IBM Support

PK46336: The SPNEGO trust association interceptor (TAI) receives a NTLM token instead of a SPNEGO token

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as documentation error.

Error description

  • SPNEGO works if WebSphere Application Server is running on a
Microsoft Windows server. However, SPNEGO might not work
with a UNIX-based server. On a UNIX-based server, the
SPNEGO trust association interceptor (TAI) might receive a
NTLM token on a UNIX-based server instead of a SPNEGO token.
The client, or browser, might receive a 401 error.

The root cause of this problem is multiple accounts using the
same service principle name (SPN). This problem caused the
Kerberos Key Distribution Center (KDC) to become confused. It
is likely that the KDC cannot determine which secret key to
use when encrypting the service ticket. Or, the KDC used the
wrong secret key and negotiation fails, which results in an
NTLM token being sent.

To resolve the problem, you can export an LDAP Data Interchange
Format (LDIF) file from Microsoft Active Directory and
search for multiple accounts that use the same SPN. Use the
following command: ldifde -f filename -s <name of dc>

Using the setspn -d command, you can delete the SPN for the
computer account. After that, Microsoft Internet Explorer
can send a Kerberos token using SPNEGO instead of an NTLM
token.

Local fix

  • Remove multiple service accounts from the Lightweight Directory
Access Protocol (LDAP) registry as explained.

Problem summary

  • SUMMARY
This APAR affects users of WebSphere Application Server Version
6.1 who are finding that the Web browser client sends a NTLM
token instead of a SPNEGO token to WebSphere Application Server.

PROBLEM DESCRIPTION:
The documentation does not describe the conditions under which
the Web browser client sends a NTLM token instead of a SPNEGO
token to WebSphere Application Server.

PROBLEM SUMMARY:
The Kerberos service principal name (SPN) has been defined to
Microsoft Active Directory more than once. Either another user
ID is defined with the same SPN or another user ID is defined
with the same SPN, but one SPN includes a port number. The
following categories describe these conditions:

Same SPN but with differing user IDs
setspn -a HTTP/myappserver.austin.ibm.com user1
setspn -a HTTP/myappserver.austin.ibm.com user2

Same SPN and same user IDs, but one ID is defined with a port
number
setspn -a HTTP/myappserver.austin.ibm.com user3
setspn -a HTTP/myappserver.austin.ibm.com:9080 user3
The documentation does not describe these conditions nor does
the documentation provide a method for determining these
conditions.

Problem conclusion

  • The "Problem: Single sign-on is not occurring" section within
the "SPNEGO trust association interceptor (TAI) troubleshooting
tips" topic has been updated to include the following
information in the Description section:
The Kerberos service principal name (SPN) has been defined to
the Active Directory more than once. You have either another
user ID defined with the same SPN or another user ID defined
with the same SPN with a port number defined. The following
categories describe these conditions:

Same SPN but with differing user IDs
setspn -a HTTP/myappserver.austin.ibm.com user1
setspn -a HTTP/myappserver.austin.ibm.com user2

Same SPN and same user IDs, one with a port number defined
setspn -a HTTP/myappserver.austin.ibm.com user3
setspn -a HTTP/myappserver.austin.ibm.com:9080 user3

The following information has been added to the User action
section:

If the problem is with either category of multiple SPN
definitions, then remove the extra or conflicting SPN, confirm
that the SPN is no longer registered with the Active Directory,
and then add the SPN. You can search the Active Directory for
other SPN entries that are causing multiple SPN definitions. The
following commands are useful to determine multiple SPN
definitions:

setspn ?L userid
Returns the message, cannot find account userid, if the SPN is
not registered.

setspn -L
Displays the SPNs that exist.

Date that information will be available externally to customers:
The modified documentation will be available in the 3rd quarter
update to the information centers, which is scheduled to occur
on or before September 30, 2007.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PK46336
    • 

  • Reported component name
    WEBSPH APP SERV
    • 

  • Reported component ID
    5724J0800
    • 

  • Reported release
    61S
    • 

  • Status
    CLOSED  DOC
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2007-06-01
    • 

  • Closed date
    2007-06-11
    • 

  • Last modified date
    2007-06-11
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            10 February 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback