Our web application deployed on JBoss 4.2.3 GA version is using SPNEGO security-negotiation-2.0.3.GA for single sign on to autheticate users with Active directory.
Windows 2003 R2 SP2 Active directory (KDC)
JBoss 4.3.2 GA on Linux 5.3 server
Windows XP 2002 SP3
The KDC domain is oxacmdc.com and the linux server host name is lnx53camdev6.
We have followed the steps given in the user guide and created keytab file ( we have created a user account with different name than the host name of linux server).
setspn.exe -a host/lnx53camdev6.oxacmdc.com jbossuser
setspn.exe -a HTTP/lnx53camdev6.oxacmdc.com jbossuser
ktpass -princ host/lnx53camdev6@OXACMDC.COM -pass * -mapuser OXACMDC\jbossuser -ptype KRB5_NT_PRINCIPAL -out C:\lnx53camdev6.host.keytab
ktab -k c:\lnx53camdev6.host.keytab -a jbossuser@OXACMDC.COM
output of setspn -l jbossuser
Registered ServicePrincipalNames for CN=jbossuser,CN=Users,DC=oxacmdc,DC=com:
The negotiation toolkit tests (basic and host) are successful when launched them from Windows 2003 R2 SP2 and Windows XP client. We are able to access our web application from Windows 2003 R2 SP2 server machine successfully. But when we try to access our application from windows xp 2002 SP3 machine (with the same user logged in as that on windows server), we get HTTP 401 error - "This request requires HTTP authentication ()." The jboss server log reports following error:
2011-09-24 03:01:25,405 8120236 WARN [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-8643-2:) Unsupported negotiation mechanism 'NTLM'.
Any clue why it does not work on Windows XP?
Also would like to know - is it mandatory to create a user account with hostname of the server and if so why?