Help with SPNEGO error

Cantor, Scott cantor.2 at
Mon Oct 28 19:23:48 EDT 2019

On 10/28/19, 6:00 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> I see a reference to this in the list archives from a few years ago with no real resolution: 

It is, from everything I understand about it, impossible. So Java has a bug, that's my conclusion.
> The explanation from SWITCH was that the client had a valid Kerberos ticket, but the service for getting a "service
> ticket" was not available.

That isn't really possible, and there isn't a step there between the server and the KDC, it's the client that gets the ticket and passes it up. The context claims it's been established. In GSS, that means the server successfully decrypted the service ticket from the client for its identity. That call is just trying to extract the name out of the ticket, essentially, so my guess is it's one of those interop bugs between AD and Java where the ticket can't be fully decoded.

> Can anyone tell me if the service principal I'm using to talk to the KDC needs to have special privileges in Active Directory
> to be able to validate a Kerberos ticket and obtain the principal it was issued to?

If it did, the context couldn't be claiming to have been established unless it's even more broken and is lying in that step.

-- Scott
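An added illustration of the acceptor-side sequence described in the reply above (not code from the original post or from the project being discussed): the server first decrypts and validates the client's service ticket in acceptSecContext, and only then reads the client principal out of the established context with getSrcName, so each step is wrapped separately to record which one throws. It assumes a hypothetical JAAS login entry named "ServiceAcceptor" that loads the service principal's keytab.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;

public class SpnegoAcceptor {
    // SPNEGO mechanism OID; the token it wraps here is a Kerberos AP-REQ.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Accepts one SPNEGO token and returns the client principal name, logging which GSS step failed. */
    public static String acceptAndName(byte[] token) throws Exception {
        // Hypothetical JAAS entry: Krb5LoginModule with useKeyTab=true, storeKey=true, isInitiator=false
        LoginContext lc = new LoginContext("ServiceAcceptor");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager manager = GSSManager.getInstance();
            // null name: use the acceptor credential from the logged-in Subject (keytab)
            GSSCredential serverCred = manager.createCredential(
                    null, GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = manager.createContext(serverCred);
            try {
                try {
                    // Step 1: decrypt the service ticket with the server's own key and validate it
                    ctx.acceptSecContext(token, 0, token.length);
                } catch (GSSException e) {
                    System.err.println("acceptSecContext failed (ticket not decrypted/validated): "
                            + e.getMajorString() + " / " + e.getMinorString());
                    throw e;
                }
                if (!ctx.isEstablished()) {
                    // A browser Negotiate exchange normally completes in one token; more rounds mean another leg.
                    throw new IllegalStateException("context not established after one token; needs another round");
                }
                try {
                    // Step 2: the ticket is already validated; this only decodes the client name from it
                    return ctx.getSrcName().toString();
                } catch (GSSException e) {
                    System.err.println("getSrcName failed after the context was established (name decode problem): "
                            + e.getMajorString() + " / " + e.getMinorString());
                    throw e;
                }
            } finally {
                ctx.dispose();
            }
        });
    }
}
```

If the first catch fires, the problem is key or ticket validation (keytab, SPN, encryption type); if only the second fires, the ticket was accepted and the failure is in decoding the name, which is the case the reply describes.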
