
401 SPNEGO SSO with Linux client

I can’t manage to configure my Ubuntu VM to single sign on to my Spring Security web application using SPNEGO. Did I do anything wrong or am I missing something?

I already got to SSO on a Windows 7 VM, so I believe it’s Linux specific.

My configuration is detailed below.


I have four machines running on two different hardware hosts:

  1. the KDC VM running Windows Server 2008 (hardware A)
  2. the one running the Tomcat 7 web application (hardware A)
  3. the Windows 7 client VM, on which SSO works (hardware B)
  4. the Ubuntu 17.10.1 client VM, on which SSO doesn’t work (hardware B)


My SPN, krb5.ini and login.conf were based on this thread’s description.


I basically followed the Spring Security Kerberos – Reference Documentation, except for removing form login, resulting in:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // SPN of the Tomcat service (HTTP/<host>@<REALM>) and the keytab holding its key
    @Value("${app.service-principal}")
    private String servicePrincipal;

    @Value("${app.keytab-location}")
    private String keytabLocation;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        AffirmativeBased affirmativeBased = new AffirmativeBased(
                Arrays.asList(new RoleVoter(), new WebExpressionVoter()));
        http
            // Unauthenticated requests are answered with 401 and "WWW-Authenticate: Negotiate"
            .exceptionHandling().authenticationEntryPoint(entryPoint()).and()
            .authorizeRequests().accessDecisionManager(affirmativeBased)
                .anyRequest().authenticated().and()
            .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).permitAll().and()
            // No form login: the SPNEGO filter consumes the browser's Negotiate token
            .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()),
                    BasicAuthenticationFilter.class);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
    }

    @Bean
    public SpnegoEntryPoint entryPoint() {
        return new SpnegoEntryPoint();
    }

    @Bean
    public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
        // LoginKerberosAuthentication is the application's own class, assumed to
        // extend KerberosAuthenticationProvider (its source is not shown here)
        LoginKerberosAuthentication provider = new LoginKerberosAuthentication();
        SunJaasKerberosClient client = new SunJaasKerberosClient();
        provider.setKerberosClient(client);
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(
            AuthenticationManager authenticationManager) {
        SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
        filter.setAuthenticationManager(authenticationManager);
        return filter;
    }

    @Bean
    public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(sunJaasKerberosTicketValidator());
        provider.setUserDetailsService(usuarioDetailsService());
        return provider;
    }

    @Bean
    public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
        // Validates the service ticket inside the Negotiate token against the keytab
        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(servicePrincipal);
        ticketValidator.setKeyTabLocation(new FileSystemResource(keytabLocation));
        return ticketValidator;
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public UsuarioDetailsService usuarioDetailsService() {
        return new UsuarioDetailsService();
    }
}
Ubuntu client

To join the domain I followed the steps:

sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit

sudo realm join COMPANY.local -U 'administrator@COMPANY.LOCAL' -v

until I was able to generate a Kerberos ticket with:

kinit my_ubuntu_user@COMPANY.local

I checked the cache with klist, which output:

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_ubuntu_user@COMPANY.local

Valid starting        Expires                Service principal
30/10/2018 17:25:47   31/10/2018 03:25:47    krbtgt/COMPANY.local@COMPANY.local
            renew until 31/10/2018 17:25:43

And lastly, I authenticated successfully using:

sudo su my_ubuntu_user@COMPANY.local

SSO – the problem

When I try to access my application homepage using Firefox (with the trusted-sites configuration), just as I do with the Windows 7 client, I only get the 401 Negotiate header and no response token is sent. Meaning that, when I pass an actual URL to the SpnegoEntryPoint constructor, I get redirected to that fallback.

Thank you in advance



Thanks to Samson’s comment I was able to make it work.

I was indeed switching to an empty cache by doing sudo su my_ubuntu_user@COMPANY.local, which made my application’s login respond 401.
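A small POSIX sh check for the failure mode described above, added here as an example (it is not code from the question). It assumes the default MIT cache naming FILE:/tmp/krb5cc_<uid>, takes the realm, the uid of the session that runs the browser and captured klist output as arguments, and uses constructed sample klist output modelled on the question.

```shell
#!/bin/sh
# Added example: verify that the credential cache a shell sees is the one the
# desktop session running the browser reads. Assumption: default MIT naming
# FILE:/tmp/krb5cc_<uid>; realm, uid and klist output are passed as arguments.

# Return 0 if KLIST_OUT shows a TGT for REALM in the default cache of a session
# with uid SESSION_UID; otherwise print why and return non-zero.
krb_cache_ok() {
    realm="$1"; session_uid="$2"; klist_out="$3"

    cache=$(printf '%s\n' "$klist_out" | sed -n 's/^Ticket cache: //p')
    principal=$(printf '%s\n' "$klist_out" | sed -n 's/^Default principal: //p')

    # After "sudo su user@REALM" the shell's uid changes, so klist there reads
    # /tmp/krb5cc_<other uid>, not the cache Firefox's session uses.
    case "$cache" in
        "FILE:/tmp/krb5cc_${session_uid}"|"FILE:/tmp/krb5cc_${session_uid}_"*) ;;
        *) echo "cache '$cache' is not the default cache for uid $session_uid" >&2; return 1 ;;
    esac
    case "$principal" in
        *"@$realm") ;;
        *) echo "principal '$principal' is not in realm $realm" >&2; return 2 ;;
    esac
    # The browser can only answer "401 Negotiate" if it holds a TGT for the realm.
    printf '%s\n' "$klist_out" | grep -qF "krbtgt/$realm@$realm" \
        || { echo "no TGT (krbtgt/$realm@$realm) in cache" >&2; return 3; }
    return 0
}

# Constructed sample: the klist output quoted in the question (uid 1000 session).
SAMPLE_KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: my_ubuntu_user@COMPANY.local

Valid starting        Expires                Service principal
30/10/2018 17:25:47   31/10/2018 03:25:47    krbtgt/COMPANY.local@COMPANY.local
            renew until 31/10/2018 17:25:43'

# Constructed sample: what a shell opened with "sudo su my_ubuntu_user@COMPANY.local"
# may see, i.e. a different uid and therefore a different, empty default cache.
SAMPLE_KLIST_AFTER_SU='klist: No credentials cache found (filename: /tmp/krb5cc_1234567)'

if [ "${1:-}" = "--live" ]; then
    # Real check, run from the shell that launches the browser: ./check.sh --live COMPANY.local
    krb_cache_ok "${2:-COMPANY.local}" "$(id -u)" "$(klist 2>&1)" && echo "cache OK"
else
    krb_cache_ok COMPANY.local 1000 "$SAMPLE_KLIST_OK" && echo "sample 1: cache OK"
    krb_cache_ok COMPANY.local 1000 "$SAMPLE_KLIST_AFTER_SU" || echo "sample 2: browser would get 401"
fi
```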
