Help with SPNEGO error

Daniel Lutz daniel.lutz at
Tue Oct 29 07:31:50 EDT 2019

Wessel, Keith [28.10.19 23:00]:
> We're experimenting more with SPNEGO and are currently running into an error resulting in a SPNEGONOTAVAILABLE exception:
> 2019-10-28 16:05:50,237 - ERROR [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:180] - Error extracting principal name from security context, check for hostname mismatch or other causes of a missing service ticket
> I see a reference to this in the list archives from a few years ago with no real resolution:
> The explanation from SWITCH was that the client had a valid Kerberos ticket, but the service for getting a "service ticket" was not available.

While searching my archives, I found a hint to the solution to the problem described
(Unfortunately, we neglected to send a comment to the list and to add a note
to the documentation back then.)

Is your service DNS name a CNAME pointing to another DNS name?
In this case, the client may use a wrong service principal name (SPN).

Can you please check the DNS names of your IdP service?

Example (according to my understanding):

IdP is reachable at, which is a CNAME to
The client may try to get a service ticket for HTTP/ at EXAMPLE.ORG.

(See e.g.

(Why Java "accepts" the ticket in this case is not clear to me. This could be a bug, as mentioned
by Scott.)

This problem seems to affect some browsers (IEs) only. Have you tried with other browsers
(Firefox, Chrome) too?
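
Added example (not part of the original message, and not Shibboleth code): a small check for the CNAME/SPN mismatch described above. It assumes a client that canonicalizes the host name through DNS before building the SPN. The host names, the keytab contents and the helper names canonical_name and spn_report are constructed for illustration.

```python
import socket

def canonical_name(host, records=None):
    """Follow CNAME records to the final name.

    records: optional dict {alias: target} of constructed CNAME data for
    offline use; when omitted, the system resolver is asked instead.
    """
    host = host.rstrip(".").lower()
    if records is None:
        info = socket.getaddrinfo(host, 443, flags=socket.AI_CANONNAME)
        return (info[0][3] or host).rstrip(".").lower()
    seen = set()
    while host in records:
        if host in seen:
            raise ValueError("CNAME loop at " + host)
        seen.add(host)
        host = records[host].rstrip(".").lower()
    return host

def spn_report(url_host, realm, keytab_spns, records=None):
    """Compare the SPNs a client could request with those in the keytab."""
    # SPN built from the name in the URL (no canonicalization).
    typed = "HTTP/%s@%s" % (url_host.rstrip(".").lower(), realm)
    # SPN built from the CNAME target (assumed behaviour of a canonicalizing client).
    canon = "HTTP/%s@%s" % (canonical_name(url_host, records), realm)
    known = {s.lower() for s in keytab_spns}
    candidates = dict.fromkeys([typed, canon])  # de-duplicate, keep order
    return {
        "typed_spn": typed,
        "canonical_spn": canon,
        "is_cname": typed != canon,
        "missing": [s for s in candidates if s.lower() not in known],
    }

# Constructed sample data, not taken from the thread.
SAMPLE_CNAMES = {"idp.example.org": "host1.example.org"}
SAMPLE_KEYTAB = ["HTTP/idp.example.org@EXAMPLE.ORG"]

if __name__ == "__main__":
    print(spn_report("idp.example.org", "EXAMPLE.ORG",
                     SAMPLE_KEYTAB, SAMPLE_CNAMES))
```

A non-empty "missing" list together with "is_cname" set to True means some clients may request a service ticket for a principal the IdP keytab does not contain.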

