[jcifs] kerberos debug tool

Asaf Mesika asaf.mesika at gmail.com
Wed Apr 9 07:35:35 GMT 2008


Ooohh, the painful Kerberos issue, we've been dealing with here for the past
two months.

Here's what we've done to debug the IE and Kerberos issues:

*Step 1: Install Wireshark on the client machine.*
This software will be able to monitor all HTTP requests and responses sent
back and forth between your server, and between Active Directory and your
client machine.

Active directory filter: ip.port == 88 && http
Using this filter you will be able to see if IE requests a Service Ticket
for your application server, from the Active Directory.
If it does, and receives a "No such Service registered in Active Directory"
type response (from AD), you should do the following:
- Make sure you've used the fully qualified name of your application server,
when you've created the SPN in Active Directory (usually done using the
ktpass.exe utility). For example: appserver.ibm.com.
If it does, and receives a Service Ticket - then you've got a problem, since
I don't think it happened to us.

Well, no more steps to solve this issue (there are more, but related to
debugging the Kerberos Login Module by Sun).

Asaf

On Wed, Apr 9, 2008 at 10:17 AM, Rohnny Moland <rmoland at gmail.com> wrote:

> Hi,
>
> Are any of you aware of a tool for debugging kerberos in internet
> explorer? Or a howto on how to set up kerberos in firefox 2. Kerberos
> seems to work fine between my linux box (kerberos "client" where I run
> my j2ee application) and windows 2003 server running active directory
> service. I can run both kinit HTTP/sam08-linux.TESTDOMAIN and kinit -k
> -t /usr/local/kerberos/ldap_jaas.keytab HTTP/sam08-linux.testdomain
> from my linux box.
>
> What I have done in IE 6 is:
> - enabled integrated windows authentication in the advanced tab
> - enabled automatic login in intranet zone
> - added the website of my linux box as a local intranet site
>
> I have also set 3 system properties in java for my app server:
> -Djava.security.krb5.conf=/etc/krb5.conf
> -Djava.security.krb5.kdc=10.10.10.22
> -Djava.security.krb5.realm=TESTDOMAIN
>
> But I am totally lost how I can debug this. After trying to switch
> from ntlm authentication to kerberos, my internet explorer pops up a
> dialog box asking me to enter username/password. I assume this must be
> because it cannot get the kerberos ticket somehow.
>
> Kind regards,
> Rohnny
>