986 : Buffer.length 1
Server Verbose: 4986 : ConnectionType.AuthenticationAndInformIfAuthenticatedUser
State Verbose: 4986 : A security requirement was not fulfilled during authentication. Required: None, negotiated: EncryptAndSign.
   at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
   at System.Net.Security.NegotiateStream.EndAuthenticateAsServer(IAsyncResult asyncResult)
   at httpToNegotiateStream.State.AuthenticateAsServerContinue(IAsyncResult ar) in c:\Users\dominique\Documents\doc\Visual Studio 2012\Projects\Negoserver\Negoserver\NegoServer.cs:line 1866

Is this clear? I am sure I have forgotten to do something pretty basic... Hope you can help.

May 5, 2014 at 11:11 AM
You use Tomcat 5.5.
Is Tomcat running on Windows? Is Tomcat running on the same computer?

Try first without the parameter onlykerberos. I think that NTLM is used by the browser.

If Tomcat is running on Unix and you want to use Kerberos, you must add a Service Principal Name to the account used by Negoserver.
Your service Negoserver is running as SYSTEM. In this case, you must add a Service Principal Name to the account of the computer where Negoserver is running.

For instance, if the name of the computer where Negoserver is running is NegoComputer, add the SPN http/myservertomcatdnsname to the account NegoComputer in Active Directory.
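
The SPN registration described in the reply above, as an added example that is not part of the thread or of Negoserver itself. It uses the names from the thread as placeholders (NegoComputer, myservertomcatdnsname, the /authbysspitcp/ path), assumes the standard setspn and klist tools on a domain-joined Windows host, and checks for a duplicate SPN first, since a duplicate leaves the KDC unable to issue a ticket and the browser then falls back to NTLM:

```powershell
# Added example, not code from the thread. Steps 1-3 run as a domain admin
# on any domain-joined machine; step 4 runs on a client with a domain logon.
$Spn     = 'HTTP/myservertomcatdnsname'   # service class + DNS name the browser requests (placeholder)
$Account = 'NegoComputer'                 # computer account of the host running Negoserver as SYSTEM (placeholder)

# 1. Forest-wide check: is this SPN already registered on some account?
#    A duplicate SPN is the usual reason Kerberos silently fails.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Warning "SPN $Spn is already registered:`n$($query -join "`n")"
    return
}

# 2. Register the SPN on the computer account. -S refuses to add a duplicate,
#    unlike -A, which adds blindly.
setspn -S $Spn $Account

# 3. Confirm the computer account now lists the SPN.
setspn -L $Account

# 4. Client side: purge cached tickets, request the URL, then confirm the KDC
#    issued a service ticket for HTTP/... rather than the browser using NTLM.
klist purge
Invoke-WebRequest -Uri 'http://myservertomcatdnsname/authbysspitcp/' -UseDefaultCredentials | Out-Null
klist | Select-String 'HTTP/'
```

If step 4 shows no HTTP/ ticket, the alias the browser used does not match the registered SPN (for a DNS alias, register the SPN for the alias name, not the host name).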

May 7, 2014 at 11:57 AM
Thanks, Dominique - it appears to be working now. I think I broke the web.xml somehow. Fingers crossed.

Jul 28, 2015 at 1:30 PM

Do you know what fixed this problem?
I'm facing the same ;-)

Jul 28, 2015 at 4:36 PM
Sorry, I don't recall this issue at all. I ended up using