Darran Lofthouse resolved WFLY-8506.
------------------------------------
Assignee: Darran Lofthouse
Resolution: Rejected
Elytron SPNEGO authentication in deployment over HTTPS, EAP requests
for HTTPS/hostname ticket.
-----------------------------------------------------------------------------------------------
Key: WFLY-8506
URL: https://issues.jboss.org/browse/WFLY-8506
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Martin Choma
Assignee: Darran Lofthouse
Labels: eap71_beta_candidate, kerberos, spnego, tls
Accessing a deployment secured by Kerberos + TLS causes EAP to request an HTTPS/hostname
ticket from the KDC.
See the network dump krb_https_deployment.pcap in the attachment, where a TGS-REQ for
HTTPS/localhost is captured.
If I configure HTTPS/hostname in the KDC and the Kerberos credential factory to use the principal
HTTPS/hostname, it works correctly. But I still believe it is a bug:
* At least it is not consistent with the legacy management interface behaviour (JBEAP-8572).
* I found 2 sources describing that protocol and service do not match 1:1 and that for the https
protocol the HTTP/hostname SPN should be used [1][2]
[1] https://sites.google.com/a/chromium.org/dev/developers/design-documents/h...
[2] https://support.microsoft.com/en-us/help/929650/how-to-use-spns-when-you-...