We recently introduced Kerberos (SPNEGO) Single Sign-on in our web-portal, and tested it on a
Windows network with
Windows 2003 domain controller.
Now, trying to test it on
Windows 2008 R2 controlled network, SSO just doesn't work due to defective tokens. Up to the moment I was pretty sure that there's something wrong about environment and that were NTLM tokens. We double checked IE settings etc, but nothing helped. Then we checked the following settings for both users (logged on a client test-machine, and the one used as a Service Principal):
This account supports Kerberos AES 128 bit encryption.
This account supports Kerberos AES 256 bit encryption.
.. and error message changed to '
GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)
It makes me think that Internet Explorer receives Kerberos tokens at all times, and there's just some configuration missing, or it was ktpass.exe to be incorrectly executed. Here's how ktpass.exe was invoked:
C:ktpass /out portal1.keytab /mapuser USER /princ
HTTP/
[email protected] /pass *