I'm trying to implement Kerberos authentication on Java to use Sharepoint 2010.
Already made tons of configuration: SPN's, delegations, permissions, network.
Using org.ietf.jgss implementation of Kerberos.
Current state is the following: IE works fine, Java app works incorrectly.
Almost the only difference I have now is in Event Viewer\Windows Logs\Security.
If I log in with Internet Explorer, it shows:
An account was successfully logged on.
...
New Logon:
Security ID: COMPANYDOMAIN\myusername
Account Name: myusername
Account Domain: COMPANYDOMAIN
...
Detailed Authentication Information:
Logon Process: Kerberos
Login with my JavaApp:
An account was successfully logged on.
...
New Logon:
Security ID: ANONYMOUS LOGON ------> ???
Account Name: myusername
Account Domain: COMPANYDOMAIN.NET ------> .NET(!)
...
Detailed Authentication Information:
Logon Process: Kerberos
Using Wireshark I can see that ticket was accepted successfully at the endpoint, no difference except the size of encrypted token, even more - SharePoint does work with my java client. The question why is it working under anonymous login is different, I should switch it off somewhere.
The main question is why Security ID is "ANONYMOUS LOGON" while the account name and domain are valid? Delegation\Impersonation problems? But IE is working fine from the machine that is even out of Active Directory.
I can provide additional info if needed: network traffic, SPN's, app pools, permissions, AD configuration.
===========================
SOLVED: The problem is solved by unchecking checkbox "Do not require Kerberos pre-authentication" in Active Directory user account properties (tab Account, section Account options).
