NIDP server returns "SPNEGO/Kerberos GSS Context already established" while running kerberos authentication

  • 7015038
  • 09-May-2014
  • 09-May-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

  • NetIQ Access Manager Identity Server has been configured for Kerberos authentication

  • All users trying to log in using the Kerberos method receive the error:
    Error processing SPNEGO/Kerberos GSS Context already established

  • The configured Kerberos fallback authentication is not executed. The fallback authentication configured on the Kerberos method is:
    FALLBACK_AUTHCLASS  com.novell.nidp.authentication.local.PasswordClass

  • The catalina.out from the NIDP server reports: "Commit Succeeded" for the kerberos authentication configuration

  • A LAN trace shows no problems retrieving a Kerberos TGT from the KDC for the NIDP server

  • The workstation sends the requested Kerberos TGS to the NIDP server


Resolution

The NIDP server could not find the user in the Active Directory directory service when it ran the required LDAP query after receiving the TGS. The User Principal Name (UPN) used for the LDAP query did not match the user's User Principal Name (UPN): the domain portion of the UPN was wrong for historical AD design reasons, as the UPN was based on an outdated design. Adding an alternate UPN suffix, which makes NIDP run an LDAP query with an "OR" condition, did not fix the problem. After changing the user's UPN to the correct value, Kerberos authentication worked fine.
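As an added illustration (not NetIQ's code), the lookup described above reduced to a script: the principal from the Kerberos TGS is mapped to a UPN, any alternate UPN suffixes are OR'ed into the userPrincipalName filter, and the lookup keeps failing until the stored UPN actually matches one of the candidates. The directory entries, DN and suffixes are constructed, and the exact way NIDP composes its filter is an assumption.

```python
"""Added illustration (not NetIQ code): the UPN lookup NIDP performs after
accepting the Kerberos TGS, run against a constructed AD snapshot."""
import re


def ldap_escape(value: str) -> str:
    """Escape filter metacharacters per RFC 4515 before placing a value in a filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)


def upn_candidates(principal: str, alt_suffixes=()) -> list:
    """Map Kerberos principal 'user@REALM' to the UPNs to search for:
    user@realm first, then user@<alternate UPN suffix> for each configured suffix."""
    user, realm = principal.rsplit('@', 1)
    return [f"{user}@{realm.lower()}"] + [f"{user}@{s.lower()}" for s in alt_suffixes]


def build_filter(principal: str, alt_suffixes=()) -> str:
    """LDAP filter on userPrincipalName; alternates are OR'ed in (assumed NIDP behaviour)."""
    clauses = ''.join(f"(userPrincipalName={ldap_escape(c)})"
                      for c in upn_candidates(principal, alt_suffixes))
    return f"(|{clauses})" if alt_suffixes else clauses


def find_user(principal: str, directory: dict, alt_suffixes=()):
    """Return the DN whose userPrincipalName matches a candidate (AD compares
    case-insensitively), or None: the 'user could not be found' case in this TID."""
    wanted = {c.lower() for c in upn_candidates(principal, alt_suffixes)}
    for dn, attrs in directory.items():
        if attrs.get('userPrincipalName', '').lower() in wanted:
            return dn
    return None


# Constructed sample: the Kerberos realm is CORP.EXAMPLE.COM, but the account's
# UPN still carries a suffix from an older AD design, so the default lookup misses.
USER_DN = 'CN=jdoe,OU=Users,DC=corp,DC=example,DC=com'
SAMPLE_DIRECTORY = {USER_DN: {'sAMAccountName': 'jdoe', 'userPrincipalName': 'jdoe@oldcorp.local'}}
FIXED_DIRECTORY = {USER_DN: {'sAMAccountName': 'jdoe', 'userPrincipalName': 'jdoe@corp.example.com'}}

if __name__ == '__main__':
    principal = 'jdoe@CORP.EXAMPLE.COM'
    print(build_filter(principal, ['legacy.example.com']))
    print(find_user(principal, SAMPLE_DIRECTORY))  # None: the situation in this TID
    print(find_user(principal, SAMPLE_DIRECTORY, ['legacy.example.com']))  # still None
    print(find_user(principal, FIXED_DIRECTORY))  # the DN, once the UPN is corrected
```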