Kerberos performs a negotiation in every request using IE
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 7.x
- Internet Explorer (IE) browser
Issue
- The Kerberos implementation executes a full negotiation in every request.
- Every time the Kerberos token is sent, a full negotiation is executed.
Resolution
CP 7.0.8 fixes JBEAP-12407 for the 7.0.x series. This bug does not affect versions 6.x or 7.1.
Root Cause
The root cause is bug JBEAP-12407. EAP 7 and Undertow changed the way login information is cached. In the case of Kerberos, if the browser sends a new token, a new verification is started and, in turn, a full negotiation is executed again.
Internet Explorer (IE) sends the authorization header in every request, which triggers the issue. Other browsers, such as Firefox, do not do this: they send the authorization header only when it is requested, and in the following requests the session cookie is used to maintain the session. Therefore the issue appears only when using IE.
Diagnostic Steps
- Activate the Java options and traces used to troubleshoot Kerberos.
- Check that the negotiation is executed every time the Kerberos token is sent.
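One way to confirm the pattern described under Root Cause from request logs, as an added example that is not part of the original article or of Red Hat's tooling: it counts requests that carry a Negotiate token even though a session already exists. The log format, session ids, addresses and function names are constructed assumptions, not an EAP default.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical format (an assumption):
#   <client> <session id or -> <Authorization scheme or -> "<request>" <status> "<agent>"
# Only the scheme is recorded; the token value itself should never be logged.
SAMPLE_LOG = """\
10.0.0.5 - - "GET /app/ HTTP/1.1" 401 "Trident/7.0"
10.0.0.5 - Negotiate "GET /app/ HTTP/1.1" 200 "Trident/7.0"
10.0.0.5 s-ie1 Negotiate "GET /app/a.css HTTP/1.1" 200 "Trident/7.0"
10.0.0.5 s-ie1 Negotiate "GET /app/b.js HTTP/1.1" 200 "Trident/7.0"
10.0.0.9 - - "GET /app/ HTTP/1.1" 401 "Firefox/52.0"
10.0.0.9 - Negotiate "GET /app/ HTTP/1.1" 200 "Firefox/52.0"
10.0.0.9 s-ff1 - "GET /app/a.css HTTP/1.1" 200 "Firefox/52.0"
10.0.0.9 s-ff1 - "GET /app/b.js HTTP/1.1" 200 "Firefox/52.0"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<session>\S+) (?P<scheme>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) "(?P<agent>[^"]*)"$'
)

def redundant_negotiations(log_text):
    """Per session, count requests and how many of them re-sent a token.

    Returns {session_id: {"agent": str, "total": int, "with_token": int}}.
    """
    sessions = defaultdict(lambda: {"agent": "", "total": 0, "with_token": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["session"] == "-":
            continue  # unparsable line, or the initial handshake (no session yet)
        entry = sessions[m["session"]]
        entry["agent"] = m["agent"]
        entry["total"] += 1
        if m["scheme"].lower() == "negotiate":
            entry["with_token"] += 1
    return dict(sessions)

def affected_sessions(log_text):
    """Sessions in which every request carried a token (the IE behaviour)."""
    stats = redundant_negotiations(log_text)
    return sorted(s for s, e in stats.items() if e["with_token"] == e["total"])

if __name__ == "__main__":
    for sid, e in redundant_negotiations(SAMPLE_LOG).items():
        print(sid, e["agent"], f'{e["with_token"]}/{e["total"]} requests carried a token')
```

On an affected 7.0.x server, each request counted in `with_token` corresponds to a full negotiation; sessions with a zero count match the behaviour the article describes for other browsers.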
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.