Hello, We have SSO software called CAS configured for SPNEGO authentication. Clients with windows XP are working correctly with IE and Firefox, authenticating users by NTLM. Clients in Windows 7 are trying to authenticate using Kerberos, and we get this error in CAS: jcifs.spnego.AuthenticationException: Error performing Kerberos authentication: java.lang.reflect.InvocationTargetException... GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)... Looking for information, I have found: "Negoex is needed by Microsoft technology for things such as active directory and can not be disabled. And the latest Java core beta-s does not yet accept it. Everything works fine with Windows XP. This problem only appears with Windows 7 or newer."(http://sourceforge.net/projects/spnego/forums/forum/1003769/topic/3763057) So, I am wondering if there is some news about that: Could NegoEx in Windows 7 be disabled to avoid Java errors? Any tweak in Java to avoid NegoEx error? Java version able to work with NegoEx? In an other way, can Windows 7 be force to use NTLM authentication for SPNEGO in Internet Explorer intead of Kerberos? Help will be apreciated.

This is a known issue of SSO and Windows 7. Microsoft releases a hotfix for this kind of issues. How to enable Windows 7 single sign-on for a website using Windows authentication http://www.andornot.com/blog/post/How-to-enable-Windows-7-single-sign-on-for-a-website-using-Windows-authentication.aspx A tip to configure SPNEGO authentication with Windows 7 http://dmdaa.wordpress.com/2010/09/04/a-tip-to-configure-spnego-authentication-with-windows-7/Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

This is a known issue of SSO and Windows 7. Microsoft releases a hotfix for this kind of issues. How to enable Windows 7 single sign-on for a website using Windows authentication http://www.andornot.com/blog/post/How-to-enable-Windows-7-single-sign-on-for-a-website-using-Windows-authentication.aspx A tip to configure SPNEGO authentication with Windows 7 http://dmdaa.wordpress.com/2010/09/04/a-tip-to-configure-spnego-authentication-with-windows-7/Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Unfortunately, what you suggest is not the solution for this case. The cure explained in http://dmdaa.wordpress.com/2010/09/04/a-tip-to-configure-spnego-authentication-with-windows-7/ has been applied with no success. To remark, clients are using Windows7 with Internet Explorer version 9.0.8112.16421 64-bit Edition. Changing "Local Security Policy > Security Settings > Local Policies > Security Options> Network security: LAN Manager authentication level" to "Send LM & NTLM responses"( and computer restarted) has no effect. Two questions: 1. Why does Windows7 sends Kerberos token (including NEGOEXTS) instead of LM & NTLM response whether the Network security: LAN Manager authentication level policy has been changed? 2. So, is there no way to use a Java SSO service in Windows 7 over Kerberos? Thanks