Chrome shows ERR_UNEXPECTED when SPNEGO Kerberos authentication fails


朱飞

Jan 16, 2017, 3:58:54 AM
to CAS Community
I followed this guide to integrate my system with Windows AD, so that when someone logs on to Windows as a domain user, he can log in to CAS automatically. If the user is not a domain user, I want the system to return the normal HTML login page.

Now I have a problem: when I use a domain user, it works fine. But when I use a non-domain user, Chrome returns an ERR_UNEXPECTED error page to me. You can see in the TCP dump that the system already returns 401 and the login page HTML, but Chrome shows an error.

Can anyone give me some suggestions?

JVM: 1.8.0_111

cas-server-core: 3.3

cas-server-support-spnego: 3.3

Chrome: 55

TCP dump stream from Wireshark (non-domain user)

    GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
    Host: server.ictsm.com:8080
    Connection: keep-alive
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    DNT: 1
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

    HTTP/1.1 401 Unauthorized
    Server: nginx
    Date: Mon, 16 Jan 2017 07:19:00 GMT
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache
    WWW-Authenticate: NTLM
    WWW-Authenticate: Negotiate
    Content-Language: zh-CN

    my login page html

    GET /cas/login?service=http%3A%2F%2Fserver.ictsm.com%3A8080%2Fapp%2F&_validateRequest_=7RBrB6AIqjijhw5c4LjTBvc1vjpHJHWafif1MXGmMr8ZyI22thbzCtqTYkCUfKOn HTTP/1.1
    Connection: keep-alive
    Cache-Control: max-age=0
    Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    DNT: 1
    Accept-Encoding: gzip, deflate, sdch
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: JSESSIONID=3A632B243F57094E9468F972D2BE2E04A48835CCEE575DC9F8B2527FA81E23AD6D48BBF69A6D35623080096949F1FB8092F4

    HTTP/1.1 401 Unauthorized
    Server: nginx
    Date: Mon, 16 Jan 2017 07:19:00 GMT
    Content-Type: text/html;charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Cache-Control: no-cache
    WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA==
    Content-Language: zh-CN

    my login page html
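
The two `Negotiate` tokens in the capture above can be decoded to see which mechanism each side actually sent. This Python sketch is an added example, not part of the original post or of CAS; the function name `classify_negotiate` and the minimal SPNEGO sample are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # DER encoding of 1.3.6.1.5.5.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def classify_negotiate(header_value):
    """Report which mechanism a Negotiate header value actually carries."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return {"mechanism": "none"}  # bare challenge or another scheme
    raw = base64.b64decode(token.strip())
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 12:
        (msg_type,) = struct.unpack_from("<I", raw, 8)
        info = {"mechanism": "NTLM", "message": NTLM_TYPES.get(msg_type, "UNKNOWN")}
        if msg_type == 2 and len(raw) >= 24:
            # CHALLENGE layout: TargetName length/max length/offset, then flags.
            length, _, offset = struct.unpack_from("<HHI", raw, 12)
            (flags,) = struct.unpack_from("<I", raw, 20)
            # Flag bit 0 (NEGOTIATE_UNICODE) selects UTF-16LE over OEM text.
            codec = "utf-16-le" if flags & 1 else "latin-1"
            info["target"] = raw[offset:offset + length].decode(codec, "replace")
        return info
    # GSS-API initial token: tag 0x60, DER length, then the mechanism OID.
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        return {"mechanism": "SPNEGO"}
    return {"mechanism": "unknown"}

# Header values copied from the capture in the post.
CLIENT_TOKEN = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
SERVER_TOKEN = "Negotiate TlRMTVNTUAACAAAAEgASADAAAAAFAoEAAAAAAAAAAAAAAAAAAAAAADoAOgBCAAAAaQBjAHQAcwBtAC4AYwBvAG0AAgASAGkAYwB0AHMAbQAuAGMAbwBtAAEAHABKAEMASQBGAFMAMQAzAF8AMQA3ADQAXwA2AEMAAAAAAA=="
# Constructed sample: the smallest GSS-API wrapper that names the SPNEGO OID.
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(
    b"\x60\x0a" + SPNEGO_OID + b"\xa0\x00").decode()

if __name__ == "__main__":
    for label, value in (("client", CLIENT_TOKEN), ("server", SERVER_TOKEN),
                         ("spnego sample", SPNEGO_SAMPLE)):
        print(label, classify_negotiate(value))
```

Run against the capture, both tokens decode as raw NTLMSSP messages (a NEGOTIATE from Chrome and a CHALLENGE from the server) rather than GSS-API-wrapped SPNEGO tokens.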
