From: "polilop"
Subject: SPNEGO TOKEN
Newsgroups: comp.lang.java.security
Date: Wed, 27 Apr 2011 16:08:12 GMT

Hello,

Trying to implement some Kerberos authentication, and all works fine if authenticating a local user, but when I try to authenticate a remote user with a servlet, through Internet Explorer, I keep getting the NTLM token, not the SPNEGO.

I have done the following things:

1. Put the requesting site in IE to local-network.
2. In the IE extended security option, enable Integrated Windows Authentication.

Then you should see a client response something like YIll....... which is true.
(Nope, I get TlRMTVNTUAABAAAAB7IIogoACgAuAAAABgAGACgAAAAFASgKAAAAD0ZJTElQTUNSRURPQkFOS0E= which is NTLM.)

To configure Intranet Authentication:

1. Click the Security tab, click Local intranet, and then click Custom Level.
2. In the Security Settings dialog box, scroll down to the User Authentication section of the list.
3. Select Automatic logon only in Intranet zone. This setting prevents users from having to re-enter logon credentials; a key piece to this solution.
4. Click OK to close the Security Settings dialog box.

In addition to the previous settings, one additional setting is required if you are running Internet Explorer 6.0.

1. In Internet Explorer, click Tools, and then click Internet Options.
2. Click the Advanced tab.
3. Scroll down to the Security section.
4. Make sure that Enable Integrated Windows Authentication (requires restart) is checked, and then click OK.
5. If this box was not checked, restart the browser.

I do have JCIFS NTLM set up for entering the site, but afterwards I need to do authorisation with Kerberos to authenticate with EIM to work with jt400 on as400. So when I do

httpServletResponse.setHeader("WWW-Authenticate", "Negotiate");

I always get the NTLM token. Searched the web, couldn't find anything apart from the above given steps.
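Added example, not part of the original post: a Java check a servlet could run on the Authorization: Negotiate value to tell a raw NTLM message from a SPNEGO or Kerberos GSS-API token, using the token quoted in the post and a constructed SPNEGO header. The class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper (not from JCIFS or jt400): identifies what the browser actually sent.
public class NegotiateTokenType {
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER-encoded mechanism OIDs: SPNEGO 1.3.6.1.5.5.2 and Kerberos 5 1.2.840.113554.1.2.2
    private static final byte[] SPNEGO_OID = {0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
    private static final byte[] KRB5_OID =
        {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    /** Classifies the value of an "Authorization: Negotiate <base64>" request header. */
    public static String classify(String header) {
        if (header == null || !header.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return "not a Negotiate header";
        }
        byte[] t;
        try {
            t = Base64.getDecoder().decode(header.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return "invalid base64";
        }
        if (startsWith(t, 0, NTLMSSP)) {
            // Message type is a little-endian uint32 at offset 8; its low byte is 1, 2 or 3.
            return "raw NTLM, message type " + (t.length > 8 ? t[8] & 0xff : -1);
        }
        if (t.length > 2 && (t[0] & 0xff) == 0x60) {
            // 0x60 opens a GSS-API initial token; skip the DER length (short or long form).
            int lenByte = t[1] & 0xff;
            int oidAt = 2 + (lenByte < 0x80 ? 0 : lenByte & 0x7f);
            if (startsWith(t, oidAt, SPNEGO_OID)) return "SPNEGO NegTokenInit";
            if (startsWith(t, oidAt, KRB5_OID)) return "bare Kerberos 5 GSS token";
            return "GSS-API token, other mechanism";
        }
        if (t.length > 0 && (t[0] & 0xff) == 0xa1) return "SPNEGO NegTokenResp";
        return "unknown";
    }
    private static boolean startsWith(byte[] data, int off, byte[] prefix) {
        return data.length - off >= prefix.length
            && Arrays.equals(Arrays.copyOfRange(data, off, off + prefix.length), prefix);
    }
    public static void main(String[] args) {
        // Token quoted in the post
        String ntlm = "TlRMTVNTUAABAAAAB7IIogoACgAuAAAABgAGACgAAAAFASgKAAAAD0ZJTElQTUNSRURPQkFOS0E=";
        // Constructed sample: a GSS-API header carrying only the SPNEGO OID
        byte[] spnegoHeader = {0x60, 0x08, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02};
        System.out.println(classify("Negotiate " + ntlm));
        System.out.println(classify("Negotiate " + Base64.getEncoder().encodeToString(spnegoHeader)));
    }
}
```

Logging this classification on the server side shows whether the client fell back to NTLM inside the Negotiate scheme before any Kerberos validation is attempted.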