WWW-Authenticate not working with Kerberos (only NTLM)
I'm having a problem setting up SSO for the intranet websites. Currently I'm working with Tomcat 8.0 and Waffle 1.8.4. They work great, but there is only one problem: the browsers (Firefox and IE, after the settings were applied as described here and here) cannot do Kerberos authentication, only NTLM.
I analyzed the traffic with Wireshark: Tomcat sends the HTTP header field "WWW-Authenticate" and the browser answers with a base64-encoded string in the header field "Authentication" that contains NTLMSSP. I guess this is not Kerberos, or is it?
I read a post (WWW-Authenticate uses NTLM and not Kerberos) that for Kerberos to work, the server has to be registered in the AD with the command setspn.exe.
I tried to get the right syntax for setspn (described here), but without any luck.
The server has the following parameters:
IP: 10.0.0.1
Service: Tomcat-Http
Port: 8080
Accountname: company-netfoobar
I use this command for setspn:
setspn -A "HTTP/10.0.0.1:8080 company-netfoobar"
but it does not work. Both the server and the client are in the same Windows domain, using Windows 10.
What is wrong with it?
Do I need anything else?
single-sign-on kerberos ntlm
edited Nov 13 '18 at 16:52 by Kostadin Slavov
asked Nov 13 '18 at 15:14 by awgold90
1 Answer
Kerberos relies on DNS (valid hostnames) and SPNs to function. It looks like you've done a bit of research so far, which is good. What isn't that well known is that when you point an otherwise perfectly working Kerberos client to the IP of a host, rather than to its DNS hostname, Kerberos will be bypassed and the fallback authentication mechanism will be employed instead - NTLM in this case.
Michael-O, the top Kerberos contributor to this forum, said it best with his answer about this back in 2012:
Kerberos does not work with IP addresses, it relies on domain names and correct DNS entries only.
Exactly this. IP addresses aren't supported. EXCEPT they are now, in Win 10 1507+: docs.microsoft.com/en-us/windows-server/security/kerberos/…
– Steve, Nov 14 '18 at 19:51
Thank you for the help. Figuring out that IP addresses aren't allowed would have cost me a lot of time. I'm just reading that Windows 10 disabled the registry key allowtgtsessionkey (1, 2), so we have to use the Windows SSPI API (Waffle, Nsspi use C# to access the security context) and can forget a pure Java solution like JGSS, JAAS, or SPNEGO. Did you notice this?
– awgold90, Nov 16 '18 at 10:03
answered Nov 13 '18 at 16:25 by T-Heron
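The Wireshark observation in the question (a Negotiate token whose decoded bytes contain NTLMSSP) is exactly the fallback the answer describes. The following is an added Python example, not code from the question, the answer, Waffle or Tomcat: it classifies an Authorization header value as NTLM or Kerberos by inspecting the SPNEGO token the browser sends, so a capture can be checked without guessing; the two sample tokens are constructed here, not captured from a real client.

```python
import base64

OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2 (RFC 4178)
OID_KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"   # every NTLM message starts with this literal
KRB_AP_REQ_TOK_ID = b"\x01\x00"   # TOK_ID following the OID in a Kerberos context token

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def classify(header_value: str) -> str:
    """Classify an 'Authorization: <scheme> <token>' value as NTLM, Kerberos or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "NTLM"
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(b64)
    except ValueError:
        return "unknown"
    # SPNEGO may wrap the NTLM message as a mechToken, so search for the signature.
    if NTLM_SIGNATURE in raw:
        return "NTLM"
    # A Kerberos mechToken is OID + TOK_ID 0x0100 + AP-REQ; in SPNEGO's mechTypes list the
    # OID is followed by another OID, so requiring TOK_ID ignores a merely offered Kerberos.
    if OID_KRB5 + KRB_AP_REQ_TOK_ID in raw or OID_MS_KRB5 + KRB_AP_REQ_TOK_ID in raw:
        return "Kerberos"
    return "unknown"

def spnego_init(mech_oid: bytes, mech_token: bytes) -> str:
    """Constructed NegTokenInit offering the given mechanism(s), as a 'Negotiate ...' value."""
    mech_types = der(0xA0, der(0x30, mech_oid))          # [0] mechTypes SEQUENCE OF OID
    token = der(0xA2, der(0x04, mech_token))             # [2] mechToken OCTET STRING
    neg_init = der(0xA0, der(0x30, mech_types + token))  # [0] NegTokenInit
    return "Negotiate " + base64.b64encode(der(0x60, OID_SPNEGO + neg_init)).decode()

# Constructed samples: an NTLM NEGOTIATE_MESSAGE (the fallback the question saw)
# and a Kerberos AP-REQ skeleton (what a working hostname-based SPN produces).
NTLM_FALLBACK = spnego_init(OID_NTLMSSP, NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 24)
KERBEROS_OK = spnego_init(OID_KRB5, der(0x60, OID_KRB5 + KRB_AP_REQ_TOK_ID + der(0x6E, b"\x30\x00")))

if __name__ == "__main__":
    print(classify(NTLM_FALLBACK), classify(KERBEROS_OK))   # NTLM Kerberos
```

To check a real capture, paste the Authorization header value from Wireshark into classify(); a client that listed Kerberos in mechTypes but fell back still classifies as NTLM, which is the case the answer describes.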