Channel: Directory Services forum

Kerberos SRV Records


Hi,

I have a Kerberos authentication issue that has been puzzling me for the last couple of days.

We've got an Apache Tomcat-based web application that utilizes SPNEGO to authenticate client browsers via Kerberos and Active Directory. Our target environment has been Windows Server 2008/Windows 7, and in said environment, everything works perfectly.

Recently, we've been testing with a Windows Server 2003/Windows XP environment, and the authentication will not work. Oddly enough, I haven't been able to find any errors on our application server (where the webapp is deployed), except for log messages from the SPNEGO libraries saying that a Kerberos token was not supplied by the browser. So, I decided to break out Wireshark and see what the problem might be. Here are my findings:

On the (working) Server 2008 setup:

  1. Browser sends an HTTP GET request to the web application
  2. Web application responds with HTTP 401 WWW-Authenticate: Negotiate
  3. Browser requests a Kerberos ticket from the domain controller (and gets one)
  4. Browser sends an HTTP GET request (this time with the KRB ticket) to the web application
  5. Web application responds with HTTP 200

On the (not working) Server 2003 setup:

  1. Browser sends an HTTP GET request to the web application
  2. Web application responds with HTTP 401 WWW-Authenticate: Negotiate (so far so good)
  3. Browser makes a DNS SRV request to the domain controller for "_kerberos._tcp.MYDOMAIN._sites.dc._msdcs.MYAPPSERVER.MYDOMAIN.DOMAINSUFFIX"
  4. Domain controller responds with "No such name"
  5. Browser makes a DNS SRV request to the domain controller for "_kerberos._tcp.dc._msdcs.MYAPPSERVER.MYDOMAIN.DOMAINSUFFIX"
  6. Domain controller responds with "No such name"
  7. Browser makes an HTTP GET request to the web application with NTLM (prompting the user for username/password)

I took a look in DNS, and it looks like those SRV records exist, only WITHOUT the "MYAPPSERVER" part (as in, "_kerberos._tcp.MYDOMAIN._sites.dc._msdcs.MYDOMAIN.DOMAINSUFFIX"). It's almost like the browser is trying to see if the application server is the KDC, instead of the domain controller? In my research, it seems that the correct SRV query should have been exactly that - WITHOUT the app server, just to the domain.

Some site-specific information:

  • The two setups are completely different networks. In other words, the Windows Server 2008/Windows 7 setup uses one set of Windows Server 2008 domain controllers, and the Windows Server 2003/Windows XP setup uses another set of Windows Server 2003 domain controllers. The LANs are isolated.
  • For 2008/7, the client browser is IE8. For 2003/XP, the client browser is IE7 (but Firefox 18 has also been tried with the same results).
  • In all cases of IE, we have made sure to check the "Enable Integrated Windows Authentication" option, and added our web app URL to the list of intranet sites.

I've done a lot of troubleshooting with our web application and SPNEGO in the past, but I'm not finding any problems there. Rather, the problem seems to be with DNS or some quirk of Server 2003 - and I am very unfamiliar with both. Any help or guidance would be greatly appreciated!
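The comparison the poster did by hand (expected KDC SRV names for the domain versus the names actually seen on the wire) can be automated. The following script is an added example, not code from the post or from any Microsoft tooling. It assumes only the two name shapes quoted in the post, `_kerberos._tcp.<site>._sites.dc._msdcs.<domain>` and `_kerberos._tcp.dc._msdcs.<domain>`; the sample query names are constructed to match the ones in the capture described above, and `MYDOMAIN`, `MYAPPSERVER` and `DOMAINSUFFIX` are the post's own placeholders.

```python
"""Check Kerberos SRV query names seen in a capture against the names a
client should be asking for when it locates a KDC for an AD domain.

Added example for the forum post above; not the post's own code.
Assumed name shapes (as quoted in the post):
    _kerberos._tcp.<site>._sites.dc._msdcs.<dns-domain>
    _kerberos._tcp.dc._msdcs.<dns-domain>
"""
from dataclasses import dataclass
from typing import List, Optional

MSDCS_MARKER = "_msdcs."


def expected_kdc_srv_names(dns_domain: str, site: Optional[str] = None) -> List[str]:
    """Return the SRV names a client should query, most specific first.

    Names are lower-cased and stripped of a trailing dot so they compare
    cleanly against whatever a capture tool exported.
    """
    domain = dns_domain.rstrip(".").lower()
    names = []
    if site:
        names.append(f"_kerberos._tcp.{site}._sites.dc.{MSDCS_MARKER}{domain}")
    names.append(f"_kerberos._tcp.dc.{MSDCS_MARKER}{domain}")
    return [n.lower() for n in names]


@dataclass
class SrvCheck:
    query: str          # the name as seen in the capture (normalised)
    ok: bool            # True if it is one of the expected names
    extra_labels: str   # anything found between "_msdcs." and the domain


def check_observed_query(query: str, dns_domain: str,
                         site: Optional[str] = None) -> SrvCheck:
    """Classify one observed SRV query name.

    If the name is not one of the expected ones, report the labels that sit
    between "_msdcs." and the real domain name; in the post's capture that is
    the application server's host name, which is why the DC answers
    "No such name".
    """
    q = query.rstrip(".").lower()
    d = dns_domain.rstrip(".").lower()
    if q in expected_kdc_srv_names(d, site):
        return SrvCheck(q, True, "")

    extra = ""
    idx = q.find(MSDCS_MARKER)
    if idx != -1 and q.endswith("." + d):
        start = idx + len(MSDCS_MARKER)
        end = len(q) - len(d) - 1          # index of the dot before the domain
        extra = q[start:end] if end > start else ""
    return SrvCheck(q, False, extra)


def diagnose(queries: List[str], dns_domain: str,
             site: Optional[str] = None) -> List[SrvCheck]:
    """Run the check over every query name exported from a capture."""
    return [check_observed_query(q, dns_domain, site) for q in queries]


if __name__ == "__main__":
    # Constructed sample: the two failing names from the post's capture plus
    # the working form the poster found in DNS.
    sample_queries = [
        "_kerberos._tcp.MYDOMAIN._sites.dc._msdcs.MYAPPSERVER.MYDOMAIN.DOMAINSUFFIX",
        "_kerberos._tcp.dc._msdcs.MYAPPSERVER.MYDOMAIN.DOMAINSUFFIX",
        "_kerberos._tcp.MYDOMAIN._sites.dc._msdcs.MYDOMAIN.DOMAINSUFFIX",
    ]
    for result in diagnose(sample_queries, "MYDOMAIN.DOMAINSUFFIX", site="MYDOMAIN"):
        status = "OK " if result.ok else "BAD"
        note = f" (unexpected labels before domain: {result.extra_labels})" \
            if result.extra_labels else ""
        print(f"{status} {result.query}{note}")
```

Feed it the query names exported from the Wireshark DNS filter and it flags any name that carries extra labels in front of the domain. To confirm the expected records really answer from the DC the client is using, `nslookup -type=SRV _kerberos._tcp.dc._msdcs.MYDOMAIN.DOMAINSUFFIX` on the XP client is the matching manual check.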
