We are trying to implement SSO in our web application with the help of SPNEGO in JBOSS AS 4.2.2.
We are using ‘security-negotiation-2.0.3.GA’ and have followed the user guide Negotiation_User_Guide_(en-US).pdf. After making all changes as mentioned in the user guide, we tried out Negotiation Toolkit web application to test various aspects of SPNEGO configuration. First two tests (Basic Negotiation servlet and Security Domain Test' servlet) were successful, however, for the third servlet (‘Secured’), we are getting following error:
Also, when we run the test using kinit username@KERBEROS.REALM.COM, it prompts us for password. on Entering the correct password, it throws the following exception-
We are using Active Directory with Windows Server 2003 service pack 2, JBOSS AS 4.2.2 on Windows XP service pack 2 and Internet Explorer 6 as client from a Windows XP service pack 2 box.
Could anyone help us fix these exceptions and get our kerberos SSO working? Also, we have some specific questions where we think we might have gone wrong-
1) We executed ktpass as-
Is it correct? Or, do we need to execute it as-
(Note the difference of host vs HTTP)
Documentation at- http://community.jboss.org/wiki/ConfiguringJBossNegotiationinanallWindowsDomain says that we should execute with HTTP while the user guide mentions it should be host.
2) Do we need to execute ktab.exe on the machine where JBOSS is running? Again user guide asks for it but the documentation at the URL given above doesn't mention that.
3) The account created for JBoss server on active directory is using the same name as the name of the server host machine. Is this fine? Or should the account name be different from the name of the machine hosting the server?