Hi all, I have a Red Hat 9.2 server hosting a web application on 5 separate instances of Apache Tomcat. I have configured SPNEGO on instances 1, 2, 3 and 4. These instances are behind an Apache proxy load balancer on version 2.4.57. Instances 1, 2, and 3 are load balanced, while 4 and 5 are not. The application is hosted on Tomcat 9.0.54.

Domain: domain.com
Site: devexample.domain.com
URL hit: https://devexample.domain.com/webclient_devex/exclient.jsp

*I keep getting this when accessing the application on instance 5:*

HTTP Status 500 – Internal Server Error

Type Exception Report

Message GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

Description The server encountered an unexpected condition that prevented it from fulfilling the request.

Exception
javax.servlet.ServletException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:287)

Root Cause
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)

Root Cause
KrbException: Checksum failed
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.EncryptedData.decrypt(Unknown Source)
    sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    sun.security.krb5.KrbApReq.<init>(Unknown Source)
    sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)

Root Cause
java.security.GeneralSecurityException: Checksum failed
    sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(Unknown Source)
    sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Unknown Source)
    sun.security.krb5.EncryptedData.decrypt(Unknown Source)
    sun.security.krb5.KrbApReq.authenticate(Unknown Source)
    sun.security.krb5.KrbApReq.<init>(Unknown Source)
    sun.security.jgss.krb5.InitSecContextToken.<init>(Unknown Source)
    sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    net.sourceforge.spnego.SpnegoAuthenticator.doSpnegoAuth(SpnegoAuthenticator.java:487)
    net.sourceforge.spnego.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:327)
    net.sourceforge.spnego.SpnegoHttpFilter.doFilter(SpnegoHttpFilter.java:283)

In the catalina logs:

Entered SpNegoContext.acceptSecContext with state=STATE_NEW
SpNegoContext.acceptSecContext: receiving token =
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.48018.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.2.840.113554.1.2.2
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.30
SpNegoToken NegTokenInit: reading Mechanism Oid = 1.3.6.1.4.1.311.2.2.10
SpNegoToken NegTokenInit: reading Mech Token
SpNegoContext.acceptSecContext: received token of type = SPNEGO NegTokenInit
SpNegoContext: negotiated mechanism = 1.2.840.113554.1.2.2
SpNegoContext.acceptSecContext: negotiated mech adjusted to 1.2.840.48018.1.2.2
Entered Krb5Context.acceptSecContext with state=STATE_NEW
Looking for keys for: HTTP/devexample.domain....@domain.com
Added key: 18version: 4
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

==> /usr/local/tomcat.base5/logs/catalina.2024-02-23.log <==
23-Feb-2024 11:13:14.539 SEVERE [ajp-nio-127.0.0.1-8509-exec-8] net.sourceforge.spnego.SpnegoHttpFilter.doFilter HTTP Authorization Header=Negotiate

*Here is my setup:*

Tomcat bin/lib directories exist in /usr/local/tomcat/
Each instance lives in /usr/local/
/usr/local/tomcat.base1/
/usr/local/tomcat.base2/
/usr/local/tomcat.base3/
/usr/local/tomcat.base4/
/usr/local/tomcat.base5/ --> Where there is an issue

*SPNEGO Filter =====*
/usr/local/tomcat.base5/conf/web.xml

<filter>
    <filter-name>SpnegoHttpFilter_devexample</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param>
        <param-name>spnego.allow.delegation</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client_devexample</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>/usr/local/tomcat/spnego.krb5.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>/usr/local/tomcat/login_devexample.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server_devexample</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>SpnegoHttpFilter_devexample</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>

<Connector port="8585" protocol="HTTP/1.1"
           connectionTimeout="2000"
           redirectPort="8443"
           maxHttpHeaderSize="1048576"/>

*Server XML =====*
/usr/local/tomcat.base5/conf/server.xml

<Connector port="8085" protocol="HTTP/1.1"
           relaxedQueryChars="^{}[]|&quot;"
           connectionTimeout="20000"
           redirectPort="8443" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8509" protocol="AJP/1.3"
           redirectPort="8509"
           address="127.0.0.1"
           secretRequired=""
           tomcatAuthentication="false"/>

*Login Configuration =====*
login_devexample.conf

spnego-client_devexample {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server_devexample {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/usr/local/tomcat/krb5.keytab"
    storeKey=true
    principal="HTTP/devexample.domain....@domain.com"
    isInitiator=false
    forwardable=true
    debug=true;
};

*KRB5.conf File =====*
spnego.krb.conf

[libdefaults]
    default_realm = DOMAIN.COM
    default_tkt_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
    default_tgs_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
    permitted_enctypes = aes128-cts arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-hmac-sha1 aes256-cts aes256-cts-hmac-sha1-96
    forwardable=true

[realms]
    DOMAIN.COM = {
        kdc = example01.domain.com:88
        default_domain = .domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM

*Keytab was generated on AD domain Controller*

DSADD user "cn=SA_EXDEV_SSO",cn=users,dc=DOMAIN,dc=COM" -pwd password -display SA_EXDEV_SSO -pwdneverexpires yes "SSO-EXAMPLE EXDEV SSO"

Went into AD manager and assigned AES256 Bit Encryption on user and checked "Do not require pre-authentication", applied changes

SETSPN -A HTTP/devexample.domain....@domain.com -ptype KRB5_NT_PRINCIPAL -mapuser SA_EXDEV_SSO -mapOp set -pass password -out C:\SSO\krb5.keytab -crypto AES256-SHA1 +DumpSalt

Went into AD manager and selected "Trust this user for delegation (Kerberos)"

I've looked all over the web for this error but it's not very clear as to how to resolve it. I've checked over the configuration too many times to count. Is there a solution to this or a tool to help me further figure out why this is occurring for my setup/configuration? The only comparison I've been able to make between this instance and the other instances is the log message "Added key: 18version: 4" but the other instances are using a different SPN and keytab file. Any help is greatly appreciated.

Thanks,
Tom
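
Added example, not part of the original post: "Checksum failed" inside `KrbApReq.authenticate` means a decryption with the key loaded from the keytab failed its integrity check, and the service ticket in the `Negotiate` header carries its realm, service name, etype and kvno unencrypted, so they can be compared with what the acceptor log reports loading (`Added key: 18version: 4`). The Python below does that comparison; the function names, the `EXAMPLE.TEST` realm, the `app.example.test` host and the sample token are constructed for illustration, and it assumes the header holds a Kerberos AP-REQ rather than an NTLM token.

```python
import base64

def tlv(tag, body):  # DER-encode one element (only builds the constructed sample)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def read_tlv(buf, pos):  # -> (tag, content_start, content_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def elements(buf, span):  # yield (tag, (start, end)) for each sibling element in span
    pos, end = span
    while pos < end:
        tag, s, e = read_tlv(buf, pos)
        yield tag, (s, e)
        pos = e

def find_ticket(buf, span):  # depth-first search for the Ticket, [APPLICATION 1] = 0x61
    for tag, (s, e) in elements(buf, span):
        if tag == 0x61:
            return s, e
        if tag == 0x60:  # GSS framing: mech OID, then a 2-byte token id if Kerberos
            _, o, s = read_tlv(buf, s)
            s += 2 if buf[o:s].endswith(b"\x12\x01\x02\x02") else 0
        if (tag & 0x20 or tag == 0x04) and (found := find_ticket(buf, (s, e))):
            return found  # found below a constructed element or the mechToken

def ticket_fields(token_b64):  # SPN, etype, kvno from the ticket's unencrypted fields
    buf = base64.b64decode(token_b64)
    unwrap = lambda span: {t: read_tlv(buf, sp[0])[1:] for t, sp in elements(buf, span)}
    tkt = unwrap(read_tlv(buf, find_ticket(buf, (0, len(buf)))[0])[1:])
    names = read_tlv(buf, dict(elements(buf, tkt[0xA2]))[0xA1][0])[1:]
    spn = "/".join(buf[s:e].decode() for _, (s, e) in elements(buf, names))
    enc = unwrap(tkt[0xA3])  # EncryptedData: etype [0], kvno [1], cipher [2]
    num = lambda sp: int.from_bytes(buf[sp[0]:sp[1]], "big")
    return {"spn": spn + "@" + buf[slice(*tkt[0xA1])].decode(),
            "etype": num(enc[0xA0]), "kvno": num(enc[0xA1]) if 0xA1 in enc else None}

def keytab_mismatches(token_b64, spn, etype, kvno):  # args: the key the acceptor loaded
    loaded = {"spn": spn, "etype": etype, "kvno": kvno}
    return {k: (v, loaded[k]) for k, v in ticket_fields(token_b64).items() if v != loaded[k]}

def sample_token(kvno):  # constructed token for the demo; cipher bytes are filler
    gs, i = (lambda s: tlv(0x1B, s.encode())), (lambda n: tlv(2, bytes([n])))
    c = lambda n, body: tlv(0xA0 + n, body)  # explicit context tag [n]
    sname = tlv(0x30, c(0, i(2)) + c(1, tlv(0x30, gs("HTTP") + gs("app.example.test"))))
    enc = tlv(0x30, c(0, i(18)) + c(1, i(kvno)) + c(2, tlv(4, bytes(16))))
    tkt = tlv(0x61, tlv(0x30, c(0, i(5)) + c(1, gs("EXAMPLE.TEST")) + c(2, sname) + c(3, enc)))
    req = tlv(0x6E, tlv(0x30, c(0, i(5)) + c(1, i(14)) + c(2, tlv(3, bytes(5))) + c(3, tkt)))
    krb = bytes.fromhex("06092a864886f712010202")
    init = c(0, tlv(0x30, c(0, tlv(0x30, krb)) + c(2, tlv(4, tlv(0x60, krb + b"\x01\x00" + req)))))
    return base64.b64encode(tlv(0x60, bytes.fromhex("06062b0601050502") + init)).decode()
```

`keytab_mismatches(sample_token(6), "HTTP/app.example.test@EXAMPLE.TEST", 18, 4)` reports the kvno difference; any reported field (SPN, etype or kvno) points at the keytab entry to regenerate or re-export.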