
I have a Spring app configured with Kerberos and it's working fine for users joined to the AD domain. There are other users who access the app from outside the domain, so Kerberos will not work for them and they should be prompted for user and password (HTML form).

I found that in some cases (depending on the browser) this procedure fails with a GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag).

It seems that the browser fails to use Kerberos (that's OK because the user is not joined to the domain) and tries to send an NTLM token to the app (SpnegoAuthenticationProcessingFilter:149 - Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==), which is not recognized as a valid Kerberos token, so it fails with the GSSException.

There are a lot of references to this issue on the Internet (here, here, and here), and most of them suggest fixing the Kerberos issue, but in my case this is not a Kerberos issue, because there are users that are not joined to the domain.

So, is there any way to force a fallback from Kerberos to the HTML form instead of sending the NTLM token?

This is my configuration block in spring-security.xml:

<!-- spnegoEntryPoint answers unauthenticated requests with 401 + WWW-Authenticate: Negotiate -->
<http entry-point-ref="spnegoEntryPoint" use-expressions="true">
   <intercept-url pattern="/logout" access="permitAll"/>
   <intercept-url pattern="/login" access="permitAll"/>
   <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
   <!-- HTML form fallback for users outside the domain -->
   <form-login login-page="/login"/>
   <!-- SPNEGO filter consumes the Negotiate header; runs ahead of HTTP Basic -->
   <custom-filter ref="spnegoAuthenticationProcessingFilter" before="BASIC_AUTH_FILTER" />
   <csrf disabled="true"/>
</http>
Asked by Nicolás Rossi. Edited by General Grievance.
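The failure described in the question comes from the shape of the token, not from Kerberos itself: a GSS-API initial context token (RFC 2743) starts with the DER tag 0x60 followed by a length and the mechanism OID, whereas the header the browser sent decodes to a raw NTLM NEGOTIATE_MESSAGE starting with `NTLMSSP\0`. The following is an added example, not code from the question or from Spring Security Kerberos; it is written in Python rather than Java so the token parsing can be checked stand-alone, and all names in it (`route_request`, `classify_token`, the `SAMPLE_*` constants and their placeholder bodies) are this example's own. It classifies the token before anything is handed to GSS, decides whether a request should be routed to the SPNEGO filter or to the login form, and uses the exact header value from the question as input. The same decision logic could be ported into a filter registered ahead of `spnegoAuthenticationProcessingFilter` in the configuration above.

```python
"""Classify a Negotiate header before handing it to GSS-API (added example)."""
import base64
import struct
from typing import Optional

NTLM_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded OIDs as they appear right after the 0x60 tag and length.
SPNEGO_OID = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

# The header value quoted in the question (an NTLM type-1 message).
HEADER_FROM_QUESTION = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def decode_negotiate_header(header: str) -> Optional[bytes]:
    """Return the raw token from 'Negotiate <base64>', or None if unusable."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return None
    try:
        return base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return None


def _der_length(buf: bytes, pos: int) -> Optional[tuple]:
    """Parse a DER length at buf[pos]; return (length, offset after it) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(token: bytes) -> str:
    """'ntlm', 'spnego', 'kerberos' or 'unknown'.

    GSS tokens begin with tag 0x60 (the tag GSSHeader looks for), a DER length
    and the mechanism OID. Raw NTLM begins with 'NTLMSSP\\0' instead, which is
    exactly why the GSS layer reports "did not find the right tag".
    """
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"
    if token[:1] == b"\x60":
        parsed = _der_length(token, 1)
        if parsed is not None:
            body = token[parsed[1]:]
            if body.startswith(SPNEGO_OID):
                return "spnego"
            if body.startswith(KRB5_OID) or body.startswith(MS_KRB5_OID):
                return "kerberos"
    return "unknown"


def parse_ntlm_negotiate(token: bytes) -> Optional[dict]:
    """Fields of an NTLM NEGOTIATE_MESSAGE (type 1, MS-NLMP layout), or None."""
    if not token.startswith(NTLM_SIGNATURE) or len(token) < 16:
        return None
    msg_type, flags = struct.unpack_from("<II", token, 8)
    if msg_type != 1:
        return None
    info = {"type": msg_type, "flags": flags}
    if len(token) >= 40:  # the optional Version field is present
        major, minor, build = struct.unpack_from("<BBH", token, 32)
        info["version"] = (major, minor, build)
    return info


def spnego_offers_only_ntlm(token: bytes) -> bool:
    """True when a NegTokenInit names NTLMSSP but no Kerberos mechanism.
    Assumption: a substring check is enough for routing (it is not a validator)."""
    return NTLMSSP_OID in token and KRB5_OID not in token and MS_KRB5_OID not in token


def route_request(authorization: Optional[str]) -> str:
    """What a filter placed before the SPNEGO filter should do with a request."""
    if authorization is None:
        return "challenge"       # first request: 401 + WWW-Authenticate: Negotiate
    token = decode_negotiate_header(authorization)
    if token is None:
        return "form-login"      # not a Negotiate header we can use
    kind = classify_token(token)
    if kind == "ntlm":
        return "form-login"      # raw NTLM: never hand it to GSS, redirect to /login
    if kind == "spnego" and spnego_offers_only_ntlm(token):
        return "form-login"      # NTLM wrapped in SPNEGO: same outcome
    if kind in ("spnego", "kerberos"):
        return "spnego-filter"
    return "form-login"


def _gss_frame(body: bytes) -> bytes:
    """Wrap body in an RFC 2743 InitialContextToken (short-form length only)."""
    return b"\x60" + bytes([len(body)]) + body


# Constructed samples, not captured traffic: only the GSS header is realistic,
# the bodies are placeholders (0x01 0x00 is the AP-REQ TOK_ID of RFC 4121).
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(_gss_frame(KRB5_OID + b"\x01\x00")).decode()
SAMPLE_SPNEGO_NTLM_ONLY = "Negotiate " + base64.b64encode(
    _gss_frame(SPNEGO_OID + b"\xa0\x0c" + NTLMSSP_OID)).decode()

if __name__ == "__main__":
    tok = decode_negotiate_header(HEADER_FROM_QUESTION)
    print(classify_token(tok), parse_ntlm_negotiate(tok), route_request(HEADER_FROM_QUESTION))
```

Run against the header from the question this classifies the token as `ntlm` with message type 1, negotiate flags 0xE2088297 and a Version field of 6.1 build 7601, so the request is routed to the login form instead of the GSS layer. Two caveats a deployment would have to live with: the browser only sends NTLM after it has received the 401 Negotiate challenge, so the redirect lands on the second round trip, and the NTLM-inside-SPNEGO check is a substring match on the mechanism OIDs rather than a full NegTokenInit parse.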

0 Answers