[30868] in Kerberos


Re: JBoss Negotiate

daemon@ATHENA.MIT.EDU (Thomas Maslen)
Sat Mar 14 22:21:33 2009

From: Thomas Maslen <Thomas.Maslen@quest.com>
To: "kerberos@mit.edu" <kerberos@mit.edu>
Date: Sat, 14 Mar 2009 19:20:36 -0700
Message-ID: <723530449330F342A68634ADF3CE8DE2033D50DA9B@alvxmbw02.prod.quest.corp>
Content-Language: en-US
MIME-Version: 1.0
Cc: "Krishnawat, Nagendra" <nagendra.krishnawat@westernasset.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Let me guess...  you're probably running JBoss on a Windows machine that is joined to the Active Directory domain?

If so, then the problem is:  you have got your SPN mappings wrong.  (i.e. the hostname in the URL that you are using in the browser doesn't match any SPN mapping that you have set up).

So, when the browser asks AD for a Kerberos service ticket to HTTP/foo.example.com, AD doesn't find an explicit SPN mapping on your service object, so it doesn't use your service object.  If AD doesn't find an explicit SPN mapping for HTTP/foo.example.com, it implicitly maps HTTP/foo.example.com to the AD Computer object for foo.example.com (equivalently, HOST/foo.example.com).  This works nicely for Microsoft IIS but for other SPNEGO implementations it produces the rather nonobvious error that you are seeing at present.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
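The SPN lookup described in the message above, modelled as an added Python example (not code from the poster or from JBoss): the browser builds `HTTP/<url hostname>`, AD first looks for an explicit match on some account's registered SPNs, and only if none exists falls back to the computer object's implicit `HOST/<fqdn>` entry. The directory contents, the account names `FOO$` and `svc-jboss`, and the hostnames are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample directory: account name -> set of registered SPNs.
# A domain-joined computer object carries HOST/<fqdn> implicitly; the
# service account only has the SPN an admin explicitly registered on it.
DIRECTORY = {
    "FOO$": {"HOST/foo.example.com", "HOST/FOO"},   # computer account
    "svc-jboss": {"HTTP/jboss.example.com"},        # JBoss service account
}

def spn_for_url(url: str) -> str:
    """The browser derives the SPN from the hostname in the URL, port ignored."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in URL: {url!r}")
    return f"HTTP/{host.lower()}"

def resolve_spn(spn: str, directory=DIRECTORY):
    """Mimic AD's choice of the account the ticket is encrypted for.
    Explicit SPN match wins; otherwise an HTTP/ request is treated as an
    alias of HOST/ on the computer object (HTTP is one of several service
    classes AD aliases to HOST; this model only handles HTTP)."""
    wanted = spn.lower()
    for account, spns in directory.items():
        if wanted in {s.lower() for s in spns}:
            return account, "explicit"
    service, _, host = spn.partition("/")
    if service.upper() == "HTTP":
        implicit = f"host/{host.lower()}"
        for account, spns in directory.items():
            if implicit in {s.lower() for s in spns}:
                return account, "implicit HOST/ mapping"
    return None, "unmapped"

def diagnose(url: str, service_account: str, directory=DIRECTORY) -> str:
    """Report whether a ticket for this URL would be usable by the account
    that actually holds the JBoss keytab."""
    spn = spn_for_url(url)
    account, how = resolve_spn(spn, directory)
    if account == service_account:
        return f"OK: {spn} -> {account} ({how})"
    return (f"MISMATCH: {spn} -> {account} ({how}); the ticket is encrypted "
            f"for that account, not {service_account}; register {spn} on "
            f"{service_account}")

if __name__ == "__main__":
    print(diagnose("http://foo.example.com:8080/app", "svc-jboss"))
    print(diagnose("http://jboss.example.com/app", "svc-jboss"))
```

The first call reproduces the situation in the message: the ticket lands on the computer account via the implicit HOST/ mapping, so the SPNEGO token is undecryptable by the JBoss keytab.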
