According to Microsoft documentation, if you register the service principal name correctly and your machine is logged onto the domain, then when using IE (6 or later) with the Integrated Windows Authentication box enabled and the site you are visiting already part of the intranet zone, with the automatic log-on setting selected, the browser should be able to send a Kerberos token to the web server. We are using the Apache Tomcat web server, but when the server requests negotiation with a WWW-Authenticate header, apparently the browser is always sending an NTLM token only (I can see the token starts with TlRMTVNT).
When the service principal names are listed, it looks as below:
C:\Program Files\Apache\bin>setspn.exe -L mydesktop
Registered ServicePrincipalNames for CN=mydesktop,CN=Computers,DC=testdomain,DC=loc:
http/mydesktop.testdomain.loc
http/mydesktop
MSSQLSvc/mydesktop.testdomain.loc:1419
MSSQLSvc/mydesktop.testdomain.loc:SQLINSTANCE1
MSSQLSvc/mydesktop.testdomain.loc:1433
MSSQLSvc/mydesktop.testdomain.loc
HOST/mydesktop
HOST/mydesktop.testdomain.loc
My web server URL will be like this: http://mydesktop.testdomain.loc/myapplication
My operating system is Windows 2003 Server and my connectivity to testdomain.loc is perfectly fine.
I even installed the Microsoft Resource Kit tools and used kerbtray.exe to look at the Kerberos tickets. I can see that in general there are Kerberos tickets, but the browser cannot acquire one and pass it on when requesting the web server.
If someone can help on this and shed some light on what else we need to take care of, it would be of great help.
Thank you
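To tell from the server side which mechanism the browser actually chose (the TlRMTVNT prefix mentioned in the post is the base64 encoding of the NTLMSSP signature), here is an added Python example; it is not code from the original post or from Tomcat. The headers it classifies are constructed samples, and the mechanism check is a byte-pattern heuristic on the SPNEGO mechTypes list rather than a full ASN.1 parse.

```python
import base64
import re

# OIDs as they appear DER-encoded inside a SPNEGO NegTokenInit (RFC 4178).
SPNEGO_OID = bytes.fromhex("06062b0601050502")                        # 1.3.6.1.5.5.2
MECH_OIDS = {
    "MS Kerberos (legacy)": bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2
    "Kerberos V5": bytes.fromhex("06092a864886f712010202"),           # 1.2.840.113554.1.2.2
    "NTLMSSP": bytes.fromhex("060a2b06010401823702020a"),             # 1.3.6.1.4.1.311.2.2.10
}
NTLM_SIGNATURE = b"NTLMSSP\x00"   # first 8 bytes of every NTLM message; base64 "TlRMTVNTUAA="

def classify_negotiate_token(header_value):
    """Describe what the client actually sent in 'Authorization: Negotiate <base64>'."""
    m = re.match(r"^\s*Negotiate\s+(\S+)", header_value, re.I)
    if not m:
        return "not a Negotiate header"
    try:
        token = base64.b64decode(m.group(1), validate=True)
    except (ValueError, TypeError):
        return "undecodable token"
    if token.startswith(NTLM_SIGNATURE):
        return "raw NTLM (no SPNEGO wrapper)"
    if token[:1] != b"\x60" or SPNEGO_OID not in token[:16]:
        return "unknown token format"
    # Heuristic, not a full ASN.1 parse: mechTypes lists OIDs in preference
    # order, so the earliest mech OID in the byte stream is the client's first choice.
    found = sorted((token.find(oid), name) for name, oid in MECH_OIDS.items() if oid in token)
    if not found:
        return "SPNEGO with no recognised mechanism"
    preferred = found[0][1]
    return "SPNEGO wrapping NTLM" if preferred == "NTLMSSP" else "SPNEGO offering " + preferred

def _der(tag, body):
    """Minimal DER TLV encoder (short-form length only) used to build the samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed sample headers (not captured traffic) covering the three cases."""
    ntlm_type1 = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
    krb_token = _der(0x60, MECH_OIDS["Kerberos V5"] + b"\x01\x00" + b"<placeholder AP-REQ>")
    def neg_token_init(mech_types, mech_token):
        body = _der(0xA0, _der(0x30, b"".join(mech_types))) + _der(0xA2, _der(0x04, mech_token))
        return _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, body)))
    spnego_krb = neg_token_init(
        [MECH_OIDS["MS Kerberos (legacy)"], MECH_OIDS["Kerberos V5"], MECH_OIDS["NTLMSSP"]], krb_token)
    spnego_ntlm = neg_token_init([MECH_OIDS["NTLMSSP"]], ntlm_type1)
    b64 = lambda t: "Negotiate " + base64.b64encode(t).decode("ascii")
    return {"raw_ntlm": b64(ntlm_type1), "spnego_krb": b64(spnego_krb), "spnego_ntlm": b64(spnego_ntlm)}
```

Run the classifier over the Authorization headers your Tomcat access log or a request filter records; "raw NTLM" or "SPNEGO wrapping NTLM" means the browser never obtained a service ticket for the SPN, which is the symptom described above.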