Browser Hangs when receive WWW-Authenticate: Negotiate
When IE or Chrome on Windows7 receives a response with "WWW-Authenticate: Negotiate " header it hangs for a few seconds.
I would assume it is making a network request to KDC and the request times out. It may be wrong assumption though.
Is the server keytab determines which KDC the browser queries?
Is there any way to debug this?
Thanks!
To answer your first question, avoid making the assumption that it is timing out finding a KDC - only a network capture can tell you that. While it may in fact, be doing that, it could also be failing over to using NTLM and then succeeding on that because Kerberos is broken somewhere.
To answer your second question, the keytab does not determine which KDC the browser queries. There is nothing inside a keytab which would do that. I placed an image of what an example keytab looks like at the bottom of this answer for you. Now, the KDC which gets queried is controlled by DNS. That process would only get over-ridden by values set inside a C:\Windows\krb5.ini - if that file exists - and it doesn't exist on Windows by default. To answer your last question you can debug this using Wireshark captures, filter on 'kerberos' in the WireShark search field to see what the Kerberos traffic may be doing, or not doing. That will tell you all you need to know. 
- Log out from SSO kerberos
- Kerberos kinit: Resource temporarily unavailable while getting initial credentials
- Ansible Windows Kerberos Authentification Bad HTTP response returned from server Code 500
- What TargetName to use when calling InitializeSecurityContext (Negotiate)?
- jna-Waffle interact with windows kerberos ticket cache?
- Encrypt message body using kerberos
- How to Negotiate a Kerberos/NTLM Token in Java?
- How do I use Kerberos js with options principal?
- kinit: Preauthentication failed while getting initial credentials
- Java 17 Allow RC4 HMAC while keeping allow_weak_crypto as false in krb5.conf
- Why do POST requests not work using Spnego/Kerberos authentication with Spring Security Kerberos?
- kinit: Pre-authentication failed: Permission denied while getting initial credentials
- How we can directly use kerberos ldap service ticket to authenticate with ldap and form the LDAP context
- Remove a single kerberos principal from the cache
- Kerberos SSO Issue with AD change of upns in Spring Boot Application
- Is it possible to reference a keytab from the classpath in jaas.conf?
- SASL GSSAPI: ldap_sasl_interactive_bind : Other error (80) no credentials supplied
- Python requests, Kerberos and NTLM
- Kerberos ticket validity
- Kafka Console consumer with kerberos authentication
- JDK 17 (Java 17) +Kerberos authentication fail
- Kerberos Keytab: Getting error while creating keytab for MSA on Active Directory
- Is it possible to disable Hadoop yarn PTR check when kerberos is enabled?
- In tomcat 8, How to provide file path in setenv.bat to read from java class
- How can I renew Kerberos Ticket in Windows?
- Supporting SSO for a REST API under Windows without using SPNEGO
- Can I avoid password typing using okinit utility?
- ASP.NET : impersonation breaks on second website configured on same IIS server involving same "applications" & app pool identity
- GSSAPI Negotiate authentication fails different domain DNS and Windows Active Directory
- Is there a DLL in Windows to implement Kerberos?