SPNEGO/Kerberos Authentication

NOTE: A bug was fixed related to Kerberos authentication, please update to version 4.7 or higher.

TGT accessibility

By default, Windows does not allow the session key of a TGT to be accessed. Following registry key should be added on the client side, to make the session key for TGT accessible.

For Windows XP, Windows 2000, Windows 7 and later Windows versions the registry key 
and value should be:
Value Name: allowtgtsessionkey
Value Type: REG_DWORD
Value: 0x01

Add following VM parameter to ${SoapUI_INSTALL_DIR}/bin/soapUI-pro-<version>.vmoptions

And run kinit to get the first TGT.


This should be enough, restart the SoapUI and use SPNEGO/Kerberos in the authentication header and set the username. 


If above doesn't work then the further configuration is required as mentioned below.

Realm and KDC Info

Create a configuration file krb5.conf, krb5.conf should contain the realm info and hostname of the KDC. Save the krb5.conf in a directory which can be accessed by the application (Let's say: C:/kerberos).

The content of the file should look as following:

 default_realm = STHLM.SMARTBEAR.LOCAL
 udp_preference_limit = 1
 kdc = dc02.sthlm.smartbear.local 
 default_domain = STHLM.SMARTBEAR.LOCAL

Where STHLM.SMARTBEAR.LOCAL should be replaced with the realm for the domain.

Where STHLM.SMARTBEAR.LOCAL should be replaced with the realm for the domain. And KDC (Key Distribution Center) should refer to the correct KDC server.


Create a keytab file to store the user credentials, this will be used if the session key of the user is not available in TGT cache. Store the keytab file (username.keytab) to an appropriate directory (C:/kerberos) . The computer should be in domain and user should be logged in, using the credentials for the domain, to create the keytab file.

The username and password should be changed to real credentials and file name should be changed to appropriate name.


JAAS login config file

A configration file (login.conf) should provide the configuration for the LoginModule.

The file content should look as below, user.name should be replaced with the real username and the keytab file path refer to the keytab file generated in previous step:

com.sun.security.jgss.login {
com.sun.security.jgss.initiate {
com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE useTicketCache=true;

Create and save this file to appropriate directory (C:/kerberos).

Setting up environment variables

Add following parameters to SoapUI VM options, by adding them in the file ${SoapU_INSTALL_DIR}/bin/soapUI-pro-<version>.vmoptions

-Djavax.security.auth.useSubjectCredsOnly=false #(if not already added)

Restart SoapUI and use the username in NTML/Kerberos authentication header.