It is the browser that is sending the token. Have you tried SPNEGO with Firefox?

There are three things that are different in your setup:

1) You are running on Solaris, I am on RedHat Enterprise Linux v5
2) Your encryption is DES, I am RC4-HMAC… have you checked the AD logs to see if any errors are being generated?
3) I am not using a keytab file.

Every time I ran into these types of issues, it was the AD user. Once you have that communication path working, don’t touch it unless you absolutely have to. The AD portion seems to be the most unstable when it comes to changing users/SPN combinations.

· What version of AD are you running?
· Also, you only have one SPN associated with this user, correct? I noticed that if you add SPNs to the user, only the primary SPN is used. By primary, I mean the SPN that shows up in the AD admin console as the user's login, i.e. HTTP/<your host here>

From: William Markmann [via Jasig] [mailto:ml-node+1677730-1411667780-16...@n4.nabble.com]
Sent: Monday, March 22, 2010 7:49 AM
To: Dean Heisey
Subject: Re: Problem with SPNEGO (Getting NTLM token instead of Kerberos)

Dean,

Thanks for the guidance. I talked to the AD admins and they did generate the keytab from the domain controller (the same machine that is listed as the KDC in my kerberos config). So, still no luck there. Also, if delegation weren't working properly, I wouldn't even be able to authenticate using 'kinit', right?

In my (possibly flawed) mental model of how this all works, once I have 'kinit' working, everything is good from the Kerberos / AD side of the equation, and we just need to focus on getting the app server -> browser communication working properly. Am I thinking about this wrong?

What factors actually affect whether the SPNEGO login action gets NTLM vs Kerberos data? I've read through the source of SpnegoCredentialsAction, and it looks like it gets one or the other -- what's actually determining which is sent?

Thanks,
- Bill

On Fri, Mar 19, 2010 at 7:53 PM, Dean Heisey <[hidden email]> wrote:

I ran into something like this where the Kerberos was not working with my AD. When you regenerated your keytab for the new AD user/SPN, did you run the ktpass on your Active Directory Domain server? That gives you access to the Delegation tab on the AD user and computer administrator tab. Go check the CAS User manual SPNEGO section. I updated it recently to include my experiences.

Dean

--
View this message in context: http://n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-tp1598650p1629470.html
Sent from the CAS Users mailing list archive at Nabble.com.

--
You are currently subscribed to [hidden email] as: [hidden email]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

--
Bill Markmann
Counterpoint Consulting, Inc.
(p) 571-338-2455
(f) 202-403-3425
(e) [hidden email]
(w) http://www.counterpointconsulting.com/

--
View this message in context: http://n4.nabble.com/Problem-with-SPNEGO-Getting-NTLM-token-instead-of-Kerberos-tp1598650p1677769.html
Sent from the CAS Users mailing list archive at Nabble.com.
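
A diagnostic sketch for the question raised in this thread (which kind of token the browser actually sent), added here and not part of the original messages or of CAS: it decodes an `Authorization: Negotiate` value and reports whether it is a bare NTLMSSP message or a SPNEGO NegTokenInit, and which mechanisms the latter offers. The function names and both sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value) a Negotiate token can carry.
MECHS = {
    bytes.fromhex("06092a864886f712010202"): "Kerberos V5",
    bytes.fromhex("06092a864882f712010202"): "Kerberos V5 (legacy Microsoft OID)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",
}
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
# Constructed samples, not captured traffic: NTLM Type 1 stub; NegTokenInit, Kerberos first.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(4)).decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()

def _tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Return (wrapper, mechs in client preference order); truncated input may raise IndexError."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header value")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no SPNEGO wrapper
        return "raw NTLMSSP", ["NTLMSSP"]
    tag, pos, _ = _tlv(tok, 0)
    if tag == 0x60 and tok[pos:pos + 11] in MECHS:  # bare Kerberos token, no SPNEGO wrapper
        return "raw GSS-API", [MECHS[tok[pos:pos + 11]]]
    if tag != 0x60 or not tok.startswith(SPNEGO_OID, pos):
        return "unknown", []
    pos += len(SPNEGO_OID)
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # descend to the mechTypes list
        tag, pos, end = _tlv(tok, pos)
        if tag != expected:
            return "SPNEGO", []
    mechs = []
    while pos < end:
        nxt = _tlv(tok, pos)[2]
        mechs.append(MECHS.get(tok[pos:nxt], "other"))
        pos = nxt
    return "SPNEGO", mechs
```

A value whose base64 text begins with `TlRMTVNTUA` is the bare NTLMSSP case; feeding the header captured on the server side to `classify_negotiate` shows which of the cases the client fell into.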