Java Kerberos authentication seems to work, still gets rejected
I've got a Java client app and a Java server app, and I'm trying to authenticate to the server via Kerberos. The client basically uses http-components and SPNEGO to make an HTTP GET call, but I always get 401 Unauthorized as a result.

I cannot spot the error in the Kerberos login sequence below, maybe you guys can:

Debug is  true storeKey false useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Kerberos-Benutzername [GP_Myuser]: [email protected]
Kerberos-Passwort für [email protected]:
                [Krb5LoginModule] user entered username: GP_Myuser@EESERV.LOCAL

default etypes for default_tkt_enctypes: 23.
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=144
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=144
>>> KrbKdcReq send: #bytes read=181
>>> KrbKdcReq send: #bytes read=181
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
         sTime is Tue Jul 05 16:28:31 CEST 2011 1309876111000
         suSec is 250145
         error code is 25
         error Message is Additional pre-authentication required
         realm is EESERV.LOCAL
         sname is krbtgt/EESERV.LOCAL
         eData provided.
         msgType is 30
>>>Pre-Authentication Data:
         PA-DATA type = 11
         PA-ETYPE-INFO etype = 23
         PA-ETYPE-INFO salt =
>>>Pre-Authentication Data:
         PA-DATA type = 19
         PA-ETYPE-INFO2 etype = 23
         PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:
         PA-DATA type = 2
         PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
         PA-DATA type = 16
>>>Pre-Authentication Data:
         PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 23.
>>>KrbAsReq salt is EESERV.LOCALGP_Myuser
default etypes for default_tkt_enctypes: 23.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=222
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=222
>>> KrbKdcReq send: #bytes read=1450
>>> KrbKdcReq send: #bytes read=1450
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply GP_Myuser
default etypes for default_tkt_enctypes: 23.
principal is [email protected]
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 3D F9 1C A6 3B 94 7B 27   B3 6C D7 E5 70 77 84 22  =...;..'.l..pw."

Commit Succeeded

Found ticket for [email protected] to go to krbtgt/EESERV.LOCAL@EESERV.LOCAL expiring on Wed Jul 06 02:28:32 CEST 2011
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000, number of retries =3, #bytes=1452
>>> KDCCommunication: kdc=atlnztdc01.eeserv.local UDP:88, timeout=30000,Attempt=1, #bytes=1452
>>> KrbKdcReq send: #bytes read=1436
>>> KrbKdcReq send: #bytes read=1436
>>> KdcAccessibility: remove atlnztdc01.eeserv.local:88
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 512880730
Created InitSecContextToken:

05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute
INFO: I/O exception (org.apache.http.NoHttpResponseException) caught when processing request: The target server failed to respond
05.07.2011 16:28:33 org.apache.http.impl.client.DefaultRequestDirector tryExecute
INFO: Retrying request
----------------------------------------
HTTP/1.1 401 Unauthorized
----------------------------------------
<html><head>
<meta http-equiv="Refresh" content="0; url=/share/page?pt=login">
</head><body><p>Please <a href="/share/page?pt=login">log in</a>.</p>
</body></html>

----------------------------------------
Devlin answered 5/7, 2011 at 16:29 Comment(1)
Couple of things. What is the target SPN you have provided as an argument and what Realm have you set in the web.xml of the required servlet? You can set a JAAS Realm, for example. - Klecka

Your Kerberos configuration might be completely fine. The 401 message means that the authentication itself probably went fine. However, I suspect the webapp only allows users if they are assigned a Role. The SPNego mechanism does not assign such a role out-of-the-box. You still need to configure a Realm that performs the mapping.

See also my question on the Tomcat users mailing list. https://mail-archives.apache.org/mod_mbox/tomcat-users/201210.mbox/%[email protected]%3E

Pedestrian answered 23/4, 2013 at 7:4 Comment(0)

What library do you use on the server side? Did you enable debug flags to see what happens when the server processes the service ticket?

Fecteau answered 6/7, 2011 at 9:33 Comment(2)
The server is a Tomcat with Alfresco running on it. The JVM Kerberos support is used. I've not yet looked at the server in detail, because I thought the login process didn't work. Does the snippet I posted look like a successful auth. to you? - Rabassa
It seems to be fine but you need to share server output. Do you use a Tomcat authenticator or is this some built-in feature in Alfresco? Don't know if Alf... has already built-in Krb5 support. Beware that SPNEGO, which is what you are doing, is supported in Java 6 only. - Fecteau
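As an added example that is not part of this thread, a small Python triage script for this kind of client-side Krb5 debug output: it separates the expected KDC_ERR_PREAUTH_REQUIRED retry from a real KDC failure, checks whether a TGT and an InitSecContextToken were actually produced, and, when the 401 arrives only after the token was built, points at the server side (SPN/keytab, realm/role mapping) as the two answers above suggest. The sample log is constructed with placeholder names; it also flags RC4-HMAC (etype 23) as a weak negotiated encryption type.

```python
import re

# Constructed sample modelled on the client-side Krb5 debug output in the question
# (user name and realm are placeholders, not the poster's values).
SAMPLE_LOG = """\
default etypes for default_tkt_enctypes: 23.
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>> KrbAsRep cons in KrbAsReq.getReply someuser
Commit Succeeded
Found ticket for someuser@EXAMPLE.LOCAL to go to krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL expiring on Wed Jul 06 02:28:32 CEST 2011
Entered Krb5Context.initSecContext with state=STATE_NEW
>>> KrbApReq: APOptions are 00100000 00000000 00000000 00000000
Created InitSecContextToken:
HTTP/1.1 401 Unauthorized
"""

# KDC_ERR_PREAUTH_REQUIRED (25) is part of a normal AS exchange: the client retries with a timestamp.
BENIGN_KRB_ERRORS = {25}
WEAK_ETYPES = {23: "rc4-hmac"}  # RC4-HMAC is deprecated; AES etypes (17/18) are preferred


def triage(log: str) -> dict:
    """Classify how far the client got and what a defender should look at next."""
    errors = [int(e) for e in re.findall(r"error code is (\d+)", log)]
    etypes = set()
    for group in re.findall(r"default etypes for \w+: ([\d ]+)\.", log):
        etypes.update(int(x) for x in group.split())
    m = re.search(r"HTTP/1\.\d (\d{3})", log)
    status = int(m.group(1)) if m else None
    got_tgt = "Commit Succeeded" in log and "Found ticket for" in log
    got_token = "Created InitSecContextToken" in log
    fatal = [e for e in errors if e not in BENIGN_KRB_ERRORS]

    if fatal:
        stage, next_step = "kerberos_failed", "inspect KRBError codes; the KDC rejected the request"
    elif got_token and status == 401:
        stage, next_step = "server_rejected_token", "client auth completed; check server SPN/keytab and realm/role mapping"
    elif got_tgt and not got_token:
        stage, next_step = "no_service_ticket", "TGT obtained but no service ticket; verify the target SPN exists"
    elif got_token:
        stage, next_step = "token_sent", "no HTTP rejection seen in this log"
    else:
        stage, next_step = "no_tgt", "AS exchange never completed; check credentials and KDC reachability"

    findings = [f"weak encryption type negotiated: {WEAK_ETYPES[e]} ({e})" for e in sorted(etypes) if e in WEAK_ETYPES]
    return {"stage": stage, "next_step": next_step, "status": status,
            "fatal_errors": fatal, "etypes": sorted(etypes), "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```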
