Ace

I have run into this proble many  times. This happens each time I change the password of the user account under which I have set the SPNs for my WebLogic Server instance.  When I checked wireshark traces, I could see browser sending a SPNEGO token to WebLogic, and this token had kvno as "6". But when I checked my keytab file (on WebLogic side, using command " klist -ke -t mac5keytab "), I could see "5" as kvno againt HTTP principal. Digging deeper, I used "ADSIEdit.msc" on my AD server and opened the user account and could see the value of attribute "msDS-KeyVersionNumber" was "6". So password change increments this attribute value and browser sends the latest "kvno" (in agreement with KDC, I suppose). I also ran into the same error when I enrolled a windows 2008 R2 server with Windows 2003 (here my AD and KDC are located). This happened even when I had used a total different user account during enroll process.

Oracle Java SE 1.6 has an inbuild HTTP client that now supports SPNEGO Negotiate HTTP authentication scheme, with the Kerberos as well as NTLM mechanism. We can harness this client and use it in place of Internet Explorer (IE) to troubleshoot Kerberos SSO issues against Weblogic instance. This makes sense as one faces great challenge in making IE run in debug mode so that one can see what is going on behind the scene. Using JSE HTTP client, we can enable debug flags and see lot of "relevant" information easily. Here you go! 1. We will code a simple JAVA class that will use JSE 1.6 HTTP API (to turn itself into an HTTP client). Here is the sample class: 1: import java.io.BufferedReader; 2: import java.io.InputStream; 3: import java.io.InputStreamReader; 4: import java.net.URL; 5: import java.net.CookieHandler; 6: import java.net.CookieManager; 7: import java.net.CookiePolicy; 8: public class JSEHTTPClient{ 9: public static void main(S

No room for confusion! Kerberos – It is a computer network authentication protocol, which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner. SPNEGO – Stands for "Simple and Protected GSS-API Negotiation Mechanism", and is a pseudo security mechanism that enables GSS-API peers to determine in-band whether their credentials support a common set of one or more GSS-API security mechanisms; if so, it invokes the normal security context establishment for a selected common security mechanism. The primary intention of SPNEGO is to allow a client and server to negotiate a security mechanism for authentication. KDC – Stands for Key Distribution Center. It is the authentication server in a Kerberos environment. Its function is to distribute tickets  for access to the services. Generally, the KDC is composed of three parts: Database as the container for entries associated with the users and services, Authenticat