The documentation on configuring Kerberos and SPNEGO has an error. The documentation provides the example Kerberos security domain as: <security-domain name="host" cache-type="default"> <authentication> <login-module code="Kerberos" flag="required"> ... However, it should be: <security-domain name="kerberos" cache-type="default"> <authentication> <login-module code="Kerberos" flag="required"> ... Please note the name change. Otherwise the SPNEGO security domain will not start.
Actually, perhaps the bug is in the SPNEGO login module, because it does have this option in the docs: <module-option name="serverSecurityDomain" value="host"/> However, it was not able to find the Kerberos login module until I changed the name to kerberos. So perhaps it's not a doc bug.