I have a Spring Security based Kerberos authentication setup which had been working fine; however, it suddenly started missing the negotiated request (the 2nd request from the client after Spring initiated the NEGOTIATE).
Somehow, instead of sending two requests, the client only sent the first request, followed by a call to /favicon, which should instead be the same endpoint if it's working.
I then added /favicon to the permitAll() list, which resulted in the 2nd state.
It took me a great amount of time to figure this out, but in short, it was due to the HTTP header from the client (sent after the KDC/TGT's encrypted message) suddenly becoming larger than Tomcat's default threshold (likely the KDC/TGT has sent more data).
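The threshold in question is Tomcat's connector attribute maxHttpHeaderSize, which is 8192 bytes by default and covers the whole request header block; a request whose headers exceed it is rejected by Tomcat with a 400 before Spring Security's SPNEGO filter ever sees the Authorization: Negotiate header. The following is an added example of raising that limit in an embedded Spring Boot Tomcat, not the configuration from the original post; the package name, the bean name and the 64 KiB value are assumptions.

```java
// Added example (not the original post's configuration): raise Tomcat's
// request-header limit in an embedded Spring Boot application so that a
// large "Authorization: Negotiate <token>" header is not rejected with 400.
// Assumptions: Spring Boot with embedded Tomcat; the 64 KiB limit is a
// hypothetical choice, pick a value above your largest observed token.
package com.example.kerberos;

import org.apache.coyote.ProtocolHandler;
import org.apache.coyote.http11.AbstractHttp11Protocol;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatHeaderSizeConfig {

    /** Tomcat's default maxHttpHeaderSize, in bytes. */
    static final int TOMCAT_DEFAULT_MAX_HEADER = 8 * 1024;

    /** Hypothetical new limit; it applies to the whole request header block. */
    static final int MAX_HEADER_BYTES = 64 * 1024;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> kerberosHeaderSize() {
        return factory -> factory.addConnectorCustomizers(connector -> {
            ProtocolHandler handler = connector.getProtocolHandler();
            // Only HTTP/1.1 protocol handlers expose maxHttpHeaderSize.
            if (handler instanceof AbstractHttp11Protocol) {
                ((AbstractHttp11Protocol<?>) handler).setMaxHttpHeaderSize(MAX_HEADER_BYTES);
            }
        });
    }

    /**
     * Rough check for a captured token: the base64 text of the SPNEGO token,
     * plus the "Authorization: Negotiate " prefix and CRLF, plus every other
     * request header, must fit inside maxHttpHeaderSize. If this returns false
     * with the default limit, Tomcat rejects the request before Spring
     * Security runs, which matches the "missing second request" symptom.
     */
    static boolean fitsLimit(int base64TokenLength, int otherHeadersBytes, int maxHeaderBytes) {
        int authLine = "Authorization: Negotiate ".length() + base64TokenLength + 2; // + CRLF
        return authLine + otherHeadersBytes <= maxHeaderBytes;
    }
}
```

The same limit can be set without a customizer through the Spring Boot property server.max-http-header-size (Spring Boot 2.x) or server.max-http-request-header-size (Spring Boot 3.x), or, on a standalone Tomcat, via the maxHttpHeaderSize attribute of the Connector element in server.xml. Kerberos service tickets grow with the PAC, i.e. with the number of groups the user belongs to, so a user being added to many groups is a typical reason the token suddenly crosses the 8 KiB line. Tomcat reserves the header buffer per connection, so raise the limit to what the largest real token needs rather than to an arbitrarily large value.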
The working result: