ERRORs in remote authentication

Feb 7, 2011 at 12:27 PM

Hello,

We are trying to run waffle-filter with Tomcat 6.0. When we try to log in from localhost there is no problems, but when trying to get a remote access begin the problems.

In IExplorer: we only are able to access when check-out Integrated Windows Authentication in the browser optiones

In Firefox: we only are able to access entering the credentials (from localhost we have to enter the credentials too)

In Chrome: an error 338 (net: ERR_INVALID_AUTH_CREDENTIALS) appears.

Any ideas to solve this?

 

Thanks in advance.

Coordinator
Feb 7, 2011 at 12:29 PM

Pick one of the filing scenarios and start here: Troubleshooting Negotiate.

Generally, when you see a popup, you're not doing SSO or SSO is failing.

Feb 7, 2011 at 1:50 PM

Thanks, as I can see, the correct configuration is using NTLM, so I put only this param in web.xml and now it works.

Here is the header log for IExplorer with Integrated Windows Authentication checked:


GET /waffle-filter/ HTTP/1.1Accept: */*Accept-Language: esUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Accept-Encoding: gzip, deflateHost: pcmptc:8081Connection: Keep-Alive

HTTP/1.1 401 No AutorizadoServer: Apache-Coyote/1.1WWW-Authenticate: Basic realm="WaffleFilterDemo"WWW-Authenticate: NegotiateWWW-Authenticate: NTLMConnection: keep-aliveContent-Type: text/html;charset=utf-8Content-Length: 969Date: Mon, 07 Feb 2011 13:22:05 GMT

GET /waffle-filter/ HTTP/1.1Accept: */*Accept-Language: esUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Accept-Encoding: gzip, deflateHost: pcmptc:8081Connection: Keep-AliveAuthorization: Negotiate YIIFgQYGKwYBBQUCoIIFdTCCBXGgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBUcEggVDYIIFPwYJKoZIhvcSAQICAQBuggUuMIIFKqADAgEFoQMCAQ6iBwMFACAAAACjggRSYYIETjCCBEqgAwIBBaEIGwZHTVYuRVOiIDAeoAMCAQKhFzAVGwRIVFRQGw1wY21wdGMuZ212LmVzo4IEFTCCBBGgAwIBF6EDAgETooIEAwSCA/8LxmSbsFo41KUM0Cm8eM+DzMs1+ktnwkNHYmO8a4artjRYm8TWZ9qd0hQjg3mGrlw1kggKS2rC6fyJHu4v5WGTVwmEeuSN4JOVRMJW5UEw3+UCW2guoeu13wjkGWPzWHvPfueYej/5JpqzJ66uWhaY5CflpfpSxc4K6/ybesNtOTTLyjOAn5D5M1G7SNS6R8r80I3LSL6ENqcPJvL14VFLyhsD2kkiT8JUND4ld4DQJiGBcxpk3ZoPhiQpLvxI5/KPUvvNBOgy2zXydmJj8Dj6Mt9yfczM8O7QpXXxilfCXVkIMt9FJSLqKuzq7zTSWJnZ6t8myEPC+/I45qqFKhwkGvy1Tq/x8ZVOTW9IMhCoD78tCfczvUXhtqj7sKjQ/XAkkEflxypUXdaUsOvSPocBiV/qbgBvvx1oQo/cy5D7y8Zs3v1yUJcFnjkbigc+XsLuIBFZ6Om+STROSgLoAyFrOzwsQaAfgC/XDhR9p9aQ+62YYqShZhXyi/4obYgj6mMtIsBHByL0XlwL0OeEvMiMzcvrQvL1As3M9asI47YUC/vzjMINdJTycFPnENyazdrfrdRYIj2DmYRrqTSkWAbnPK2hAtArI1QZeu/nJzuQqoHnb5RvsyOa2HGHckYQisqycuNF7+RzQG77s5/97HKkwsmlQG7i7HFXP0CnV3ldsofysJTg2rpHUquVMuhL+s0sghEggQpifOK09kcgR3wPeGHtCGSafIeG624lMZs4PsNPx2RLBFiyyL9WktdZKDnY/goG0TvkNaNpfMIIJqYHo5bB/ZlW/ISCVA1iYrMkadg1INJ6QjHWQM8AZDsPm4ib04sfLwtvSrvwoVH3tSw9teUuWu5MTZWL8niAityeLJ88PBkgCHALPMTAhZxZDdUfh1hO6gEgykem+CMy2AGWU9WdY3c9rsXn0cu2zDerpDJuatRRPFyGdgTQtn38aAoukOpwhcgKmvw+266CAXYAharhDu5benASIPg9yGXwKJAc3q+v94T8jbMaR2Yzj9HAxl9VaK6LywcQ72eg7XYgWXNqXa6XOTuZve93hDSWVSQJiJuNfFKZJQ7B9OeDif6MlvwIZm+jeR2behRUXHviKOn+HxkEy4ssfMrxWZ4gdQgBujLgTfDRDexniREwk3FE/gxz/OWBPxB9ppMMsJd7sL8XyIdTB2L6Sl7pbvCyRj9oLS4pzw7owgBaIviOKcEqigxi2Rjq2Pfv1XDYjQA1dYxOslBT/3d2RNGash4Z5zmvnbYa2USVUt8JM6Xu3T9CJWDRPzrY/bmRCXltINrOLYcj37y0mPNWIqiv4mzfKlEHPMzQe4zf19RvATHdTibHIKhrpAFy3lRMah14KEekgb4wgbugAwIBF6KBswSBsALGCYV/vplJCbWiPs/orueNPXw01qspg5EK9O3FSDlOJv5HAm5ImlxUdC92jk2k5/nKZa8hKxoc6hzSf29GujHzOGGztK4i4RVeWW8sWdOauDTaeUYLB0DmpEBE2WQC4K51jnFc9XsliWL44ZGIJkx0/LzKld42+xQRwjJ10kLSgreyOArpqb317L8MV2G30O7xazrJ3yaQkyZJTPToFTDMIENo/WsD48fSuNuexGxo

