Hello,
I am having problems using Kerberos authentication with my thick Java client web service application. Previously I was only using NTLM, which worked fine. I used this guide from Sun to set up the NTLM part, which has me writing an extension of the Authenticator: http://java.sun.com/javase/6/docs/technotes/guides/net/http-auth.html. The Authenticator extension is working like a charm for NTLM, but now I need to use Kerberos in a Domain Controller environment. I'm using the same guide, which covers Kerberos and SPNEGO, but the details are a little sketchy. Still, I have my krb5.conf file in place and I've confirmed that my getPasswordAuthentication method is being invoked for the "Negotiate" scheme. I have Wireshark to monitor the packets sent and received. Here is the request and response from my client:
GET /MyServer/Service1.asmx?wsdl HTTP/1.1
User-Agent: Java/1.6.0_06
Host: serverbox
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
HTTP/1.1 401 Unauthorized
Content-Length: 83
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
X-Powered-By: ASP.NET
Date: Tue, 21 Oct 2008 16:34:50 GMT
<html><head><title>Error</title></head><body>Error: Access is Denied.</body></html>
The problem I see is that Java never makes another request after the 401 message. It will then fall back on NTLM authentication which works. But for other reasons I must use Kerberos.
In the getPasswordAuthentication() method I'm calling some base Authenticator methods for debug. When using Kerberos the values of these look like:
getRequestingHost() returns null
getRequestingPort() returns 0
getRequestingPrompt() returns null
getRequestingProtocol() returns null
getRequestingScheme() returns "Negotiate"
getRequestingURL() returns null
getRequestingSite() returns null
getRequestorType() returns "Server"
Does this look correct in the case of Kerberos? When using NTLM the same methods return more substantial values (instead of just null).
I have debug turned on, and here is some output when trying to invoke a web service method:
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=domainName UDP:88, timeout=30000, number of retries =3, #bytes=145
[Krb5LoginModule] authentication failed
I have a krb5.conf file that contains this:
[libdefaults]
default_realm = AD.LOCAL
[realms]
AD.LOCAL = {
    kdc = domainName
}
And I have a java.security.auth.login.config file that contains this:
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=false
        debug=true
        useTicketCache=true;
};
Here is more complete output:
Debug is true storeKey false useTicketCache true useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
KinitOptions cache name is C:\Documents and Settings\Administrator\krb5cc_tap_dev
Acquire default native Credentials
Found no TGT's in LSA
Principal is null
null credentials from Ticket Cache
MyAuthenticator:Request Report: Requesting:
host:null
Port:0
Prompt:null
Protocol:null
Scheme:Negotiate
URL:null
site:null
type:SERVER
[Krb5LoginModule] user entered username: domainName\username
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17.
KrbAsReq calling createMessage
KrbAsReq in createMessage
KrbKdcReq send: kdc=domainName UDP:88, timeout=30000, number of retries =3, #bytes=145
[Krb5LoginModule] authentication failed
So it seems as if the system is recognizing my configuration, and the Authenticator is being invoked for the Negotiate scheme, but I can't figure out why Java is not making a Kerberos request with the username/pwd from my Authenticator, and why the authentication failed.
What is the handshake supposed to look like for the Negotiate scheme to succeed?
Does anything I'm doing in the configuration stand out as wrong?
Thanks,
Andrew
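As an added diagnostic example (not from the original post), the following stand-alone Java program runs the same JAAS login entry outside the HTTP stack and then asks JGSS for the SPNEGO token that a successful Negotiate handshake carries in the client's second request (Authorization: Negotiate <base64>), which separates the failing AS exchange from the Authenticator plumbing. It assumes the krb5.conf and login config shown above are supplied via -Djava.security.krb5.conf and -Djava.security.auth.login.config; the service name HTTP@serverbox and the user principal are placeholders that must be replaced with the SPN registered in AD and the real account.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.xml.bind.DatatypeConverter;   // Java 6-10; on Java 8+ java.util.Base64 also works
import org.ietf.jgss.*;

public class NegotiateHandshakeCheck {
    // Step 1 of the handshake: the JAAS login (AS exchange with the KDC) must yield a TGT.
    // This is the step that fails in the debug output above, so it is isolated here.
    static Subject login(final String user, final char[] password) throws Exception {
        LoginContext lc = new LoginContext("com.sun.security.jgss.krb5.initiate",
            new CallbackHandler() {
                public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                    for (Callback cb : callbacks) {
                        if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                        else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                        else throw new UnsupportedCallbackException(cb);
                    }
                }
            });
        lc.login();                 // throws LoginException if the AS-REQ is rejected or unanswered
        return lc.getSubject();     // on success holds the TGT as a KerberosTicket private credential
    }

    // Step 2: with a TGT, JGSS performs the TGS exchange for the HTTP service ticket and
    // wraps it in the SPNEGO token the client sends as "Authorization: Negotiate <base64>".
    static byte[] initialToken(Subject subject, final String hostBasedService) throws Exception {
        return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
            public byte[] run() throws GSSException {
                Oid spnego = new Oid("1.3.6.1.5.5.2");   // SPNEGO mechanism OID
                GSSManager mgr = GSSManager.getInstance();
                GSSName server = mgr.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(server, spnego, null, GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(true);             // expect the server's reply token on the 200
                return ctx.initSecContext(new byte[0], 0, 0);
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // Run with: java -Djava.security.krb5.conf=krb5.conf \
        //   -Djava.security.auth.login.config=login.conf NegotiateHandshakeCheck <password>
        // Placeholder principal: Kerberos expects user@REALM (or a bare user, which gets
        // default_realm appended), not the NTLM-style DOMAIN\user form.
        String user = "username@AD.LOCAL";
        Subject subject = login(user, args.length > 0 ? args[0].toCharArray() : new char[0]);
        byte[] token = initialToken(subject, "HTTP@serverbox");   // placeholder SPN host
        System.out.println("Authorization: Negotiate " + DatatypeConverter.printBase64Binary(token));
    }
}
```

On success the HTTP exchange is: the 401 with WWW-Authenticate: Negotiate shown above, then the same GET repeated with the Authorization header this program prints, then a 200 whose WWW-Authenticate: Negotiate <token> completes mutual authentication. If login() throws, the problem lies in the Kerberos configuration, KDC reachability or principal name rather than in the Authenticator.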