How can I fallback to BASIC or FORM authentication when SPNEGO can't be used for a client?
I finally configured my JBoss AS 7 server to use SPNEGO on an AD domain against Windows 2008 R2. I'm using Java 7.

When a user accesses the server URL from somewhere other than a domain computer (say, from a mobile phone or the wider Internet), they're prompted for a username and password, then I get the error:

Login failure: javax.security.auth.login.LoginException: Unsupported negotiation mechanism 'NTLM'

When the user accesses the URL while logged in on the domain, it all works.

In the SPNEGO security domain (standalone.xml) I configured two login modules:

First: org.jboss.security.negotiation.spnego.SPNEGOLoginModule

Second:

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
    <module-option name="password-stacking" value="useFirstPass"/>
    <module-option name="usersProperties" value="file:${jboss.server.config.dir}/spnego-users.properties"/>
    <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/spnego-roles.properties"/>
    <module-option name="defaultUsersProperties" value="file:${jboss.server.config.dir}/spnego-users.properties"/>
    <module-option name="defaultRolesProperties" value="file:${jboss.server.config.dir}/spnego-roles.properties"/>
</login-module>

The question is: How can I fallback to BASIC or FORM when SPNEGO is out of scope?

Thanks

Full exception follows:

00:40:23,751 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-9090-8) Login failure: javax.security.auth.login.LoginException: Unsupported negotiation mechanism 'NTLM'.
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:230) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:194) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_05]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_05]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_05]
        at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_05]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_05]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_05]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_05]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_05]
        at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_05]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_05]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_05]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
        at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
        at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
        at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_05]
Outbalance answered 15/8, 2012 at 3:49
Honestly, I would suggest using Spring Security with the SPNEGO extension. Please see something like: http://blog.springsource.org/2009/09/28/spring-security-kerberos/

After that, you can have MORE authentication providers.

Citation taken from: Multiple Authentication Providers in Spring Security

You can specify as many providers as you want. They will be checked in the same order you declared them inside the authentication-manager tag. Once a successful authentication is made, it will stop polling the providers. If any provider throws an AccountStatusException it will also break the polling.

This way, you will not be dependent on specific application server configuration.

Batsman answered 19/5, 2013 at 10:57
You would need to modify the WEB-INF/web.xml file to fall back to BASIC:

<context-param>
  <description>BASIC Authentication FallBack</description>
  <param-name>org.jboss.security.negotiation.NegotiationAuthenticator.BasicAuthFallBack</param-name>
  <param-value>true</param-value>
</context-param>

See here for details:

https://issues.jboss.org/browse/SECURITY-793

Buddhi answered 16/6, 2016 at 20:29
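The failure in the question and the fallback both answers are after come down to one decision the server has to make after it sees the client's first Negotiate token: is the client leading with Kerberos, or with NTLM (raw NTLMSSP, or a SPNEGO NegTokenInit whose first mechType is NTLM)? The following is an added example, not code from jboss-negotiation, Spring Security or the original post. It parses the DER framing of a GSS-API/SPNEGO token far enough to read the leading mechanism, then applies a fallback policy of its own: Kerberos tokens go to the GSS acceptor, anything else is re-challenged with Basic, and Basic is offered only over TLS. The sample tokens are constructed (the Kerberos mechToken is a placeholder, not a real AP-REQ), and the policy in `next_step()` is this example's, not what JBoss's `BasicAuthFallBack` option does.

```python
"""Classify an 'Authorization: Negotiate' token and choose the fallback challenge.

Added example, not code from jboss-negotiation, Spring Security or the original
post. A browser that cannot obtain a Kerberos ticket answers a Negotiate
challenge with NTLM; a Kerberos-only server should then re-challenge with
Basic (over TLS) instead of failing the login, which is the error in the
question. The fallback policy in next_step() is this example's own.
"""
from __future__ import annotations

import base64

# DER-encoded OID contents (RFC 4178, RFC 4121, MS-SPNG).
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "KRB5", OID_MS_KRB5: "MS-KRB5", OID_NTLMSSP: "NTLM"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def preferred_mechanism(token_b64: str) -> str:
    """Name the mechanism a client's Negotiate token leads with."""
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "RAW-NTLM"                     # NTLMSSP with no GSS-API framing at all
    if not raw or raw[0] != 0x60:
        return "UNKNOWN"                      # not an InitialContextToken
    _, body, _ = read_tlv(raw, 0)
    tag, this_mech, pos = read_tlv(body, 0)   # thisMech OID
    if tag != 0x06:
        return "UNKNOWN"
    if this_mech in MECH_NAMES:
        return MECH_NAMES[this_mech]          # bare mechanism token, no SPNEGO wrapper
    if this_mech != OID_SPNEGO:
        return "UNKNOWN"
    _, neg_init, _ = read_tlv(body, pos)      # [0] NegTokenInit
    _, seq, _ = read_tlv(neg_init, 0)         # SEQUENCE { [0] mechTypes, ... }
    _, mech_list, _ = read_tlv(seq, 0)        # [0] mechTypes
    _, mech_seq, _ = read_tlv(mech_list, 0)   # SEQUENCE OF MechType
    if not mech_seq:
        return "UNKNOWN"
    _, first, _ = read_tlv(mech_seq, 0)       # first entry is the client's preference
    return MECH_NAMES.get(first, "OTHER")


def next_step(authorization: str | None, realm: str, over_tls: bool) -> tuple[str, list[str]]:
    """Decide what the server does with one request: (action, WWW-Authenticate values).

    Basic is only ever offered over TLS; it carries the password base64-encoded in the clear.
    """
    basic = [f'Basic realm="{realm}"'] if over_tls else []
    if not authorization:
        return "challenge", ["Negotiate"] + basic
    scheme, _, param = authorization.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "verify-password", []          # hand to the password login module
    if scheme != "negotiate":
        return "challenge", ["Negotiate"] + basic
    mech = preferred_mechanism(param.strip())
    if mech in ("KRB5", "MS-KRB5"):
        return "gss-accept", []               # hand the token to the Kerberos acceptor
    if basic:
        return "challenge", basic             # NTLM or unknown: fall back to Basic
    return "reject", []                       # no safe fallback without TLS


def neg_token_init(mech_types: list[bytes], mech_token: bytes) -> bytes:
    """Build a GSS InitialContextToken carrying a SPNEGO NegTokenInit (RFC 4178 section 4.2)."""
    mech_list = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_types)))
    token = der(0xA2, der(0x04, mech_token))  # [2] mechToken
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, der(0x30, mech_list + token)))


# Constructed sample tokens, not captured traffic. The Kerberos mechToken is a
# placeholder; a real client would send an AP-REQ there.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + (0x00088207).to_bytes(4, "little") + bytes(16)
DOMAIN_TOKEN = base64.b64encode(
    neg_token_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"<placeholder AP-REQ>")).decode()
NON_DOMAIN_TOKEN = base64.b64encode(neg_token_init([OID_NTLMSSP], NTLM_TYPE1)).decode()
RAW_NTLM_TOKEN = base64.b64encode(NTLM_TYPE1).decode()

if __name__ == "__main__":
    for label, token in [("domain PC", DOMAIN_TOKEN), ("phone/Internet", NON_DOMAIN_TOKEN), ("raw NTLM", RAW_NTLM_TOKEN)]:
        print(label, preferred_mechanism(token), next_step("Negotiate " + token, "EXAMPLE.COM", True))
```

Two points carry over to the real deployment. First, the server cannot know whether the client will manage Kerberos until the first Negotiate token arrives, so the fallback is a second 401 after that token, not something decided on the first request; that is the round where the question's SPNEGOLoginModule throws instead of re-challenging, and what the web.xml option above is meant to cover. Second, whichever mechanism does the fallback, Basic only belongs on an HTTPS listener: a phone on the wider Internet sending `Authorization: Basic` over plain HTTP hands its domain password to anyone on the path.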
