Thursday 15 March 2012

single sign on - SPNEGO with Tomcat error: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

I am trying to implement browser-based single sign-on using SPNEGO with Tomcat.

I have followed the instructions on these two pages:

http://spnego.sourceforge.net/pre_flight.html
http://spnego.sourceforge.net/spnego_tomcat.html

When I accessed hello_spnego.jsp from Firefox or Chrome, I was asked for a username and password, and it showed me the username perfectly; it worked like a charm. However, when I tried to access it from IE, I got this error:

HTTP Status 500 - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

type Exception report

message GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

While looking for a solution, I came across this page: http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html

I followed the client configuration instructions in the second half of that page. After that, all three browsers (Chrome, Firefox and IE) show the same error, and none of them ask for a username and password anymore.

I have verified that the account used to talk to the KDC is working correctly. Also, I have the username and password specified in the web.xml file; I don't have a separate keytab file.

For diagnosis purposes, here are the contents of my krb5.conf and login.conf files:

krb5.conf

[libdefaults]
    default_realm = DEVID.LOCAL
    default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5
    permitted_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac arcfour-hmac-md5

[realms]
    DEVID.LOCAL = {
        kdc = cdi-prod.devid.local
        default_domain = devid.local
    }

[domain_realm]
    .devid.local = DEVID.LOCAL

login.conf

spnego-client {
    com.sun.security.auth.module.Krb5LoginModule required;
};

spnego-server {
    com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        isInitiator=false;
};

Since I don't have a keytab file, it is not mentioned in the login.conf file.

Also, since I'm using aes256-cts encryption, I have added the requisite JCE policy files (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html) to the jre/lib/security folder of the JDK.

FYI, I'm using Tomcat 8 and JDK 1.8.

I would appreciate any insight on what's happening here. If you need more information, please let me know. Thanks in advance!

I was having the same issue, and found the answer in this post:

...go to the advanced settings of IE (Internet Options > Advanced tab) and disable the "Enable Integrated Windows Authentication" checkbox, the error goes away, and I am able to see the logged-in user's name on IE as well...

Revert the changes made after following the Oracle article before trying this.
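The IE-only failure in the question and the browser-setting change in the answer both turn on what IE actually puts in the Authorization: Negotiate header, which neither post looks at. One check a practitioner would want before changing browser settings is to capture that header (browser developer tools, or a servlet filter that logs request.getHeader("Authorization") ahead of the SPNEGO filter) and decode it. A SPNEGO NegTokenInit whose first mechType is Kerberos carries a ticket for the server's SPN; one whose only mechanism, or whose mechToken, is NTLMSSP means the browser could not obtain a Kerberos ticket for that host name, and a server configured only with Krb5LoginModule cannot process it. The decoder below is an added example and is not code from the original post or from the spnego.sourceforge.net project. The sample headers in it are constructed inside the script (not captured traffic), and the AP-REQ bytes are a labelled placeholder; the OID constants are the standard RFC 4178 / MS-SPNG values.

```python
"""Classify what a client put in an HTTP "Authorization: Negotiate" header:
raw NTLMSSP, a SPNEGO NegTokenInit (and which mechanisms it offers, in
preference order), or a bare Kerberos GSS-API token.

Added diagnostic example; sample headers are constructed here, not captured.
"""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
KRB5_MS_OID = "1.2.840.48018.1.2.2"        # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {
    SPNEGO_OID: "SPNEGO",
    KRB5_OID: "Kerberos V5",
    KRB5_MS_OID: "Kerberos V5 (Microsoft legacy OID)",
    NTLMSSP_OID: "NTLMSSP",
}


def encode_oid(oid):
    """DER-encode a dotted OID string (content octets only, no tag/length)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128, high bit set on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(value):
    """Inverse of encode_oid: content octets -> dotted string."""
    parts = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def der(tag, content):
    """Wrap content in a DER tag/length header (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids, mech_token=b""):
    """Build a SPNEGO NegTokenInit (RFC 4178) offering mech_oids in order,
    optionally carrying the first mechanism's token in mechToken [2]."""
    mech_list = der(0x30, b"".join(der(0x06, encode_oid(o)) for o in mech_oids))
    fields = der(0xA0, mech_list)                       # mechTypes [0]
    if mech_token:
        fields += der(0xA2, der(0x04, mech_token))      # mechToken [2]
    neg_token_init = der(0xA0, der(0x30, fields))       # CHOICE negTokenInit [0]
    return der(0x60, der(0x06, encode_oid(SPNEGO_OID)) + neg_token_init)


def classify_negotiate_token(b64_token):
    """Describe a base64 Negotiate token: its kind and offered mechanisms."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(NTLMSSP_SIGNATURE):               # NTLMSSP sent bare
        return {"kind": "raw NTLMSSP", "mechs": [],
                "ntlm_message_type": struct.unpack_from("<I", raw, 8)[0]}
    if not raw or raw[0] != 0x60:                       # [APPLICATION 0], RFC 2743
        return {"kind": "unknown", "mechs": []}
    _, body, _ = read_tlv(raw)
    tag, oid_bytes, pos = read_tlv(body)
    if tag != 0x06:
        return {"kind": "unknown", "mechs": []}
    this_mech = decode_oid(oid_bytes)
    if this_mech != SPNEGO_OID:                          # e.g. a bare Kerberos token
        return {"kind": "raw GSS-API " + OID_NAMES.get(this_mech, this_mech),
                "mechs": [this_mech]}
    init_tag, init, _ = read_tlv(body, pos)
    if init_tag != 0xA0:                                 # client's first token is NegTokenInit
        return {"kind": "SPNEGO (not NegTokenInit)", "mechs": []}
    _, seq, _ = read_tlv(init)
    mechs, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                                  # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(val)
            p = 0
            while p < len(lst):
                _, o, p = read_tlv(lst, p)
                mechs.append(decode_oid(o))
        elif tag == 0xA2:                                # mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(val)
    return {"kind": "SPNEGO", "mechs": mechs,
            "preferred": OID_NAMES.get(mechs[0], mechs[0]) if mechs else None,
            "mech_token_is_ntlm": mech_token.startswith(NTLMSSP_SIGNATURE)}


def classify_authorization_header(header_value):
    """Entry point: takes the full Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not Negotiate", "scheme": scheme, "mechs": []}
    return classify_negotiate_token(token.strip())


# --- constructed samples (assumed shapes, not captured from a browser) ---
NTLM_TYPE1 = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0xE2088297) + bytes(16)

# Client that holds a Kerberos ticket: Kerberos offered first, NTLM as fallback.
SAMPLE_KERBEROS_HEADER = "Negotiate " + base64.b64encode(build_neg_token_init(
    [KRB5_MS_OID, KRB5_OID, NTLMSSP_OID], b"<placeholder for AP-REQ>")).decode()

# Client that could not get a ticket for the SPN: only NTLM, wrapped in SPNEGO.
SAMPLE_NTLM_IN_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    build_neg_token_init([NTLMSSP_OID], NTLM_TYPE1)).decode()

# Some clients send NTLMSSP directly under the Negotiate scheme.
SAMPLE_RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS_HEADER, SAMPLE_NTLM_IN_SPNEGO_HEADER, SAMPLE_RAW_NTLM_HEADER):
        print(classify_authorization_header(h))
```

To use it on a real request, pass the complete Authorization header value to classify_authorization_header. If the result shows NTLMSSP as the only or preferred mechanism, the browser never obtained a Kerberos service ticket for the host name in the URL, which points at the SPN, the zone/intranet settings or the ticket cache rather than at the server's keys; if it shows Kerberos first, the server side (the account's key, its enctypes and the realm mapping in krb5.conf) is where to look.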

tomcat single-sign-on spnego
