I am running the AWI in a Platform-as-a-Service (PaaS) application cloud. Recently, I pushed the AWI to the cloud again, and discovered that Kerberos-based single sign-on (SSO) stopped working. I have compared working and non-working apps to try to find out where the problem is originating.
There is a message in both logs:
Requesting Authentication from client.
After this message, the working app shows this message:
received a kerberos token that appears to be valid
The not-working app shows this message instead:
received a NTLM ticket instead of a kerberos ticket. This can happen if the client is not in the same domain. Disable SSO for current user and downgrade to ECC authentication.
I enabled kerberos debugging by adding the following to JAVA_OPTS: '-Dsun.security.krb5.debug=true'. I can see in the log that the krb5 debug option is enabled, but I was not able to see any additional Kerberos debugging messages in the log.
I think something might have changed in the buildpack I'm using to push the app (java_buildpack), but I'm not sure what. Any ideas?