NTLM2 works great, but Kerberos keeps failing with an error

Jul 28, 2015 at 11:54 AM
Edited Jul 28, 2015 at 11:55 AM
NTLM is working fine, but when I want to change the authentication to Kerberos I keep getting the error "A security requirement was not fulfilled during authentication. Required: Sign, negotiated: EncryptAndSign."

SPNs are ok, is there a way to debug this issue further?

Server Verbose: 50390 : Before TranslationOrAuthenticate
State Verbose: 50390 : Before BeginRead
State Verbose: 50390 : WaitTheNextRequest launched
Server Verbose: 50390 : In TryToReuseAConnection
Server Verbose: 50390 : Buffer.length1
Server Verbose: 50390 : ConnectionType.Test
State Verbose: 50390 : Buf len : 1
State Verbose: 50390 : Buf remaining 1
Server Verbose: 50390 : In TranslationOrAuthenticate
Server Verbose: 50390 : Buffer.length
Server Verbose: 50390 : ConnectionType.AuthenticationAndInformIfAuthenticatedUser
State Verbose: 50390 : A security requirement was not fulfilled during authentication. Required: Sign, negotiated: EncryptAndSign. at System.Net.Security.NegoState.EndProcessAuthentication(IAsyncResult result)
at httpToNegotiateStream.State.AuthenticateAsServerContinue(IAsyncResult ar) in c:\Users\dominique\Documents\doc\Visual Studio 2012\Projects\Negoserver\Negoserver\NegoServer.cs:line 1867
State Verbose: 50390 : Authstream closed
State Verbose: 50390 : Connection closed
Server Verbose: 0 : A blocking operation was interrupted by a call to WSACancelBlockingCall 10004Interrupted
Server Verbose: 0 : CLR version: 4.0.30319.34014
Server Verbose: 0 : If is running as an x64 exe, size of the pointers = 8, else 4. The Size of the pointers: 8
Server Verbose: 0 : Current Directory: C:\cms-java\negoserver
Server Verbose: 0 : WorkerThreads: 8, completionPortThreads: 8
Server Verbose: 50393 : To a new request with a new connection TCP
Server Verbose: 50393 : Before TranslationOrAuthenticate
Coordinator
Sep 14, 2015 at 7:12 PM
With Negotiate or SPNEGO, the browser chooses the authentication method: NTLMv2 or Kerberos.
To use Kerberos:
1) The browser, Tomcat and Negoserver are not on the same computer
2) The URL does not use an IP address
3) The DNS name of the Tomcat server must be used in the Service Principal Name of the account used by NegoServer.
If the DNS name is myservice.mydomain.net, the SPN must be http/myservice.mydomain.net

So, if Tomcat is running on Unix, you must add this SPN to the account used by Negoserver. By default, Negoserver uses SYSTEM. It is better to use Network Service.
In these two cases, the account used on the network is the server account. If Negoserver is on the computer MYSERVER, you must add a Service Principal Name to the account MYDOMAIN\MYSERVER.

The parameter onlykerberos is only used to refuse NTLMv2 or NTLM

Dominique
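The checks from the answer above, as an added PowerShell example that is not part of the thread or of Negoserver itself. It verifies that the URL host is a DNS name rather than an IP address, that the name resolves, and that the http/ SPN is registered on the computer account Negoserver runs under (SYSTEM or Network Service both present the computer account on the network); the host name, domain and account name are assumed values.

```powershell
# Added example, not code from the thread or from Negoserver.
# Verifies the Kerberos prerequisites listed in the answer for one service
# and registers the SPN if it is missing. All values below are assumed.
$ServiceHost    = 'myservice.mydomain.net'   # DNS name used in the browser URL (assumed)
$ServiceAccount = 'MYSERVER$'                # computer account of the Negoserver host
                                             # (MYDOMAIN\MYSERVER in the answer; the
                                             # sAMAccountName carries a trailing $)
$Spn            = "http/$ServiceHost"

# The URL must use a DNS name: with an IP address the browser cannot build an
# SPN and silently falls back to NTLM.
$parsed = $null
if ([System.Net.IPAddress]::TryParse($ServiceHost, [ref]$parsed)) {
    throw "'$ServiceHost' is an IP address; Kerberos needs the DNS name in the URL."
}

# The DNS name must resolve, otherwise no service ticket can be requested for it.
[System.Net.Dns]::GetHostAddresses($ServiceHost) | Out-Null

# The SPN must be registered on the account Negoserver runs as, even when
# Tomcat itself is on a Unix host.
$registered = (& setspn -L $ServiceAccount 2>&1) | Out-String
if ($registered -match [regex]::Escape($Spn)) {
    Write-Host "SPN $Spn is already registered on $ServiceAccount"
} else {
    # -S refuses to add the SPN when another account already holds it;
    # a duplicate SPN also breaks Kerberos for this service.
    & setspn -S $Spn $ServiceAccount
}

# On the client, after the change: drop cached tickets and confirm that a
# ticket for http/myservice.mydomain.net appears in the cache after the
# next request to the site.
#   klist purge
#   klist
```

Run it on a domain-joined machine with an account allowed to write the servicePrincipalName attribute of the computer object; setspn -L alone needs no special rights and is enough to confirm the first part of the answer.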
Oct 11, 2015 at 11:01 AM
Dominique,

thank you for the help.
This fixed our problem.

Peter