SSO authentication, response is always NTLM

StackOverflow https://stackoverflow.com/questions/13936243

  •  10-12-2021
  •  | 
  •  

Question

I'm trying to implement SSO on an intranet application we are developing. I am using SPNEGO for this. Now I'm having some trouble configuring the SSO and hope someone here is able to help me.

The setup is like this:

  1. Linux server with tomcat to serve the intranet application
  2. Windows Server 2008 as domain controller (Active Directory)
  3. Windows 7 client with IE9 and Firefox

When I open the intranet application I see a GET request going from the client to the tomcat server. The first response of the tomcat server and the SpnegoFilter is a 401 unauthorized which is right, cause the client needs to be authenticated.

806 6.117724    192.168.65.50   192.168.65.50   HTTP    284 HTTP/1.1 401 Unauthorized 
WWW-Authenticate: Negotiate\r\n

The response of the client then is a GET request with a flag NTLMSSP_NEGOTIATE. Here it breaks. I don't expect a NTLM response, but a kerberos/spnego response. Somehow I just can't figure out how to send the correct response to the tomcat server.

808 6.123277    192.168.65.50   192.168.65.50   HTTP    637 GET / HTTP/1.1 , NTLMSSP_NEGOTIATE

By default NTLM isn't supported by SPNEGO so I get the following entry in my log:

java.lang.UnsupportedOperationException: NTLM specified. Downgraded to Basic Auth (and/or SSL) but downgrade not supported.

So I'm doing something wrong, but aftert a day fiddling with configurations and policies I just can't figure out what it is.

Hoping for some response.

Was it helpful?

Solution

Kerberos does not work on IPs, use fully qualified domain names.

OTHER TIPS

Have you registered the SPN and is the client domain joined? The WWW-Authenticate: Negotiate will tell the web browser to try kerberos. The browser hands of that request to the OS (SSPI) based on URL in the address bar. There must be a SPN in AD for the URL. As others noted above, using an IP in your URL is more complicated, but can be done. If your client is not domain joined, there is extra config work to get it to contact your AD KDC. Firefox takes extra setup as well. Solve ths with IE, to eliminate that and them come back to FF when the issue is resolved.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top