SPNEGO with Java prompting password many times


I'm using spnego (http://spnego.sourceforge.net) to implement single sign-on on my system. The problem is that even when I type the right password, I am prompted for it again and again.

Sometimes if you type it twice you can get into the system; sometimes you need to type the same user and password more than 10 times before you get access.

After you are logged in to the system, the password prompt can appear many times at random, again and again and again.

Thanks in advance


There are 2 answers

Øyvind Horneland

I've not tried that specific spnego module yet, but I've encountered this issue before.

The issue with SPNEGO and two login prompts is often related to:

  1. The application's login service is configured to allow both negotiate and basic:

    WWW-Authenticate: Negotiate
    WWW-Authenticate: basic
    
  2. If Windows Native Authentication is enabled in Internet Explorer, but the Windows client fails to retrieve a Kerberos ticket for the service (for some reason), IE will

    • Prompt for login, but no matter what you write here it will send an NTLMSSP token using Authorization: Negotiate

    • Authentication using the NTLMSSP token will fail and you'll get a secondary login prompt, which will be submitted using Basic: Authorization: Basic

Not sure why authenticating more than two times sometimes lets you in, though...

To investigate the problem further:

  • Check server log files (set java option -Dsun.security.krb5.debug=true and web.xml spnego.logger.level=1) for clues.
  • Check that the Windows client is logged on to domain.
  • Check that Windows Native Authentication is enabled in Internet Explorer.
  • Check that the website is added to local intranet sites in Internet Explorer (or available without using dot "." in the web site name).
  • Check that keytab, krb5.conf and login.conf are configured for your app server. (See spnego docs pre_flight and reference_docs)
  • Check that the principal name used in the keytab is the DNS A record and not a DNS CNAME record for your service.
  • An excellent tool for debugging web traffic is Fiddler2. Install it and see what Internet Explorer responds to the authentication challenges (HTTP 401).
  • If Internet Explorer indeed submits an NTLMSSP token, you might also want to use Wireshark and filter "Kerberos" traffic to see if your domain controller responds with a TGS-REP containing a Kerberos ticket for accessing your service.

If you're still out of luck, we might be able to help you further if you can make available all or some of:

  • spnego configuration
  • Server logs (if anything relevant)
  • Fiddler2 trace
  • Wireshark trace

Øyvind
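The answer above hinges on telling which mechanism the browser actually put in its `Authorization: Negotiate` header once you have the Fiddler2 trace: a Kerberos service ticket, an NTLMSSP message wrapped in SPNEGO, or a Basic fallback. The script below is an added example (not code from the original post and not part of the spnego project) that base64-decodes such a header and classifies it by the GSS-API/SPNEGO mechanism OIDs (RFC 2743, RFC 4178) and the `NTLMSSP\0` signature. It is a heuristic rather than a full ASN.1 parser: it relies on `mechTypes` preceding `mechToken` inside a NegTokenInit, so the first mechanism OID it finds is the one the client preferred. The sample headers, the placeholder AP-REQ bytes and the NTLM Type 1 message are constructed inline for the demo; `diagnose()` is a hypothetical helper that maps each outcome to the next check from the list above.

```python
import base64
import binascii
from typing import Dict, List, Tuple

# DER-encoded OIDs as they appear inside a GSS-API InitialContextToken.
OID_SPNEGO = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
MECH_OIDS: Dict[str, bytes] = {
    "ms-krb5": bytes.fromhex("06092a864882f712010202"),    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
    "krb5": bytes.fromhex("06092a864886f712010202"),       # 1.2.840.113554.1.2.2
    "ntlmssp": bytes.fromhex("060a2b06010401823702020a"),  # 1.3.6.1.4.1.311.2.2.10
}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_authorization(header_value: str) -> Dict[str, str]:
    """Report which mechanism an Authorization header carries (heuristic, see lead-in)."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    result = {"scheme": scheme, "mechanism": "none", "inner_ntlmssp": "no"}
    if scheme.lower() != "negotiate":
        return result  # Basic (or anything else): the Negotiate exchange already failed
    try:
        token = base64.b64decode(token_b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        result["mechanism"] = "undecodable"
        return result
    if not token:
        result["mechanism"] = "empty"
        return result
    if NTLMSSP_SIGNATURE in token:
        result["inner_ntlmssp"] = "yes"          # an NTLM message is embedded somewhere in the token
    if token.startswith(NTLMSSP_SIGNATURE):
        result["mechanism"] = "ntlmssp-raw"      # bare NTLM message sent under the Negotiate scheme
        return result
    if token[0] != 0x60:
        result["mechanism"] = "not-gss"
        return result
    # Skip the APPLICATION 0 tag and its short- or long-form length to reach the mechanism OID.
    hdr = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    body = token[hdr:]
    if body.startswith(OID_SPNEGO):
        found: List[Tuple[int, str]] = [(body.find(oid), name) for name, oid in MECH_OIDS.items()]
        found = [(i, name) for i, name in found if i >= 0]
        result["mechanism"] = "spnego:" + (min(found)[1] if found else "unknown")
    elif body.startswith(MECH_OIDS["krb5"]) or body.startswith(MECH_OIDS["ms-krb5"]):
        result["mechanism"] = "kerberos-raw"
    else:
        result["mechanism"] = "gss-unknown"
    return result


def diagnose(mechanism: str) -> str:
    """Hypothetical helper: map the observed mechanism to the next thing to check."""
    if "krb5" in mechanism or mechanism == "kerberos-raw":
        return "Kerberos ticket presented: a 401 now means the server rejected it (keytab, realm, SPN, clock)"
    if "ntlmssp" in mechanism:
        return "client fell back to NTLM: no service ticket obtained (SPN/DNS name, intranet zone, domain logon)"
    if mechanism == "none":
        return "no Negotiate token: Basic or another scheme was used after Negotiate failed"
    return "unrecognised token: look at the Kerberos exchange in Wireshark"


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _spnego_init(mechs: List[bytes], mech_token: bytes) -> bytes:
    """Build a minimal SPNEGO NegTokenInit: [0] mechTypes, [2] mechToken."""
    neg_init = _der(0x30, _der(0xA0, _der(0x30, b"".join(mechs))) + _der(0xA2, _der(0x04, mech_token)))
    return _der(0x60, OID_SPNEGO + _der(0xA0, neg_init))


# Constructed samples for the responses a browser can give to a 401 Negotiate challenge.
KRB_INNER_SAMPLE = _der(0x60, MECH_OIDS["krb5"] + b"\x01\x00" + b"\x6e\x05\x30\x03\x02\x01\x05")  # placeholder AP-REQ
NTLM_TYPE1_SAMPLE = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + bytes(24)
SAMPLE_HEADERS = {
    "kerberos": "Negotiate " + base64.b64encode(
        _spnego_init([MECH_OIDS["ms-krb5"], MECH_OIDS["krb5"], MECH_OIDS["ntlmssp"]], KRB_INNER_SAMPLE)).decode(),
    "ntlm_fallback": "Negotiate " + base64.b64encode(_spnego_init([MECH_OIDS["ntlmssp"]], NTLM_TYPE1_SAMPLE)).decode(),
    "ntlm_raw": "Negotiate " + base64.b64encode(NTLM_TYPE1_SAMPLE).decode(),
    "basic": "Basic " + base64.b64encode(b"DOMAIN\\user:hunter2").decode(),
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        r = classify_authorization(header)
        print(f"{name:14s} {r['mechanism']:16s} inner NTLMSSP={r['inner_ntlmssp']:3s} -> {diagnose(r['mechanism'])}")
```

Paste the `Authorization` value from the Fiddler2 request into `classify_authorization()`; a result of `spnego:ntlmssp` is the "IE could not get a ticket" case from the answer, while `spnego:ms-krb5` or `spnego:krb5` followed by another 401 points at the server side (keytab, realm or SPN).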

Igor

I found the problem.

The credentials were valid, but they were from another domain (I changed the domain but did not update the keytab file).

After fixing the keytab, the system never asked for a password again.

Thanks all !
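A keytab left over from the old domain is easy to catch before deployment by listing the realm of every entry and comparing it with the realm the server now belongs to. The script below is an added example (not part of the original thread or of the spnego project) that reads the MIT keytab v2 format (`0x0502` header, then length-prefixed entries of principal components, realm, name type, timestamp, 8-bit kvno, keyblock and an optional 32-bit kvno) and flags entries whose realm differs from the expected one. The keytab bytes are constructed inline with `keytab_entry()` so the example runs offline; the realms, the service name `HTTP/app.example.com` and the all-zero keys are invented for the demo.

```python
import struct
from typing import Dict, List, Tuple

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(b: bytes) -> bytes:
    """uint16 length prefix + bytes, the keytab 'counted octet string'."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def keytab_entry(realm: str, components: List[str], enctype: int, kvno: int, key: bytes,
                 timestamp: int = 0, name_type: int = 1) -> bytes:
    """Serialise one MIT keytab v2 entry (used here only to build the constructed sample)."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)  # name type, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key               # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                                   # optional 32-bit vno
    return struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> List[Dict]:
    """Return one dict per live entry: principal, realm, kvno, enctype name, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab (expected 0x0502 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot of that many bytes
            pos += -size
            continue
        end = pos + size
        (n_comp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(n_comp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen           # the key material itself is not needed for this check
        if end - pos >= 4:        # a trailing 32-bit vno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "realm": realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "timestamp": timestamp,
        })
    return entries


def realm_mismatches(entries: List[Dict], expected_realm: str) -> List[Dict]:
    """Entries whose realm is not the one the server now belongs to (e.g. a keytab from the old domain)."""
    return [e for e in entries if e["realm"].upper() != expected_realm.upper()]


# Constructed sample: two entries exported before the domain change plus one for the new realm.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    keytab_entry("OLDCORP.LOCAL", ["HTTP", "app.example.com"], 18, 3, bytes(32)),
    keytab_entry("OLDCORP.LOCAL", ["HTTP", "app.example.com"], 17, 3, bytes(16)),
    keytab_entry("NEWCORP.LOCAL", ["HTTP", "app.example.com"], 18, 1, bytes(32)),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"kvno {e['kvno']:3d}  {e['enctype']:24s}  {e['principal']}")
    for e in realm_mismatches(entries, "NEWCORP.LOCAL"):
        print("realm mismatch:", e["principal"])
```

Run it against the real file with `parse_keytab(open(path, "rb").read())`; the listing should agree with `klist -k -t` (MIT) or Java's `klist -k`, and any entry `realm_mismatches()` reports is one the KDC of the current domain cannot issue tickets for, which is exactly the situation described in this answer.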