Integrated Windows Auth

Jan 17, 2011 at 2:48 PM

Hi,

Integrated Windows Authentication failing..

I have access to the server where tomcat resides.. to ensure that, I have left the tomcat homepage as the default app. So, if I type http://hostname:8080, the tomcat homepage shows up.. so far so good.

When I type http://hostname:8080/Appname which has Waffle enabled, then the credentials box comes up. I also have RDP access to the server, and if I provide my RDP credentials, then it goes through fine. Providing my n/w creds does not work.


When I am trying this, I am logged into the network via novell. 

I think it's a Windows server config issue rather than a Waffle issue. Looking up docs for Integ Windows Auth, it simply seems that the authentication exchange initially fails to identify the user.
The 'Enable Integrated Windows Authentication' box is checked on the client browser.
Tomcat is not running as a service.

Comments?

Thx,

Shashi

Coordinator
Jan 18, 2011 at 2:30 AM

You should start with Troubleshooting Negotiate. Since you're seeing a popup, this means that SSO failed.

Jan 18, 2011 at 10:42 AM


I think I have covered all the bullet points over there.. except for starting the server as 'LocalSystem'. The SSO works fine once I provide my RDP credentials.
I am trying to figure out - does the Novell user need to have a local permission on the server as well - as part of a group etc..

Logs from client:

GET /APPName HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: Host: XXX
Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Location: http://Host: XXX/APPName/
Transfer-Encoding: chunked
Date: Tue, 18 Jan 2011 11:23:32 GMT

GET /APPName/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: Host: XXX
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Transfer-Encoding: chunked
Date: Tue, 18 Jan 2011 11:23:32 GMT

GET /APPName/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: Host: XXX
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAADgAOADgAAAAFgoqiBIaVdYIY9GMAAAAAAAAAAHQAdABGAAAABQLODgAAAA9XAFQASQAtAFAAMAAyAAIADgBXAFQASQAtAFAAMAAyAAEADgBXAFQASQAtAFAAMAAyAAQAIgBXAFQASQAtAFAAMAAyAC4AVwBUAEkALgBsAG8AYwBhAGwAAwAiAFcAVABJAC0AUAAwADIALgBXAFQASQAuAGwAbwBjAGEAbAAAAAAA
Connection: keep-alive
Transfer-Encoding: chunked
Date: Tue, 18 Jan 2011 11:23:32 GMT

GET /APPName/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: Host: XXX
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHQAAAAYABgAjAAAABAAEABIAAAADAAMAFgAAAAQABAAZAAAAAAAAACkAAAABYKIogUBKAoAAAAPTABFAE4ATwBWAE8ALQAxAFMAaABhAHMAaABpAEwARQBOAE8AVgBPAC0AMQC4/ayyJPzNpwAAAAAAAAAAAAAAAAAAAACh603j1FbAwRr9G6QGLqm+FVwdTmkz1CA=

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Transfer-Encoding: chunked
Date: Tue, 18 Jan 2011 11:23:32 GMT

GET /favicon.ico HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: Host: XXX
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"21630-1279569586000"
Last-Modified: Mon, 19 Jul 2010 19:59:46 GMT
Content-Length: 21630
Date: Tue, 18 Jan 2011 11:25:27 GMT


SERVER Log:

Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /APPName/, contentlength: -1
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: , ntlm post: false
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization required
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /APPName/, contentlength: -1
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKA
AAADw==, ntlm post: false
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: security package: Negotiate, connection id: XX.XX.XX.XX:XXXX
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: token buffer: 40 byte(s)
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: continue required: true
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: continue token: TlRMTVNTUAACAAAADgAOADgAAAAFgoqiBIaVdYIY9GMAAAAAAAAAAHQAdA
BGAAAABQLODgAAAA9XAFQASQAtAFAAMAAyAAIADgBXAFQASQAtAFAAMAAyAAEADgBXAFQASQAtAFAAMA
AyAAQAIgBXAFQASQAtAFAAMAAyAC4AVwBUAEkALgBsAG8AYwBhAGwAAwAiAFcAVABJAC0AUAAwADIALg
BXAFQASQAuAGwAbwBjAGEAbAAAAAAA
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: GET /APPName/, contentlength: -1
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: authorization: Negotiate TlRMTVNTUAADAAAAGAAYAHQAAAAYABgAjAAAABAAEABIAAAAD
AAMAFgAAAAQABAAZAAAAAAAAACkAAAABYKIogUBKAoAAAAPTABFAE4ATwBWAE8ALQAxAFMAaABhAHMAa
ABpAEwARQBOAE8AVgBPAC0AMQC4/ayyJPzNpwAAAAAAAAAAAAAAAAAAAACh603j1FbAwRr9G6QGLqm+F
VwdTmkz1CA=, ntlm post: false
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: security package: Negotiate, connection id: XX.XX.XX.XX:XXXX
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
FINE: token buffer: 164 byte(s)
Jan 18, 2011 6:23:33 AM waffle.apache.NegotiateAuthenticator authenticate
WARNING: error logging in user: The logon attempt failed


Thx.

Coordinator
Jan 18, 2011 at 12:00 PM

When you have to type, it's considered a failure. SSO should not ask you for anything. So you get an error on the server "error logging in user: the logon attempt failed". This means that either the user running the server doesn't have enough privileges to logon the client user or the client user isn't on the domain or can't logon remotely.

So you're logged in as user domain\user via Novell? I've never worked with Novell, what does this mean? Is it the same as a domain user? What are "RDP credentials" - are those the same as the Novell credentials?
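The Negotiate tokens in the trace above are plain NTLMSSP messages, so the identity fields that both hypotheses turn on (which domain the client presented, and whether the server is answering for a domain or only for itself) can be read directly from the log without any secret material. The decoder below is an added example, not code from this thread or from Waffle; it parses the posted CHALLENGE (type 2) and AUTHENTICATE (type 3) tokens using the MS-NLMP field layout and leaves the challenge/response blobs untouched.

```python
import base64
import struct

# NegotiateFlags bits (MS-NLMP section 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}

# The CHALLENGE (type 2) and AUTHENTICATE (type 3) tokens copied from the client trace above.
TYPE2 = "TlRMTVNTUAACAAAADgAOADgAAAAFgoqiBIaVdYIY9GMAAAAAAAAAAHQAdABGAAAABQLODgAAAA9XAFQASQAtAFAAMAAyAAIADgBXAFQASQAtAFAAMAAyAAEADgBXAFQASQAtAFAAMAAyAAQAIgBXAFQASQAtAFAAMAAyAC4AVwBUAEkALgBsAG8AYwBhAGwAAwAiAFcAVABJAC0AUAAwADIALgBXAFQASQAuAGwAbwBjAGEAbAAAAAAA"
TYPE3 = "TlRMTVNTUAADAAAAGAAYAHQAAAAYABgAjAAAABAAEABIAAAADAAMAFgAAAAQABAAZAAAAAAAAACkAAAABYKIogUBKAoAAAAPTABFAE4ATwBWAE8ALQAxAFMAaABhAHMAaABpAEwARQBOAE8AVgBPAC0AMQC4/ayyJPzNpwAAAAAAAAAAAAAAAAAAAAAAAAACh603j1FbAwRr9G6QGLqm+FVwdTmkz1CA="

def _text(buf, fields_off, flags):
    """Resolve a (Len, MaxLen, BufferOffset) descriptor to its string payload."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, fields_off)
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
    return buf[start:start + length].decode(enc)

def decode_ntlm(token_b64):
    """Return the identity fields of an NTLMSSP message; response blobs are not parsed."""
    buf = base64.b64decode(token_b64)
    if buf[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", buf, 8)[0]
    info = {"type": msg_type}
    if msg_type == 2:                       # CHALLENGE: what the server says about itself
        flags = struct.unpack_from("<I", buf, 20)[0]
        info["target_name"] = _text(buf, 12, flags)
        info["target_is_domain"] = bool(flags & NTLMSSP_TARGET_TYPE_DOMAIN)
        info["target_is_server"] = bool(flags & NTLMSSP_TARGET_TYPE_SERVER)
        av_len, _maxlen, av_off = struct.unpack_from("<HHI", buf, 40)
        pos = av_off
        while pos + 4 <= av_off + av_len:   # AV_PAIR list, terminated by MsvAvEOL (id 0)
            av_id, length = struct.unpack_from("<HH", buf, pos)
            if av_id == 0:
                break
            if av_id in AV_NAMES:           # AV_PAIR strings are always UTF-16LE
                info[AV_NAMES[av_id]] = buf[pos + 4:pos + 4 + length].decode("utf-16-le")
            pos += 4 + length
    elif msg_type == 3:                     # AUTHENTICATE: who the client claims to be
        flags = struct.unpack_from("<I", buf, 60)[0]
        info["domain"] = _text(buf, 28, flags)
        info["user"] = _text(buf, 36, flags)
        info["workstation"] = _text(buf, 44, flags)
    return info

if __name__ == "__main__":
    for token in (TYPE2, TYPE3):
        print(decode_ntlm(token))
```

On the posted tokens the client authenticates as LENOVO-1\Shashi with the domain field equal to its own workstation name, i.e. a local account rather than a domain logon, and the server WTI-P02 sets TARGET_TYPE_SERVER (not TARGET_TYPE_DOMAIN) and advertises a NetBIOS domain equal to its own computer name, which is how a standalone, non-domain-joined machine answers.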


Jan 18, 2011 at 12:12 PM

I have Remote Desktop Access (RDP) to the server. I get into the server via RDP and start Tomcat .. This is similar to getting console access.

I log into Novell with my network id. This and RDP creds are different.

I think domain\user via Novell is the same as a domain user, but this would be a very general opinion. I am not aware if there would be any fine distinction..

Thinking further, the Novell user has to be on the domain, if he can reach the server at all.

My a/c has admin rights..


Coordinator
Jan 18, 2011 at 12:22 PM

The machine from which SSO doesn't work is on the domain or not? What is the user you logon as to this machine?

Jan 18, 2011 at 12:59 PM

The logon m/c is on the network/domain.


The uid's are the same. However, when I am doing all of this.. I am behind the firewall. That might be causing the issue..

Coordinator
Jan 18, 2011 at 8:56 PM

This also may be a Kerberos configuration problem. Try disabling Negotiate in waffle (edit in config) - that would force NTLM and could work in all cases.