Help with SPNEGO error

Wessel, Keith kwessel at
Mon Oct 28 18:00:32 EDT 2019

Hi, all,

We're experimenting more with SPNEGO and are currently running into an error resulting in a SPNEGONOTAVAILABLE exception:

2019-10-28 16:05:50,237 - ERROR [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:180] - Error extracting principal name from security context, check for hostname mismatch or other causes of a missing service ticket

I see a reference to this in the list archives from a few years ago with no real resolution:

The explanation from SWITCH was that the client had a valid Kerberos ticket, but the service for getting a "service ticket" was not available.

I originally thought that the issue was that I had configured the shibboleth.authn.SPNEGO.matchExpression bean for principals being returned from our production KDC but was testing it against our test KDC with different UPN values. But I significantly generalized the principal after the at-sign and got the same results. The above thread leads me to believe it has nothing to do with that.

Can anyone tell me if the service principal I'm using to talk to the KDC needs to have special privileges in Active Directory to be able to validate a Kerberos ticket and obtain the principal it was issued to?

And has anyone else who has run into this problem suggest any other possible causes?


More information about the users mailing list