I'm having a problem setting up SSO for the intranet websites. Currently I'm working with Tomcat 8.0 and Waffle 1.8.4. They work great, but there is only one problem: the browsers (Firefox and IE, after the settings were applied as described here and here) cannot do Kerberos authentication, only NTLM.
I analyzed the traffic with Wireshark: Tomcat sends the HTTP header field "WWW-Authenticate" and the browser answers with a base64-encoded string in the header field "Authentication" that contains NTLMSSP. I guess this is not Kerberos, or is it?
I read a post (WWW-Authenticate uses NTLM and not Kerberos) saying that for Kerberos to work, the server has to be registered in the AD with the command setspn.exe. I tried to get the right syntax for setspn (described here), but without any luck. The server has the following parameters:
IP: 10.0.0.1
Service: Tomcat-Http
Port: 8080
Accountname: company-net\foobar
I use this command for setspn:
setspn -A "HTTP/10.0.0.1:8080 company-net\foobar"
but it does not work. Both the server and the client are in the same Windows domain, using Windows 10.
What is wrong with it?
Do I need anything else?
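
Added example, not part of the original post: a small Python classifier that decodes the base64 token from a captured header value and reports whether it carries raw NTLM or a GSS-API/SPNEGO token that prefers Kerberos. The sample tokens are constructed for illustration, the function and variable names are hypothetical, and the OID byte search is a heuristic that covers the first client token only.

```python
import base64
import struct

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value).
SPNEGO = bytes.fromhex("06062b0601050502")               # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")           # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")        # 1.2.840.48018.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")     # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "Kerberos", MS_KRB5: "Kerberos", NTLM_OID: "NTLM"}


def classify(header_value):
    """Return (scheme, mechanism, detail) for a 'Negotiate <b64>' or 'NTLM <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme, "invalid", "token is not valid base64"
    # Raw NTLM: 8-byte signature followed by a little-endian message type.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return scheme, "NTLM", f"raw NTLMSSP message type {msg_type}"
    # 0x60 opens a GSS-API initial token. Heuristic: the known mechanism OID
    # that appears first is the one the client prefers (mechTypes are ordered).
    if token[:1] == b"\x60":
        hits = sorted((token.find(oid), name) for oid, name in MECHS.items() if oid in token)
        if hits:
            pos, name = hits[0]
            wrapper = "SPNEGO" if SPNEGO in token[:pos] else "bare GSS-API"
            return scheme, name, f"{wrapper} token; first mechanism OID is {name}"
    return scheme, "unknown", "neither NTLMSSP nor a recognised GSS-API token"


# Constructed samples (not captured traffic): an NTLM type 1 message, and a
# SPNEGO NegTokenInit that lists Kerberos then NTLM and carries no ticket.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<II", 1, 0xA2088207)).decode()
SAMPLE_KRB = "Negotiate " + base64.b64encode(
    b"\x60\x27" + SPNEGO + b"\xa0\x1d\x30\x1b\xa0\x19\x30\x17" + MS_KRB5 + NTLM_OID).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_KRB):
        print(classify(sample))
```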