I don't understand much of Kerberos/SPNego and how it's implemented, but something seem to be off.
It's about this method from org.apache.http.impl.auth.GGSSchemeBase:
In my case, it's first called for "Negotiate" (without a value) so that challenge is an empty string, resulting in an empty token.
After that, the method is called a second time for "Negotiate <someBase64String>" but since the state is no longer UNINITIATED , the authentication fails.
Comparing this to the implementation of org.apache.http.impl.auth.win.WindowsNegotiateScheme:
Here, there case described above is handled correctly; an empty challenge isn't processed.
Unfortunately, I can't use WindowsNegotiateScheme as I need to use a keytab file and specify my own user, and I prefer a platform-independent solution anyways.
Is the first implementation buggy or am I doing something wrong? Is there a way to work around this?