Help with SPNEGO error

Daniel Lutz daniel.lutz at switch.ch
Tue Oct 29 07:31:50 EDT 2019


Wessel, Keith [28.10.19 23:00]:
> We're experimenting more with SPNEGO and are currently running into an error resulting in a SPNEGONOTAVAILABLE exception:
> 
> 2019-10-28 16:05:50,237 - ERROR [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:180] - Error extracting principal name from security context, check for hostname mismatch or other causes of a missing service ticket
> 
> I see a reference to this in the list archives from a few years ago with no real resolution: https://shibboleth.1660669.n2.nabble.com/SPNEGO-amp-IDP-3-2-1-td7625753.html
> 
> The explanation from SWITCH was that the client had a valid Kerberos ticket, but the service for getting a "service ticket" was not available.

While searching my archives, I found a hint to the solution to the problem described
in https://shibboleth.1660669.n2.nabble.com/SPNEGO-amp-IDP-3-2-1-td7625753.html.
(Unfortunately we failed to send a comment to the list and to add a note
to the documentation back then.)

Is your service DNS name a CNAME pointing to another DNS name?
In this case, the client may use a wrong service principal name (SPN).

Can you please check the DNS names of your IdP service?

Example (according to my understanding):

IdP is reachable at idp.example.org, which is a CNAME to server1.example.org.
The client may try to get a service ticket for HTTP/server1.example.org at EXAMPLE.ORG.

(See e.g. https://docs.microsoft.com/en-us/previous-versions/office/sharepoint-server-2010/gg502606(v=office.14)#kerberos-authentication-and-dns-cnames)

(Why Java "accepts" the ticket in this case is not clear to me. This could be a bug, as mentioned
by Scott.)

This problem seems to affect some browsers (IE) only. Have you tried with other browsers
(Firefox, Chrome) too?

  Daniel
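A small check for the CNAME situation described in the message above, added here as an example and not code from the thread or from the Shibboleth project: it lists the SPN a client would request for the hostname as typed in the URL and for the DNS canonical name, and reports which of those is absent from the IdP keytab. The realm, hostnames and CNAME table are constructed placeholders; the live lookup approximates client-side canonicalisation with getaddrinfo(AI_CANONNAME).

```python
import socket
from typing import Callable, Dict, List

REALM = "EXAMPLE.ORG"  # constructed placeholder realm

# Constructed CNAME table standing in for DNS so the demo runs offline.
DEMO_CNAMES = {"idp.example.org": "server1.example.org"}


def demo_canonicalise(host: str) -> str:
    """Offline stand-in for DNS: follow the constructed CNAME table."""
    seen = set()
    while host in DEMO_CNAMES and host not in seen:
        seen.add(host)
        host = DEMO_CNAMES[host]
    return host


def dns_canonicalise(host: str) -> str:
    """Ask the system resolver for the canonical name (the CNAME target, if any),
    approximating a client that canonicalises the host before requesting a ticket."""
    try:
        results = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    except socket.gaierror:
        return host
    return (results[0][3] if results else "") or host


def spn_candidates(host: str, realm: str = REALM,
                   canonicalise: Callable[[str], str] = dns_canonicalise) -> Dict[str, str]:
    """SPNs a client may request: for the name as typed and for the canonical name."""
    typed = host.rstrip(".").lower()
    canon = canonicalise(host).rstrip(".").lower()
    return {"as_typed": f"HTTP/{typed}@{realm}",
            "canonical": f"HTTP/{canon}@{realm}"}


def missing_spns(host: str, keytab_spns: List[str], realm: str = REALM,
                 canonicalise: Callable[[str], str] = dns_canonicalise) -> List[str]:
    """Candidate SPNs with no key in the IdP keytab; non-empty means some clients
    may request a service ticket the IdP has no key for."""
    have = {s.strip() for s in keytab_spns}
    missing: List[str] = []
    for spn in spn_candidates(host, realm, canonicalise).values():
        if spn not in have and spn not in missing:
            missing.append(spn)
    return missing


if __name__ == "__main__":
    keytab = ["HTTP/idp.example.org@EXAMPLE.ORG"]  # constructed keytab contents
    print(spn_candidates("idp.example.org", canonicalise=demo_canonicalise))
    print("missing:", missing_spns("idp.example.org", keytab, canonicalise=demo_canonicalise))
```

Pass `canonicalise=dns_canonicalise` (the default) to run the same check against the real resolver for your own IdP hostname.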