Hi All,
Some information for other users who might encounter this behavior.
If you are developing a network client in .NET in which you want automatic authentication from Kerberos, for example using this code:
Do NOT set the following option on your .NET client WebRequest:
request.ProtocolVersion = HttpVersion.Version10;
Otherwise Tomcat + Waffle filter will not be able to validate the token and will return a 401:
DEBUG w.servlet.NegotiateSecurityFilter - GET /waffle-filter/index.jsp, contentlength: -1
DEBUG w.s.s.NegotiateSecurityFilterProvider - security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:52440
DEBUG w.s.s.NegotiateSecurityFilterProvider - token buffer: 121 byte(s)
WARN w.servlet.NegotiateSecurityFilter - error logging in user: The token supplied to the function is not valid
Adding more debug code in WindowsAuthProviderImpl.acceptSecurityToken indicates Secur32.INSTANCE.AcceptSecurityContext returns error code 80090308.
Worth noting that the same .NET client would work and be authenticated properly with IIS Windows authentication, which might circumvent the protocol limitation in another way.
It might be obvious for some of you, but I lost too much time with this as we had a legacy client in which this option had been forced :)
Olivier
PS: observed with Tomcat 6.0.35, Waffle 1.5
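
One way to spot this failure in the filter's debug output, as an added example that is not part of the original post or of Waffle. It assumes the lines of one request are logged contiguously and that the connection id has the form `address:port`; the function names are hypothetical.

```python
import re
from collections import Counter

# Log lines copied from the post above (Waffle servlet filter at DEBUG level).
SAMPLE_LOG = """\
DEBUG w.servlet.NegotiateSecurityFilter - GET /waffle-filter/index.jsp, contentlength: -1
DEBUG w.s.s.NegotiateSecurityFilterProvider - security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:52440
DEBUG w.s.s.NegotiateSecurityFilterProvider - token buffer: 121 byte(s)
WARN w.servlet.NegotiateSecurityFilter - error logging in user: The token supplied to the function is not valid
"""

REQUEST = re.compile(r"NegotiateSecurityFilter - (\w+) (\S+), contentlength:")
PACKAGE = re.compile(r"security package: (\w+), connection id: (\S+)")
TOKEN = re.compile(r"token buffer: (\d+) byte")
FAILURE = re.compile(r"error logging in user: (.+)")


def failed_handshakes(lines):
    """Return one record per authentication attempt that ended in a login error."""
    current, failures = {}, []
    for line in lines:
        if m := FAILURE.search(line):
            # The WARN line closes the attempt; keep what was seen before it.
            failures.append({**current, "error": m[1].strip()})
            current = {}
        elif m := REQUEST.search(line):
            current = {"method": m[1], "uri": m[2]}
        elif m := PACKAGE.search(line):
            current.update(package=m[1], connection=m[2])
        elif m := TOKEN.search(line):
            current["token_bytes"] = int(m[1])
    return failures


def failures_by_client(failures):
    """Count failures per client address (assumption: connection id is address:port)."""
    return Counter(f["connection"].rsplit(":", 1)[0]
                   for f in failures if "connection" in f)


if __name__ == "__main__":
    found = failed_handshakes(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(dict(failures_by_client(found)))
```

Many failures from a single client address point at one misconfigured client, such as the legacy one described in the post, rather than at a server-side problem.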