Logon Fails when not using - localhost / 127.0.0.1

Jun 23, 2010 at 2:20 PM
Edited Jun 23, 2010 at 2:21 PM
Hello. The negotiation works only when I try with http://localhost:8080/waffle-filter/ or when I use http://127.0.01/waffle-filter. It fails when used with the actual IP of my machine in the intranet. When I use the actual IP of the machine, a user name and password are prompted. The login never passes, even after entering the right credentials about 3 to 4 times. I am pasting the logs.
Jun 23, 2010 at 2:22 PM
Can you please throw some light on how to resolve this?

--------------------------------------------------------------------
successful attempt with localhost
--------------------------------------------------------------------

23-Jun-2010 21:10:59 waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /waffle-filter/, contentlength: -1
23-Jun-2010 21:10:59 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: <none>, ntlm post: false
23-Jun-2010 21:10:59 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization required
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /waffle-filter/, contentlength: -1
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: Negotiate TlRMTVNTUAABAAAAB7IIogQABAA2AAAADgAOACgAAAAFASgKAAAAD1dTTkcxMTAyMTAwMDcwQ1NGQm==, ntlm post: false
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: security package: Negotiate, connection id: 127.0.0.1:1056
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: token buffer: 58 byte(s)
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: continue required: true
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: continue token: TlRMTVNTUAACAAAACAAIADgAAAAFwominSMgK5/MJxqIlZ4BAAAAALYAtgBAAAAABQEoCgAAAA9DAFMARgBCAAIACABDAFMARgBCAAEAHABXAFMATgBHADEAMQAwADIAMQAwADAAMAA3ADAABAAiAGMAcwBmAGIALgBjAHMALQBnAHIAbwB1AHAALgBjAG8AbQADAEAAdwBzAG4AZwAxADEAMAAyADEAMAAwADAANwAwAC4AYwBzAGYAYgAuAGMAcwAtAGcAcgBvAHUAcAAuAGMAbwBtAAUAGABjAHMALQBnAHIAbwB1AHAALgBjAG8AbQAAAAAA
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /waffle-filter/, contentlength: -1
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: Negotiate TlRMTVNTUAADAAAAAAAAAEgAAAAAAAAASAAAAAAAAABIAAAAAAAAAEgAAAAAAAAASAAAAAAAAABIAAAABcKIogUBKAoAAAAP, ntlm post: false
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: security package: Negotiate, connection id: 127.0.0.1:1056
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: token buffer: 72 byte(s)
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: continue required: false
23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
FINE: logged in user: DOMAIN\sshanmu6 (S-1-5-21-606747145-527237240-1606980848-1043672)
23-Jun-2010 21:11:20 waffle.apache.NegotiateAuthenticator authenticate
FINE: roles: BUILTIN\Remote Desktop Users, BUILTIN\Users, < ETC .. ETC ... ETC ... >
23-Jun-2010 21:11:20 waffle.apache.NegotiateAuthenticator authenticate
FINE: session id:D9BDAD30F4427AE9F1029C3586B138AC
23-Jun-2010 21:11:20 waffle.apache.NegotiateAuthenticator authenticate
INFO: successfully logged in user: DOMAIN\sshanmu6

----------------------------------------------------------------------------------------------------------
UNSUCCESSFUL attempts with the actual IP of my machine
----------------------------------------------------------------------------------------------------------

23-Jun-2010 20:58:59 waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /waffle-filter/index.jsp, contentlength: -1
23-Jun-2010 20:58:59 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: <none>, ntlm post: false
23-Jun-2010 20:58:59 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization required
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /waffle-filter/index.jsp, contentlength: -1
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==, ntlm post: false
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: security package: Negotiate, connection id: 167.168.129.13:34842
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: token buffer: 40 byte(s)
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: continue required: true
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: continue token: TlRMTVNTUAACAAAACAAIADgAAAAFgomiaDEOxLHiIhIAAAAAAAAAALYAtgBAAAAABQEoCgAAAA9DAFMARgBCAAIACABDAFMARgBCAAEAHABXAFMATgBHADEAMQAwADIAMQAwADAAMAA3ADAABAAiAGMAcwBmAGIALgBjAHMALQBnAHIAbwB1AHAALgBjAG8AbQADAEAAdwBzAG4AZwAxADEAMAAyADEAMAAwADAANwAwAC4AYwBzAGYAYgAuAGMAcwAtAGcAcgBvAHUAcAAuAGMAbwBtAAUAGABjAHMALQBnAHIAbwB1AHAALgBjAG8AbQAAAAAA
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /waffle-filter/index.jsp, contentlength: -1
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: Negotiate TlRMTVNTUAADAAAAGAAYAJIAAAAYABgAqgAAAB4AHgBIAAAAEAAQAGYAAAAcABwAdgAAAAAAAADCAAAABYKIogUBKAoAAAAPMQA2ADcALgAxADYAOAAuADIAMwA3AC4AMQAxADEAdgByAGEAagBlAG4AZAAxAFcAUwBOAEcAMQAxADAAMgAxADAAMAAwADcAMQB3Ib6C5sGIvgAAAAAAAAAAAAAAAAAAAADQ/7eLSAIt3r/OOFvg4m520lxCQxRVLyU=, ntlm post: false
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: security package: Negotiate, connection id: 167.168.129.13:34842
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
FINE: token buffer: 194 byte(s)
23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
WARNING: error logging in user: The logon attempt failed
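To see what the Negotiate headers in the log above actually carry, here is an added Python decoder (not part of Waffle or of this thread) that parses the NTLMSSP Type 1/2/3 messages behind the base64 tokens and reports message type, negotiate flags, and the domain/user/workstation strings. The tokens are copied from the log lines above; the flag table is a subset of MS-NLMP.

```python
import base64
import struct

# Subset of NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5) worth reading off the tokens in the log above
FLAG_NAMES = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000200: "NTLM", 0x00001000: "OEM_DOMAIN_SUPPLIED",
    0x00002000: "OEM_WORKSTATION_SUPPLIED", 0x00004000: "LOCAL_CALL", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x00800000: "TARGET_INFO", 0x02000000: "VERSION",
    0x20000000: "128", 0x80000000: "56",
}
MSG_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Header values copied verbatim from the log lines in the post above (localhost run and IP run)
SAMPLE_HEADERS = {
    "ip_type1": "Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==",
    "ip_type2": "Negotiate TlRMTVNTUAACAAAACAAIADgAAAAFgomiaDEOxLHiIhIAAAAAAAAAALYAtgBAAAAABQEoCgAAAA9DAFMARgBCAAIACABDAFMARgBCAAEAHABXAFMATgBHADEAMQAwADIAMQAwADAAMAA3ADAABAAiAGMAcwBmAGIALgBjAHMALQBnAHIAbwB1AHAALgBjAG8AbQADAEAAdwBzAG4AZwAxADEAMAAyADEAMAAwADAANwAwAC4AYwBzAGYAYgAuAGMAcwAtAGcAcgBvAHUAcAAuAGMAbwBtAAUAGABjAHMALQBnAHIAbwB1AHAALgBjAG8AbQAAAAAA",
    "localhost_type3": "Negotiate TlRMTVNTUAADAAAAAAAAAEgAAAAAAAAASAAAAAAAAABIAAAAAAAAAEgAAAAAAAAASAAAAAAAAABIAAAABcKIogUBKAoAAAAP",
    "ip_type3": "Negotiate TlRMTVNTUAADAAAAGAAYAJIAAAAYABgAqgAAAB4AHgBIAAAAEAAQAGYAAAAcABwAdgAAAAAAAADCAAAABYKIogUBKAoAAAAPMQA2ADcALgAxADYAOAAuADIAMwA3AC4AMQAxADEAdgByAGEAagBlAG4AZAAxAFcAUwBOAEcAMQAxADAAMgAxADAAMAAwADcAMQB3Ib6C5sGIvgAAAAAAAAAAAAAAAAAAAADQ/7eLSAIt3r/OOFvg4m520lxCQxRVLyU=",
}

def _string_field(raw, pos, unicode):
    """Read a (Len, MaxLen, BufferOffset) descriptor at pos and return the string it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
    return raw[offset:offset + length].decode("utf-16-le" if unicode else "ascii", "replace")

def parse_negotiate_header(header):
    """Decode a 'Negotiate <base64>' header value into a dict describing the NTLMSSP message."""
    scheme, _, token = header.strip().partition(" ")
    raw = base64.b64decode(token + "=" * (-len(token) % 4))  # tolerate stripped '=' padding
    if not raw.startswith(b"NTLMSSP\x00"):  # e.g. a SPNEGO/Kerberos blob: report scheme and size only
        return {"scheme": scheme, "ntlm": False, "length": len(raw)}
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"scheme": scheme, "ntlm": True, "length": len(raw), "type": MSG_TYPES.get(msg_type, msg_type)}
    flags = 0
    if msg_type == 1:    # NEGOTIATE: flags @12, OEM domain @16, OEM workstation @24
        flags = struct.unpack_from("<I", raw, 12)[0]
        info["domain"] = _string_field(raw, 16, False)
        info["workstation"] = _string_field(raw, 24, False)
    elif msg_type == 2:  # CHALLENGE: target name @12, flags @20, 8-byte server challenge @24
        flags = struct.unpack_from("<I", raw, 20)[0]
        info["target"] = _string_field(raw, 12, bool(flags & 1))
        info["challenge"] = raw[24:32].hex()
    elif msg_type == 3:  # AUTHENTICATE: LM @12, NT @20, domain @28, user @36, workstation @44, flags @60
        flags = struct.unpack_from("<I", raw, 60)[0]
        unicode = bool(flags & 1)
        info["domain"] = _string_field(raw, 28, unicode)
        info["user"] = _string_field(raw, 36, unicode)
        info["workstation"] = _string_field(raw, 44, unicode)
    info["flags"] = sorted(name for bit, name in FLAG_NAMES.items() if flags & bit)
    return info
```

Calling parse_negotiate_header on the localhost and IP Type 3 values in SAMPLE_HEADERS shows which flags and name fields differ between the two runs.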

Coordinator
Jun 23, 2010 at 2:36 PM

This is most likely security policy related. In the first case you're doing a logon locally, while in the second you're doing a logon from a network. If you're lucky, the Windows event log has a more complete error message under Security (especially if you have logon auditing set up). So I think there are two possibilities:

  1. The account DOMAIN\sshanmu6 doesn't have the local security privilege to log on from a network (Local Security Policy, Local Policies, User Rights Assignment - check "Deny access to this computer from the network" and "Access this computer from the network").
  2. I have seen this when the account under which your server runs doesn't have sufficient privileges to log on a domain user. This may be because it runs under a domain user's credentials (DOMAIN\someone); changing it to LocalSystem has fixed this problem before for me. There should be a local security policy fix for this as well, but I still have to dig it up.

Hope this helps, let us know what you find.

Jun 24, 2010 at 11:21 AM
I am not sure if this is related to "the local security privilege to logon from a network (Local Security Policy, Local Policies, User Rights Assignment - check "Deny access to this computer from the network" and "Access this computer from the network")" as you had said, because I am able to access the application using the physical IP of the box from any other box in the intranet when I don't have the security filter turned on.

1) Without having the SecurityFilter turned on, I am able to access the application from the same box with
   a) localhost
   b) 127.0.0.1
   c) the physical IP of the box.
   d) I am also able to access the application from a different box in the same intranet using the physical IP of the box where the application is deployed.

So, are you still sure this is to do with the security policy?

2) One thing to note is, when I use

   a) localhost, I see the following in the logs

   23-Jun-2010 21:11:19 waffle.apache.NegotiateAuthenticator authenticate
   FINE: security package: Negotiate, connection id: 127.0.0.1:1056

   b) the IP address, I see a different connection id

   23-Jun-2010 20:59:10 waffle.apache.NegotiateAuthenticator authenticate
   FINE: security package: Negotiate, connection id: 167.168.129.13:34842

   The point to be noted is that the above displayed IP address is NOT the IP address of the box where the application is deployed (NOT the one which is being requested in the address bar of IE).

This looks strange. What is this connection id, and how is it used? Could this have something to do with this issue?

Coordinator
Jun 24, 2010 at 12:07 PM

I think you should stop guessing :) I am sure. It has nothing to do with network access and everything to do with authentication and security policy. When you access the application (remotely) without the filter, you're accessing it as the user under which the application runs (i.e. anonymously). So there's no logon going on.

The connection id is a unique hash key that's used to maintain security tokens across sessions for the same connection. Kerberos and NTLM are connection-oriented protocols, and the system needs several roundtrips, so the key used is the remote IP:port.

Jun 24, 2010 at 1:40 PM
Ok ... I'll stop guessing :)

I need 1 clarification.
Say my system IP is X.X.X.X,
and I am accessing http://X.X.X.X:8080/waffle-filter/     ---- from the same machine X.X.X.X

Then why am I seeing X.X.X.Y:port as the connection id? Shouldn't that be X.X.X.X:port?

Jun 25, 2010 at 11:13 AM
If you use an IP address, then IE shows in the status bar that you are in the Internet zone. In this case it falls back to basic authentication. NTLM or Negotiate is only used in the intranet zone. If you log in with basic authentication, then you need to use domain\user instead of only user if you use a domain account. This is different from NTLM or Negotiate. I hope this helps.
Jun 25, 2010 at 12:00 PM
That is right. When I am using the IP, it is showing "internet" on the status bar. Apologies if my question is naive, but is it possible to make this IP treated as intranet? (This box is basically in the intranet zone.)
Coordinator
Jun 25, 2010 at 12:19 PM

Add it to the Intranet zone in your browser.

Internet Explorer

Ensure that Integrated Windows Authentication is enabled.

  1. Choose the Tools, Internet Options menu.
  2. Click the Advanced tab.
  3. Scroll down to Security
  4. Check Enable Integrated Windows Authentication.
  5. Restart the browser.

The target website must be in the Intranet Zone.

  1. Navigate to the website.
  2. Choose the Tools, Internet Options menu.
  3. Click the Local Intranet icon.
  4. Click the Sites button.
  5. Check Automatically detect intranet network.
  6. For localhost, click Advanced.
  7. Add http://localhost to the list.

Firefox

  1. Type about:config in the address bar and hit enter.
  2. Type network.negotiate-auth.trusted-uris in the Filter box.
  3. Put your server name as the value. If you have more than one server, you can enter them all as a comma separated list.
  4. Close the tab.
Coordinator
Jul 1, 2010 at 1:07 AM
sekarmdu wrote:
I need 1 clarification.
Say my system IP is X.X.X.X,
and I am accessing http://X.X.X.X:8080/waffle-filter/     ---- from the same machine X.X.X.X

Then why am I seeing X.X.X.Y:port as the connection id? Shouldn't that be X.X.X.X:port?

You may want to read this. Also, you may have a multihomed machine, you may have a proxy, etc. This is the IP Tomcat actually sees for your remote host.