IE over the network

Jun 22, 2010 at 12:09 PM

The authentication does not work with IE over the network. With Firefox and Chrome I do not have any problems. Locally the login works with IE, but my application does not. But this is another problem. From the log and debugging I can see that IE makes 3 requests. Then it pops up a login box. After OK it makes 3 requests, and so on.

The difference between local and network is that the third request also returns W32Errors.SEC_I_CONTINUE_NEEDED, like the second request.

If I use IE with an IIS then it works between these computers without problems. Any ideas?

Jun 22, 2010 at 12:46 PM

After I removed "Negotiate" and used only NTLM it works. We do not have a Kerberos service in our network. There seems to be a problem with it. Any ideas?

 

Coordinator
Jun 22, 2010 at 2:50 PM

Most likely you don't have a properly configured SPN. Here're a few links.

http://blogs.msdn.com/b/sql_protocols/archive/2006/12/02/understanding-kerberos-and-ntlm-authentication-in-sql-server-connections.aspx

http://msdn.microsoft.com/en-us/library/ms178119.aspx

 

Jun 22, 2010 at 6:53 PM
How do these links help me to fix the problem with WAFFLE? We do not have Kerberos and therefore also no SPN configured. There is currently no plan to change it because some old servers are not compatible with it. We have the same problem with our customers. If I understand correctly, "Negotiate" should fall back to NTLM. This seems not to work with WAFFLE and IE. It works with Chrome and Firefox. It works with IIS, and trusted connections to the SQL Server are also possible. If you cannot reproduce it, can you give me an idea where I can debug/patch it?

Coordinator
Jun 22, 2010 at 7:11 PM

So you've established that NTLM works, but not Kerberos. Negotiate = Kerberos (preferred) or NTLM (chosen for backward compatibility). Chrome and Firefox are choosing to do NTLM because they don't know better. You can/should verify that by looking at the HTTP trace (try IEHttpHeaders). If you see very long tickets in the Authorization: header, they are Kerberos. Shorter ones (or anything prefixed with NTLM) are NTLM. Certainly in Waffle we could try to force the browser to do NTLM with an option (remove WWW-Authenticate: Negotiate and leave NTLM only; I'll gladly take a patch for an option like this).

Since you have an Active Directory, you have Kerberos. That's the default in Active Directory. Proof is that IE tries to do it. That's the most secure protocol, so IE picks it.

I think you're mistaken that from the same client you can make the call to the same server/port that runs IIS and that works. If it does, post the two HTTP traces, from the success with IE/IIS and from a failure IE/Waffle/Tomcat. I bet your tests are against another server (that has an SPN).

Try wfetch next, see http://support.microsoft.com/default.aspx?scid=kb;en-us;284285. It should hopefully tell you what the client side problem is.

Jun 25, 2010 at 10:01 AM
Sorry for the delay. We are currently releasing our software. You are right. We seem to have Kerberos. IE together with IIS is using Kerberos. If I use it on localhost then IE uses a short ticket, which means NTLM. Over the network there are large tickets and it does not work. Conclusion: Kerberos does not work with waffle. Here are the dumps from IEHttpHeaders. Thanks for the tip with this nice tool.

========== Working with IIS ==============
GET /test/login.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vb4
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="vb4"
X-Powered-By: ASP.NET
Date: Fri, 25 Jun 2010 09:48:57 GMT
Content-Length: 1349

GET /test/login.aspx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vb4
Connection: Keep-Alive
Authorization: Negotiate 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

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
WWW-Authenticate: Negotiate oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWlIsIkZZFGurt+g1ybDI5H6FsPmws9iWcVYPe+uRa5MCbkFb++RbsgOqLotW/fJxgnYH+jMwGwFL9ERk/tUcRt2YFMMAGvA/+3NUiLTyqD2bha5Z/kSErWc6cQ==
Date: Fri, 25 Jun 2010 09:48:57 GMT
Content-Length: 183



========== Not working with waffle =============
GET /remote HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vb4:9000
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Set-Cookie: JSESSIONID=1o11l7boymz89;Path=/
Set-Cookie: JSESSIONID=1o11l7boymz89;Path=/
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1377
Server: Jetty(6.1.22)

GET /remote HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vb4:9000
Connection: Keep-Alive
Cookie: JSESSIONID=1o11l7boymz89
Authorization: Negotiate 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

HTTP/1.1 401 Unauthorized
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=1o11l7boymz89;Path=/
WWW-Authenticate: Negotiate oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDEwMDYyNTA5NTMxNVqlBQIDBSkOpgMCASmpFBsSSU5FVFNPRlRXQVJFLkxPQ0FMqhMwEaADAgEBoQowCBsGVm9sa2Vy
Transfer-Encoding: chunked
Server: Jetty(6.1.22)

GET /remote HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: vb4:9000
Connection: Keep-Alive
Authorization: Negotiate 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
Cookie: JSESSIONID=1o11l7boymz89

HTTP/1.1 401 Unauthorized
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=1o11l7boymz89;Path=/
WWW-Authenticate: Negotiate oXIwcKADCgEBomkEZ2BlBgkqhkiG9xIBAgIDAH5WMFSgAwIBBaEDAgEepBEYDzIwMTAwNjI1MDk1MzE1WqUFAgMF1O6mAwIBKakUGxJJTkVUU09GVFdBUkUuTE9DQUyqEzARoAMCAQGhCjAIGwZWb2xrZXI=
Transfer-Encoding: chunked
Server: Jetty(6.1.22)

Coordinator
Jun 25, 2010 at 11:17 AM
Edited Jun 25, 2010 at 11:24 AM

Post the waffle debug log please from the server. Is there a Windows error in there?

You missed one thing too. Can you please try running Tomcat on port 80 (stop IIS), and browse to http://vb4 (not http://vb4:8080). It does matter for SPNs!

 

Jun 25, 2010 at 12:48 PM
I have tested it on port 80 and it also does not work. Here is the log from WAFFLE. There is no error; there is only a W32Errors.SEC_I_CONTINUE_NEEDED as the return value of Secur32.INSTANCE.AcceptSecurityContext().

25.06.2010 14:44:18 waffle.servlet.NegotiateSecurityFilter init
INFO: [waffle.servlet.NegotiateSecurityFilter] started
25.06.2010 14:44:18 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: null null, contentlength: 0
25.06.2010 14:44:18 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: authorization required
25.06.2010 14:44:18 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /remote, contentlength: -1
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 210.1.164.110:2196
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 1209 byte(s)
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDEwMDYyNTEyNDQxOFqlBQIDCVhZpgMCASmpFBsSSU5FVFNPRlRXQVJFLkxPQ0FMqhMwEaADAgEBoQowCBsGVm9sa2Vy
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: true
25.06.2010 14:44:18 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /remote, contentlength: -1
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 210.1.164.110:2196
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 1159 byte(s)
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: oXIwcKADCgEBomkEZ2BlBgkqhkiG9xIBAgIDAH5WMFSgAwIBBaEDAgEepBEYDzIwMTAwNjI1MTI0NDE4WqUFAgMKSo+mAwIBKakUGxJJTkVUU09GVFdBUkUuTE9DQUyqEzARoAMCAQGhCjAIGwZWb2xrZXI=
25.06.2010 14:44:18 waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: true


Coordinator
Jun 25, 2010 at 1:47 PM

So it looks like IIS takes the token and says 200 OK, while Waffle says we need to continue to negotiate. Then IE just stops and doesn't send anything back; instead it gives up and pops up a login dialog. Can you please try to run wfetch, let's see why it thinks that the continue token sent back by waffle isn't good enough for it to continue.

Also, dumb question - there's this in the log.

25.06.2010 14:44:18 waffle.servlet.NegotiateSecurityFilter doFilter
INFO: null null, contentlength: 0

Seems like something is hitting the filter without a URL. Maybe it's related: to support NTLM POST, waffle does something special, and that happens when you have a POST and a content-length of zero. You should also put the filter in DEBUG (see the CHM for how to do that, it's with init-param, ...) for the next round.

Jun 26, 2010 at 8:26 AM
I will test wfetch on Monday to see if it gives some additional information.

> INFO: null null, contentlength: 0

This occurs only on the first request, to send the 401 headers. With the current code of WAFFLE this is not a problem. I can also return "GET" and a URL to prevent an NPE. There is also one large difference between IIS and the Jetty server. IIS runs with a system account and Jetty runs with a simple user account. It is a developer environment. Can this be the cause of the problem?

Coordinator
Jun 26, 2010 at 12:26 PM
The account under which the server runs can certainly be the problem. Do try running Jetty as localsystem.
Jun 28, 2010 at 1:43 PM
If I run Jetty as a Windows service under a system account then it works over the network. I see the large tickets. If WAFFLE does not have the needed rights for Negotiate then it should fall back to NTLM and not use Negotiate. Do you have any idea how you can do it? Do you need some additional information?

Coordinator
Jun 28, 2010 at 2:00 PM
Good. IIS and Tomcat + waffle are doing the same thing.

In all the traces above the browser makes the decision to use Kerberos, and the browser also makes the decision not to continue authentication. I don't know of anything waffle could do here. If you think of something, please let me know.


Sent from my Windows® phone.


From: Horcrux7 <notifications@codeplex.com>
Sent: Monday, June 28, 2010 9:43 AM
To: dB. <dblock@dblock.org>
Subject: Re: IE over the network [waffle:216863]

Jun 29, 2010 at 10:32 AM

After thinking about the problem there are the following solutions:

1.) An option to disable the Negotiate protocol.

2.) Disable the Negotiate protocol if Java does not run as the system account. The username of the system account is hostname$

3.) Check the needed rights. If there are not enough rights then disable Negotiate. For the W3SVC the needed rights are:
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeBackupPrivilege
SeChangeNotifyPrivilege
SeCreateGlobalPrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeIncreaseQuotaPrivilege
SeRestorePrivilege
SeTcbPrivilege

I think SeImpersonatePrivilege sounds interesting.

4.) A hack. Because Negotiate with Kerberos does not have a continue token, this can be used to disable the Negotiate protocol.

 

I would prefer the third solution if possible.

 

Coordinator
Jun 30, 2010 at 11:21 AM

I started by the simpler one.

Build 1.3.4677.0 has new options for the filter.

<init-param>
  <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
  <param-value>
    Negotiate
    NTLM
  </param-value>
</init-param>

You can see how it works: just list those protocols that you want out of Negotiate and NTLM. Note this is all case-sensitive.

I also added another option to specify the Basic provider's Realm, which was on my todo list.

<init-param>
  <param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name> 
  <param-value>WaffleFilterDemo</param-value> 
</init-param>

Let me know if that works.

More comments on your suggestions.

  1. This is what's implemented here. I still think you should figure out which privilege is missing and grant it instead.
  2. This won't work. There's nothing so special about localsystem except that it has all the rights. Other accounts can be created that are given all the rights.
  3. To check known rights and warn users would certainly be a good approach. Btw, where did you get this list from? I need to do a lot more research on which rights are actually needed - note that it's not just about say 2-3 rights, but a whole bunch of others that might not be directly related to security and authentication. Windows adds new rights with every version, so I am not too excited about tracking that in code, much less to disable a filter based on that.
  4. That wouldn't work. The protocol doesn't say how many roundtrips you will need - potentially as many as needed, 1 to many.

 

Coordinator
Jun 30, 2010 at 11:22 AM
This discussion has been copied to a work item.
Jun 30, 2010 at 3:30 PM
I have tested the new configuration options and they work. I have also tested the realm for basic authentication and it works.

3. This list is in the registry of Vista for the W3SVC service as required rights. I have no idea if this will help. The security API is difficult for me as a Java developer.

Coordinator
Jun 30, 2010 at 4:29 PM

Can you please run wfetch and dump its output here? I want to find out why NTLM works and Kerberos doesn't when running as some user and not localsystem. Thx.

Jul 1, 2010 at 6:57 AM
Here is the log output from wfetch 1.4. The behavior is different from IE. It produces an invalid token and it does not work with IIS.

started....
WWWConnect::Connect("vb4","9000")\n
IP = "210.1.164.213:9000"\n
source port: 1974\r\n
ISC_REQ_MUTUAL_AUTH | ISC_REQ_DELEGATE set\n
SEC_I_CONTINUE_NEEDED\n
REQUEST: **************\n
GET /remote HTTP/1.1\r\n
Host: vb4\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw==\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n
Set-Cookie: JSESSIONID=1kgzfgofw159h;Path=/\r\n
Set-Cookie: JSESSIONID=1kgzfgofw159h;Path=/\r\n
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGAAYADgAAAAVgoni9jaeaPQObjYAAAAAAAAAALYAtgBQAAAABgByFwAAAA9JAE4ARQBUAFMATwBGAFQAVwBBAFIARQACABgASQBOAEUAVAB
TAE8ARgBUAFcAQQBSAEUAAQAGAFYAQgA0AAQAJABpAG4AZQB0AHMAbwBmAHQAdwBhAHIAZQAuAGwAbwBjAGEAbAADACwAVgBCADQALgBpAG4AZQB0AHMAbwBmAHQAdwBhAHIAZQAuAGwAbwBjAGEAbA
AFACQAaQBuAGUAdABzAG8AZgB0AHcAYQByAGUALgBsAG8AYwBhAGwABwAIAM4N+W7pGMsBAAAAAA==\r\n
Transfer-Encoding: chunked\r\n
Server: Jetty(6.1.22)\r\n
\r\n
REQUEST: **************\n
GET /remote HTTP/1.1\r\n
Host: vb4\r\n
Accept: */*\r\n
Connection: Keep-Alive\r\n
Authorization: Negotiate TlRMTVNTUAADAAAAAQABAFQAAAAAAAAAVQAAAAAAAABIAAAAAAAAAEgAAAAMAAwASAAAABAAEABVAAAAFYqI4gUCzg4AAAAPRABFAEwATAAyADgAAApJboUo9rlWqt
tilsBvQOE=\r\n
\r\n
RESPONSE: **************\n
HTTP/1.1 401 Unauthorized\r\n
Set-Cookie: JSESSIONID=1s04m9nvkoeel;Path=/\r\n
Set-Cookie: JSESSIONID=1s04m9nvkoeel;Path=/\r\n
WWW-Authenticate: Negotiate\r\n
WWW-Authenticate: NTLM\r\n
WWW-Authenticate: Basic realm="i-net Crystal-Clear"\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
Cache-Control: must-revalidate,no-cache,no-store\r\n
Content-Length: 1377\r\n
Connection: close\r\n
Server: Jetty(6.1.22)\r\n
\r\n
<html>\n
<head>\n
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>\n
<title>Error 401 UNAUTHORIZED</title>\n
</head>\n
<body>\n
HTTP ERROR 401\n
Problem accessing /remote. Reason:\n
    UNAUTHORIZED\n
<small>Powered by Jetty://</small>\n
\n
</body>\n
</html>\n
WWWConnect::Close("vb4","9000")\n
closed source port: 1974\r\n
finished.
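The advice earlier in the thread to tell Kerberos from NTLM by the length of the ticket works, but the Negotiate blobs in these traces can be decoded exactly, and doing so answers the question asked before the Waffle log was posted ("Is there a Windows error in there?"). The script below is an added example, not code from the thread or from the Waffle project: a minimal DER reader for SPNEGO (RFC 4178) and the GSS-API Kerberos token (RFC 4121) that classifies the base64 value after `Negotiate` in an Authorization: or WWW-Authenticate: header and, when a server's continue token wraps a KRB-ERROR, pulls out the error code, realm and service name. The OID, negState and error-code tables are the standard values from those RFCs and RFC 4120; the three sample tokens are copied verbatim from the IIS 200 OK, from Waffle's first 401 in the IE trace, and from the wfetch request above. Written in Python rather than Waffle's Java because this is a trace-reading tool, not filter code.

```python
import base64

# Added example (not Waffle code): decode the base64 after "Negotiate" in an
# Authorization:/WWW-Authenticate: header. Minimal DER/SPNEGO/KRB5 reader only.

OIDS = {                                   # dotted OID -> mechanism name (RFC 4178 / 4121)
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.2.840.48018.1.2.2": "MS-KRB5",      # Microsoft Kerberos OID, what IE/IIS negotiate
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
NTLM_MSG = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
KRB5_TOK_ID = {0x0100: "AP-REQ", 0x0200: "AP-REP", 0x0300: "KRB-ERROR"}
KRB_ERR = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 25: "KDC_ERR_PREAUTH_REQUIRED",
           31: "KRB_AP_ERR_BAD_INTEGRITY", 32: "KRB_AP_ERR_TKT_EXPIRED",
           41: "KRB_AP_ERR_MODIFIED", 60: "KRB_ERR_GENERIC"}   # RFC 4120 section 7.5.9

def der_tlv(buf, pos=0):
    """Read one DER element (single-byte tag) at pos; return (tag, value, end_offset)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                          # long form: low 7 bits = number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(value):
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    """Dotted form of a DER OBJECT IDENTIFIER value (first byte packs two arcs, rest base-128)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def mech_name(raw):
    dotted = decode_oid(raw)
    return OIDS.get(dotted, dotted)

def parse_ntlm(raw):
    return {"kind": "NTLM", "message": NTLM_MSG.get(int.from_bytes(raw[8:12], "little"), "?")}

def parse_krb5(raw):
    """GSS-API InitialContextToken: 0x60 <len> <mech OID> <2-byte TOK_ID> <Kerberos message>."""
    _, body, _ = der_tlv(raw)
    _, oid, pos = der_tlv(body)
    tok_id = int.from_bytes(body[pos:pos + 2], "big")
    info = {"kind": mech_name(oid), "message": KRB5_TOK_ID.get(tok_id, hex(tok_id))}
    if tok_id != 0x0300:
        return info
    # KRB-ERROR ::= [APPLICATION 30] SEQUENCE { stime [4], error-code [6], realm [9], sname [10], ... }
    _, seq, _ = der_tlv(der_tlv(body, pos + 2)[1])
    for tag, val in der_children(seq):
        ctx, inner = tag & 0x1F, der_tlv(val)[1]   # strip the EXPLICIT context tag
        if ctx == 4:
            info["stime"] = inner.decode()
        elif ctx == 6:
            code = int.from_bytes(inner, "big")
            info["error_code"], info["error_name"] = code, KRB_ERR.get(code, "?")
        elif ctx == 9:
            info["realm"] = inner.decode()
        elif ctx == 10:                        # PrincipalName: name-type [0], name-string [1]
            for t, v in der_children(inner):
                if t & 0x1F == 1:
                    info["sname"] = "/".join(s.decode() for _, s in der_children(der_tlv(v)[1]))
    return info

def describe_mech_token(raw):
    if raw.startswith(b"NTLMSSP\x00"):
        return parse_ntlm(raw)
    if raw[:1] == b"\x60":
        return parse_krb5(raw)
    return {"kind": "opaque", "length": len(raw)}

def parse_negotiate_header(b64):
    """Classify the base64 value of 'Authorization: Negotiate ...' / 'WWW-Authenticate: Negotiate ...'."""
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):         # raw NTLM under the Negotiate scheme (what wfetch sent)
        return parse_ntlm(raw)
    tag, body, _ = der_tlv(raw)
    if tag == 0x60:                            # client -> server: NegTokenInit, or a bare Kerberos token
        _, oid, pos = der_tlv(body)
        if mech_name(oid) != "SPNEGO":
            return parse_krb5(raw)
        info = {"kind": "SPNEGO NegTokenInit"}
        for tag, val in der_children(der_tlv(der_tlv(body, pos)[1])[1]):
            ctx, inner = tag & 0x1F, der_tlv(val)[1]
            if ctx == 0:                       # mechTypes, in the client's preference order
                info["mechTypes"] = [mech_name(o) for _, o in der_children(inner)]
            elif ctx == 2:                     # mechToken: first leg of the preferred mechanism
                info["mechToken"] = describe_mech_token(inner)
        return info
    if tag == 0xA1:                            # server -> client: NegTokenResp
        info = {"kind": "SPNEGO NegTokenResp"}
        for tag, val in der_children(der_tlv(body)[1]):
            ctx, inner = tag & 0x1F, der_tlv(val)[1]
            if ctx == 0:
                info["negState"] = NEG_STATE.get(inner[0], inner[0])
            elif ctx == 1:
                info["supportedMech"] = mech_name(inner)
            elif ctx == 2:
                info["responseToken"] = describe_mech_token(inner)
        return info
    return {"kind": "unknown", "first_byte": hex(tag)}

# Sample tokens copied verbatim from the traces posted in this thread.
IIS_200_OK = ("oYGgMIGdoAMKAQChCwYJKoZIgvcSAQICooGIBIGFYIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEX"
              "olwEWlIsIkZZFGurt+g1ybDI5H6FsPmws9iWcVYPe+uRa5MCbkFb++RbsgOqLotW/fJxgnYH+jMwGwFL9ERk/tUc"
              "Rt2YFMMAGvA/+3NUiLTyqD2bha5Z/kSErWc6cQ==")          # WWW-Authenticate on the IIS 200 OK
WAFFLE_401_FIRST = ("oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDEwMDYy"
                    "NTA5NTMxNVqlBQIDBSkOpgMCASmpFBsSSU5FVFNPRlRXQVJFLkxPQ0FMqhMwEaADAgEBoQowCBsGVm9sa2Vy")
WFETCH_REQ = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAFAs4OAAAADw=="   # Authorization sent by wfetch

if __name__ == "__main__":
    for label, tok in [("IIS 200 OK", IIS_200_OK), ("Waffle 401", WAFFLE_401_FIRST), ("wfetch", WFETCH_REQ)]:
        print(label, "->", parse_negotiate_header(tok))
```

Run on the thread's own tokens, the IIS 200 OK carries negState accept-completed with a Kerberos AP-REP inside, a finished handshake. Waffle's first 401 carries negState accept-incomplete, but the responseToken is not a continuation of the handshake: it is a KRB-ERROR with error-code 41 (KRB_AP_ERR_MODIFIED), stime 20100625095315Z, realm INETSOFTWARE.LOCAL and sname "Volker". KRB_AP_ERR_MODIFIED is what the acceptor returns when it cannot verify the ticket it was handed, typically because the process does not hold the key the ticket was encrypted with, and the sname being a user principal rather than a service principal for vb4 is consistent with Jetty running as a plain user account, which is exactly the condition the thread later found to matter; IE has nothing to continue with, so it gives up and prompts. The wfetch request is a bare NTLMSSP NEGOTIATE message under the Negotiate scheme rather than a SPNEGO NegTokenInit, which is why its behaviour differs from IE's. The practical check when a filter loops on SEC_I_CONTINUE_NEEDED is therefore to decode the first continue token: an embedded KRB-ERROR names the failure directly, and its code tells you whether to look at the service account and its keys (41), the SPN registration (7) or the clock (32 and friends).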