Hi,

After adding log4j I can see some more debug info.
http://forum.springsource.org/showthread.php?130775-spring-security-spnego-kerberos-sso&p=427092&posted=1#post427092

I do not think browser is sending kerberos service ticket on behalf of principal to tomcat.

Regards,
Miten.

________________________________
From: Benjamin Kaduk <ka...@mit.edu>
To: miten mehta <imi...@yahoo.com>
Cc: "kerberos@mit.edu" <kerberos@MIT.EDU>
Sent: Wednesday, October 10, 2012 2:51 AM
Subject: Re: kerberos / spnego

On Mon, 8 Oct 2012, miten mehta wrote:

> Hi Booker,
>
> I am using Internet Explorer 9 and assume it should be configured already for
> spnego. The webapp as such has to do some auth prompting so I guess it
> starts out doing jaas based basic auth. I am just following pretty much the
> article at spring security and their samples.

I've had a much easier time getting firefox to do SPNEGO than IE9. If you are using an external kerberos (MIT or heimdal) you will need to tell firefox to disable sspi (in about:config).

Both IE and firefox need to be told which sites they are permitted to use negotiate auth against, though -- firefox has a negotiate.trusted-uris entry in about:config, and IIRC IE needs hostnames configured to be in the local intranet zone.

In my own testing, I was only ever able to get IE9 to do SPNEGO if I explicitly inserted the correct service ticket into the MSLSA cache manually, or if the machine was joined to an AD domain.

-Ben Kaduk

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
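An added example, not part of the original thread or of Spring Security: one way to check from the server side whether the browser sent a Kerberos service ticket is to classify the Authorization request header that shows up in the debug log. The function name, the return labels and the sample tokens are assumptions constructed for illustration, and the OID search is a heuristic rather than a full ASN.1 parse.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"                         # NTLM message signature
AP_REQ = b"\x01\x00"                              # Kerberos GSS TOK_ID for AP-REQ


def classify_negotiate(header):
    """Classify the value of an HTTP Authorization request header."""
    if not header:
        return "no-credentials"        # browser did not answer the 401 challenge
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"          # e.g. Basic
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if raw.startswith(NTLM_SIG):
        return "ntlm"                  # bare NTLM message, no Kerberos ticket
    if len(raw) < 2 or raw[0] != 0x60:  # GSS-API tokens open with [APPLICATION 0]
        return "unknown"
    # Skip the DER length (short form, or 0x8N followed by N length bytes).
    body = raw[2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0):]
    if body.startswith(KRB5 + AP_REQ):
        return "kerberos"              # bare Kerberos GSS token
    if body.startswith(SPNEGO):
        if KRB5 + AP_REQ in body:
            return "kerberos"          # SPNEGO carrying a service ticket
        if NTLM_SIG in body:
            return "ntlm"              # SPNEGO that fell back to NTLM
    return "unknown"


def tlv(tag, body):
    """Constructed-sample helper: DER TLV with a short-form length (<128)."""
    return bytes([tag, len(body)]) + body


# Constructed sample tokens (placeholder payloads, not real tickets).
krb_gss = tlv(0x60, KRB5 + AP_REQ + b"\x6e\x03AAA")
neg_init = tlv(0xA0, tlv(0x30, tlv(0xA0, tlv(0x30, KRB5))
                         + tlv(0xA2, tlv(0x04, krb_gss))))
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(tlv(0x60, SPNEGO + neg_init)).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00" + bytes(24)).decode()
```

A result of "no-credentials" after the server's Negotiate challenge points at the browser-side site configuration, while "ntlm" means the browser negotiated but had no service ticket to send.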