2
votes

I am using kerberos/spnego(KerberosServiceAuthenticationProvider) authentication with spring security to authenticate users from Active directory services performing Single Sign On.

I am able to authenticate the user and access the application. I want to implement the logout functionality, without closing the browser.

Is there any way to expire Kerberos ticket?


3 Answers

2
votes

The service ticket resides in the client's ticket cache ... I doubt this can be cleared up by server-side code or code run in a browser.

'SPNEGO' is actually a kind of 'auto login' ...

1
votes

This is not necessary because the client-supplied ticket auto-expires. After you have established the context with the client, the ticket is worthless. Every reasonable client initiates the context with replay detection, i.e., the server will detect that the ticket is resent and will signal an exception. Moreover, do not worry about the ticket cache on the client, this isn't your business.

0
votes

In general the answer is no. And from any code you can execute in a browser the answer is hell no.

The whole point of single sign on is that you sign on once and the credentials are valid until the Kerberos credential times out or is destroyed (i.e. logout).

There are various games you can play with cookies to attempt to implement logging out of just this app, but they don't really work that effectively and add a lot of complexity to the application.

If you really need log out from just this app, then you should not be using SPNEGO.
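As an added illustration of what the answers above mean in practice (this is example code, not taken from the question or any answer), the most a Spring Security application can do is an app-local logout: drop its own session and cookie, and keep the post-logout page anonymous so the browser is not immediately challenged with Negotiate again. It is written against the Spring Security 6 lambda DSL and the spring-security-kerberos classes the question names; the SPN, keytab path and URLs are assumed values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SpnegoLogoutConfig {
    // Assumed deployment values; replace with the application's real SPN and keytab.
    private static final String SPN = "HTTP/app.example.com@EXAMPLE.COM";
    private static final String KEYTAB = "/etc/app/app.keytab";

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        SunJaasKerberosTicketValidator validator = new SunJaasKerberosTicketValidator();
        validator.setServicePrincipal(SPN);
        validator.setKeyTabLocation(new FileSystemResource(KEYTAB));
        validator.afterPropertiesSet(); // performs the JAAS keytab login
        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
        provider.setTicketValidator(validator);
        // Minimal mapping for the example: every validated principal becomes ROLE_USER.
        provider.setUserDetailsService(name -> new User(name, "", AuthorityUtils.createAuthorityList("ROLE_USER")));
        provider.afterPropertiesSet();
        SpnegoAuthenticationProcessingFilter spnego = new SpnegoAuthenticationProcessingFilter();
        spnego.setAuthenticationManager(new ProviderManager(provider));
        spnego.afterPropertiesSet();

        http.authorizeHttpRequests(auth -> auth
                // Must stay anonymous: a protected page would answer 401 Negotiate and
                // the browser would silently sign the user back in from its ticket cache.
                .requestMatchers("/logged-out").permitAll()
                .anyRequest().authenticated())
            .exceptionHandling(ex -> ex.authenticationEntryPoint(new SpnegoEntryPoint()))
            .addFilterBefore(spnego, BasicAuthenticationFilter.class)
            .logout(logout -> logout.logoutUrl("/logout")
                // All the server can do: drop its own session and cookie. The TGT and
                // service ticket in the client's cache are untouched and still valid.
                .invalidateHttpSession(true).clearAuthentication(true)
                .deleteCookies("JSESSIONID").logoutSuccessUrl("/logged-out"));
        return http.build();
    }
}
```

Any later request to a protected URL will be challenged again and, as the answers say, the browser will re-authenticate from its cached credentials without prompting.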