I'm implementing SPNEGO SSO authentication on a Linux Tomcat 7.0 installation and following the example at: http://spnego.sourceforge.net/index.html fairly well. I passed the pre-flight checklist with flying colors and actually have it working with the 'BASIC' ticket in Firefox being passed back and forth.
However, when using the "Negotiate" Authorization header I'm getting the following error message in catalina.out:
INFO: Error parsing HTTP request header
This occurs with both IE and when simulating the request in soapUI. The response sent back to both is:
400 Bad Request
As I said, it is working in Firefox, but only partially, in that it prompts for a login there, then proceeds with the "Basic" authentication. (At least it does until I turn it off in the web.xml filter configs, so I know those configs are being read.)
I'm using the following enctypes:
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc arcfour-hmac-md5
I suspect it has something to do with the 256 encryption, but I did download the unrestricted encryption jars and put them into my java lib/security folder, as described in the following:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/jgss-features.html
However, that did fix the issue (unless there is something there I am missing). I have searched extensively for the 'Error parsing...' HTTP error which shows up in the catalina.out file, but have not found the solution. The other settings (realm, domain, etc.) seem to be working fine, as I have modified them and gotten different, more specific errors.
Any ideas on the INFO: Error parsing HTTP request header
error?
This is an internal corporate environment, and SSO has already been successfully implemented with httpd but we would like to move away from that to an all-tomcat solution.