I'm getting the same error in the Windows System Log.
I'm curious if my serverrealm, servername and targetname are "normal". The same event says:
What is the dollar sign?
Why is the domain name repeated in the Servername?
Why is XYZ.COM in the name twice in targetname?
The larger context is:
I am trying the waffle-filter demo on my Win 7 dev box.
Windows SSO from any machine in the domain fails.
**********
The really weird part: I have the exact same setup on a Win Server 2012 staging box and it works.
**********
Stack on both boxes:
Waffle 1.6 on Tomcat 7, JDK 1.7.0_55 64-bit
On domain xyz.com (we have no others)
The Waffle 1.6 zip did not have guava, so I got guava-17.0.jar.
All the libs are in the tomcat/libs folder.
Tomcat 7 is installed as a service using the tomcatdev domain service account.
If I try just using tomcat, with no domain, the login check fails when I apply the change.
Web browsers on both boxes have both boxes in the intranet zone; both have Windows auth enabled.
The Win 7 box (d001233) is physical and on our 10.10 net; the Server 2012 box (rz1s) is a VM and on our 10.34 subnet.
The clocks on both machines are the same.
The error is from my Win 7 dev box.
Wireshark on the Win 7 server says (compressed for your convenience):
KRB Error: KRB5KRB_AP_ERR_MODIFIED, Server Name (Principal): tomcatdev
*One odd thing*: the date on the packet with the error message shows the correct day but says 16:14:30 for the time, when it should be about 9:30 AM.
Checked the clocks on both machines (in the taskbar) and they are the same.
Checked the time on the Kerberos error in the System Log: it says logged at 9:08 AM, but the "ServerTime" in the general information says "16:8:50".
Ah, part of the error messages is in GMT (Z?) and part is Pacific time. 8 hours minus 1 for daylight saving, I guess.
I enabled Kerberos logging and got KDC_ERR_BADOPTION when doing a failed login from another machine.
Remember, the filter demo works fine on Server 2012.
In AD, neither machine had "allow delegation" turned on.
Both tomcat services use the same service user: tomcatdev, a domain user
The spns are as follows:
setspn -L tomcatdev
HTTP/rz1s
HTTP/d001233
setspn -L d001233
RestrictedKrbHost/D001233
HOST/D001233
setspn -L rz1s
WSMAN/rz1s (what is this?)
RestrictedKrbHost/RZ1S
HOST/RZ1S
HOST/rz1s.xyz.com (caps differences should not matter, right?)
Checked for duplicate spns, nothing.
Waffle logging is turned on.
Tomcat logs/tomcat7/stdout has this on the last line:
[http-bio-80-exec-3] WARN w.servlet.NegotiateSecurityFilter - error logging in user: The handle specified is invalid
I stopped the test with the basic auth prompt still waiting in the requesting browser, btw.
I have spent the whole week learning Kerberos, Wireshark, etc., and I still can't get it to work on the Win 7 box. I've tried on another Win 7 machine and get the same problem.
I want to end the week "winning" and enjoy my weekend, please help!
I'm going to try getting a win 7 box on the VMsphere (vs physical) to control for that var (the server 2012 is a vm).
I'll have it in 10.10; then, if that doesn't work, I'll put it on 10.34.
After that I'm stumped.
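The SPN listings in the post are enough to model, offline, which Active Directory account the KDC would key a service ticket to for a given URL, and whether that matches the account Tomcat runs as. A ticket keyed to one account (for example the computer account, reached through the HOST/ mapping) but decrypted by a service running as a different account (tomcatdev) is one of the textbook causes of KRB_AP_ERR_MODIFIED, so this is the first check worth automating. The script below is an added example, not code from the original post or from the Waffle project. It copies the `setspn -L` output from the post as constructed input; the URL/service-account pairings and the assumption that the domain still uses the default sPNMappings (which map HTTP onto HOST) are illustrative assumptions, not facts from the post.

```python
"""Model which AD account a Windows KDC keys an HTTP service ticket to, from
`setspn -L` output, and compare it with the account the service runs as.
Added example; the setspn text is copied from the forum post, everything
else is an assumption for illustration."""
import re
from urllib.parse import urlparse

# Constructed input: the three `setspn -L` listings from the post, concatenated.
# The "HOST/" + "rz1s.xyz.com" line that was split in the post is rejoined here.
SETSPN_OUTPUT = """
setspn -L tomcatdev
HTTP/rz1s
HTTP/d001233
setspn -L d001233
RestrictedKrbHost/D001233
HOST/D001233
setspn -L rz1s
WSMAN/rz1s
RestrictedKrbHost/RZ1S
HOST/RZ1S
HOST/rz1s.xyz.com
"""

# Service classes that a default Windows KDC maps onto HOST/<instance> when no
# exact SPN exists (subset of the default sPNMappings attribute). Assumption:
# the domain has not customised that attribute.
HOST_MAPPED_CLASSES = {"http", "www", "cifs", "rpc", "dcom"}


def parse_setspn(text):
    """Return {spn_lowercase: [accounts]} from concatenated `setspn -L` output.

    SPNs compare case-insensitively, so keys are lowercased. A trailing '$'
    (how AD names computer accounts) is stripped from account names so that
    'D001233$' and 'd001233' are the same principal.
    """
    registry = {}
    account = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"setspn\s+-L\s+(\S+)", line, re.IGNORECASE)
        if m:
            account = m.group(1).lower().rstrip("$")
            continue
        if account is None or "/" not in line:
            continue  # not an SPN line (e.g. a setspn banner line)
        registry.setdefault(line.lower(), []).append(account)
    return registry


def duplicate_spns(registry):
    """SPNs registered to more than one account; any entry here is a fault."""
    return {spn: owners for spn, owners in registry.items() if len(owners) > 1}


def spn_for_url(url):
    """SPN a Windows HTTP client (IE/SSPI) builds: HTTP/<host exactly as typed>."""
    return f"HTTP/{urlparse(url).hostname}"


def account_for_spn(spn, registry):
    """(owner, spn_actually_matched): exact SPN first, then the HOST/ mapping."""
    spn_l = spn.lower()
    if spn_l in registry:
        return registry[spn_l][0], spn_l
    cls, _, instance = spn_l.partition("/")
    if cls in HOST_MAPPED_CLASSES:
        fallback = f"host/{instance}"
        if fallback in registry:
            return registry[fallback][0], fallback
    return None, None


def check(url, service_account, registry):
    """Return (status, detail) for a browser hitting `url` against a service
    that authenticates as `service_account`."""
    spn = spn_for_url(url)
    owner, matched = account_for_spn(spn, registry)
    if owner is None:
        return "NO_SPN", f"{spn}: no exact SPN and no HOST/ fallback; no Kerberos ticket, client falls back"
    if owner != service_account.lower().rstrip("$"):
        return "WRONG_ACCOUNT", (f"{spn}: ticket keyed to account '{owner}' via {matched}, "
                                 f"but the service decrypts as '{service_account}'")
    return "OK", f"{spn}: ticket keyed to '{owner}' via {matched}"


REGISTRY = parse_setspn(SETSPN_OUTPUT)

if __name__ == "__main__":
    print("duplicate SPNs:", duplicate_spns(REGISTRY) or "none")
    for url in ("http://d001233/", "http://d001233.xyz.com/",
                "http://rz1s/", "http://rz1s.xyz.com/"):
        print(*check(url, "tomcatdev", REGISTRY))
```

Run it as-is and the four URLs separate into three outcomes: the short-name URLs hit the HTTP/ SPNs registered to tomcatdev, the FQDN of d001233 has neither an HTTP/ nor a HOST/ SPN (only HOST/D001233 is registered), and the FQDN of rz1s resolves through HOST/rz1s.xyz.com to the computer account rather than to tomcatdev. Which of those paths a real client takes depends on the exact hostname typed into the browser, so feed the function the URLs your users actually use; and because a WRONG_ACCOUNT result is only a model of the default KDC mapping, confirm it against the Server Name in the TGS-REP in Wireshark before changing SPNs.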