HTTP/1.1 401 No AutorizadoServer: Apache-Coyote/1.1WWW-Authenticate: Negotiate oXQwcqADCgEBoQsGCSqGSIL3EgECAqJeBFxgWgYJKoZIhvcSAQICAwB+SzBJoAMCAQWhAwIBHqQRGA8yMDExMDIwNzEzMjIwNVqlBQIDBo8GpgMCASmpCBsGR01WLkVTqhQwEqADAgEBoQswCRsHUENNUFRDJA==Connection: keep-aliveTransfer-Encoding: chunkedDate: Mon, 07 Feb 2011 13:22:05 GMT

GET /waffle-filter/ HTTP/1.1Accept: */*Accept-Language: esUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Accept-Encoding: gzip, deflateHost: pcmptc:8081Connection: Keep-AliveAuthorization: Negotiate oYIFTzCCBUuiggVHBIIFQ2CCBT8GCSqGSIb3EgECAgEAboIFLjCCBSqgAwIBBaEDAgEOogcDBQAgAAAAo4IEUmGCBE4wggRKoAMCAQWhCBsGR01WLkVToiAwHqADAgECoRcwFRsESFRUUBsNcGNtcHRjLmdtdi5lc6OCBBUwggQRoAMCARehAwIBE6KCBAMEggP/bPoYdQZ+iNpCo5achxWzDFORMIfLoFcPLZuQcHxvTN8uw6yiOnAjYJp89FOFXaDxEbuIuT2Eh2vCg3K6rWsvUQtLJ0Lia4rTOme0b6R0+Sppho1bQJvYnMozwmZQqkdVmc55apu2UCje+vViA2AbKSBDvqvulqfmiRa7Cy3Z0jJUo1FyBaPVU71W9ZA0SS+TXrginvlrGoZhrsi/+q9XVpe9bJugRHohjIxslumimn+iKCjkDGG+XTuCGBCGQOzzFFOY5E9tOuZeb/XanADxHTkiJftupLyKSt3HmS6Q3JzseaHTN9FTkLxltMJYASSM7truTRD7iRiTcqLvjurv1SCaTEA7PtqA/aRYfgZuJjnOS28WwnO4k66dfyeAhYu5GqHmg7/R6MRK+UaTUGROCUQfyf/g4XZiKRotj6LXAbVfObMZGZZxsX2kCsP3Ckg3f9NfWRGrzHRZy/uJ4KHAiJvwxnrdoTGMoVtL+9/lal+e0wU1+V4aSOrZeDK/gSQoock7udEvnnIy7tJUYuezvXYP/vvZfoTT9C9wwTJ6piRmByAmgDnOcUbsCIW5cnbr0TU76+PzPoyO0TbYDLQ3eVOYMaTpZlFvzXVncWltzTeCCvTFa4g4+x0FV9QIjXtDAzGWvc0pe1irwqxgFoIvL8kJTl8VZqIdpKB7tmaEISJXloMghUuNUGSVV7ulORDaZPuCxC9vOGI0sKT2hSzsVdKkqTvP8LDGP5kBTdattloRMIA4w2xXGPNWgv5c8eKUZ/0tdjO8OBj97KJ3lSIp0xpUJp9MpyDJzmJ/JHvOvj+q3WlSQaVzpxA3GDK/RrnzovpxMJtAO3tH9Be5cOFatO8RWQXf7p7OLtQoff7HRyaP7DH44tU1RNXojZrm20oV4GP9NFl4FVbqAmudnJU9rvyJxffzyKO8fdsqEN2VpsRWwhkm99XKO9onap5Zi60IelI8QZ8pQet102l5DaJWYc1k45Kz3T10dR37Qsg/OUObQLSNaXfyPCacSWfslisl3mfvRxL9Wkv9pwHqy/0ecyZA1XxmK7LCY+DxsnvtoJpmi0sjfFiQHv2iS1dsSc9WCLl9eqL3+NIz3cjZQbF2Z4c8n1ehwS6659kObadIU4MqwrRnbal3ZsoHA80+HLFmutxpCwvG+DdUf8EPvM/C+jQGtqcEuzorJ12Z2XfOSducEFrLLzmbiKgZEieim+PcuHnT4TggvMxc+LGO5WyFzAbpRTLZPl67IfKC66wf0P+PjiGMtND3WQ0AAonqH8Lemqe17Uf3RP2aoi4cccC2jTNQTNNo1pZ1VjJj4011kFd/a3U4v+Z60167fsixzPfDYRsldORT/8OSKYa5KgsGpIG+MIG7oAMCAReigbMEgbC8CZvWFKjKYlSl6CNXnsntXdYG0dn/BLzonFm2tv06k8rpbmX/VJskso/Qfii5u8pAEJNFUcR7L7bTwGWT4Ss73gw66jDw845KQDy/xaiLSSmTGCxmxABU/MAMuP1zA71MHrow/XcOyQyzYT4b28P86pMwMxB/Hk0HD7RMZEg7ylsUMR3Xh6rblmeRDuym81nLZUg/vD8XqEyhLc+uxAM689kSfagTAti9mxFUUzz/Qg==

