I was using Internet Explorer and had added the IP address of the domain
controller/Tomcat server to the trusted sites list in the Intranet zone. I was
not using HTTPS. I was using a Windows 8 client VM to talk to a Windows Server
2012 VM.
I have now tried Firefox with SPNEGO and can confirm that with this setup I get
similar logs, and the HTTP header WWW-Authenticate: Negotiate is sent.
In this test I do not get a popup prompt, but I still get a 401 HTTP status.

almBase.hasUserDataPermission User data constraint has no restrictions
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=160
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=160
>>> KrbKdcReq send: #bytes read=185
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
     sTime is Tue Mar 24 15:06:51 GMT 2015 1427209611000
     suSec is 507817
     error code is 25
     error Message is Additional pre-authentication required
     sname is krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL
     eData provided.
     msgType is 30
>>>Pre-Authentication Data:
     PA-DATA type = 11
     PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
     PA-DATA type = 19
     PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
     PA-DATA type = 2
     PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
     PA-DATA type = 16
>>>Pre-Authentication Data:
     PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
default etypes for default_tkt_enctypes: 23 18 17.
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
default etypes for default_tkt_enctypes: 23 18 17.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local UDP:88, timeout=30000,Attempt =1, #bytes=243
>>> KrbKdcReq send: #bytes read=100
>>> KrbKdcReq send: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000, number of retries =3, #bytes=243
>>> KDCCommunication: kdc=Server2012dc.kerbtest.local TCP:88, timeout=30000,Attempt =1, #bytes=243
>>>DEBUG: TCPClient reading 1467 bytes
>>> KrbKdcReq send: #bytes read=1467
>>> KdcAccessibility: remove Server2012dc.kerbtest.local:88
Looking for keys for: HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Added key: 23version: 7
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/tc01.kerbtest.local
Search Subject for SPNEGO ACCEPT cred (<<DEF>>, sun.security.jgss.spnego.SpNegoCredElement)
Search Subject for Kerberos V5 ACCEPT cred (<<DEF>>, sun.security.jgss.krb5.Krb5AcceptCredential)
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found KeyTab C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\tc01.keytab for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL
Found ticket for HTTP/tc01.kerbtest.local@KERBTEST.LOCAL to go to krbtgt/KERBTEST.LOCAL@KERBTEST.LOCAL expiring on Wed Mar 25 01:06:51 GMT 2015