HTTP/1.1 401 No AutorizadoServer: Apache-Coyote/1.1WWW-Authenticate: Negotiate oWcwZaADCgEBol4EXGBaBgkqhkiG9xIBAgIDAH5LMEmgAwIBBaEDAgEepBEYDzIwMTEwMjA3MTMyMjA1WqUFAgMGy/6mAwIBKakIGwZHTVYuRVOqFDASoAMCAQGhCzAJGwdQQ01QVEMkConnection: keep-aliveTransfer-Encoding: chunkedDate: Mon, 07 Feb 2011 13:22:05 GMT

Here is the header log for IExplorer with Integrated Windows Authentication NOT checked (correct login):

GET /waffle-filter/ HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*Accept-Language: esUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Accept-Encoding: gzip, deflateHost: pcmptc:8081Connection: Keep-Alive

HTTP/1.1 401 No AutorizadoServer: Apache-Coyote/1.1WWW-Authenticate: Basic realm="WaffleFilterDemo"WWW-Authenticate: NegotiateWWW-Authenticate: NTLMConnection: keep-aliveContent-Type: text/html;charset=utf-8Content-Length: 969Date: Mon, 07 Feb 2011 13:30:20 GMT

GET /waffle-filter/ HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*Accept-Language: esUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Accept-Encoding: gzip, deflateHost: pcmptc:8081Connection: Keep-AliveAuthorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw==

HTTP/1.1 401 No AutorizadoServer: Apache-Coyote/1.1WWW-Authenticate: NTLM TlRMTVNTUAACAAAAEAAQADgAAAAFgomix0LPKnMmoFoAAAAAAAAAAGYAZgBIAAAABQEoCgAAAA9HAFIAVQBQAE8ARwBNAFYAAgAQAEcAUgBVAFAATwBHAE0AVgABAAwAUABDAE0AUABUAEMABAAMAGcAbQB2AC4AZQBzAAMAGgBwAGMAbQBwAHQAYwAuAGcAbQB2AC4AZQBzAAUADABnAG0AdgAuAGUAcwAAAAAAConnection: keep-aliveTransfer-Encoding: chunkedDate: Mon, 07 Feb 2011 13:30:20 GMT

GET /waffle-filter/ HTTP/1.1Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*Accept-Language: esUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Accept-Encoding: gzip, deflateHost: pcmptc:8081Connection: Keep-AliveAuthorization: NTLM TlRMTVNTUAADAAAAGAAYAI4AAAAYABgApgAAABAAEABIAAAAIAAgAFgAAAAWABYAeAAAAAAAAAC+AAAABYKIogUBKAoAAAAPRwBSAFUAUABPAEcATQBWAG8AcABlAHIAYQBkAG8AcgBfAHMAZwBpAF8AYgBvAGMAUABPAFIAUwBHAEkAQgBPAEMAMAAzAIgYSFZUp27CAAAAAAAAAAAAAAAAAAAAALehuZY9cl+62iqvv7ovWhZo8y9dGro5+w==HTTP/1.1 200 OKServer: Apache-Coyote/1.1Set-Cookie: JSESSIONID=8BF97CCE39D97703B4D5F18B575C36F7; Path=/waffle-filterContent-Type: text/htmlContent-Length: 1528Date: Mon, 07 Feb 2011 13:30:20 GMT

GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)Host: pcmptc:8081Connection: Keep-Alive

HTTP/1.1 200 OKServer: Apache-Coyote/1.1Accept-Ranges: bytesETag: W/"21630-1294678410000"Last-Modified: Mon, 10 Jan 2011 16:53:30 GMTContent-Length: 21630Date: Mon, 07 Feb 2011 13:30:20 GMT

Coordinator
Feb 7, 2011 at 5:16 PM

The first one does Kerberos, the second NTLM. So looks like Kerberos isn't working. Read those troubleshooting negotiate articles (your SPN is probably wrong).