waffle-filter demo negotiate failing

Apr 21, 2011 at 12:51 AM

When I hit the waffle-filter demo from the localhost using http://localhost:8080/waffle-filter all works well.  When I try it from a different system using the domain name of the host negotiate fails.  I've tried disabling negotiate and using only NTLM which works.  Below is the ieHTTPHeaders output from a single failed request to waffle-filter with Negotiate enabled.  Any suggestions or help would be tremendously appreciated.

Thank you in advance.

James Courtney


GET /waffle-filter/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: dev-james.teneo-test.local:8080
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="WaffleFilterDemo"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: keep-alive
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 20 Apr 2011 23:45:18 GMT

GET /waffle-filter/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: dev-james.teneo-test.local:8080
Connection: Keep-Alive
Authorization: Negotiate ...

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDExMDQyMDIzNDUxOFqlBQIDC9ePpgMCASmpEhsQVEVORU8tVEVTVC5MT0NBTKoVMBOgAwIBAaEMMAobCEVzYWFkbWlu
Connection: keep-alive
Transfer-Encoding: chunked
Date: Wed, 20 Apr 2011 23:45:18 GMT

GET /waffle-filter/ HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: dev-james.teneo-test.local:8080
Connection: Keep-Alive
Authorization: Negotiate ...

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oXIwcKADCgEBomkEZ2BlBgkqhkiG9xIBAgIDAH5WMFSgAwIBBaEDAgEepBEYDzIwMTEwNDIwMjM0NTE4WqUFAgML14+mAwIBKakSGxBURU5FTy1URVNULkxPQ0FMqhUwE6ADAgEBoQwwChsIRXNhYWRtaW4=
Connection: keep-alive
Transfer-Encoding: chunked
Date: Wed, 20 Apr 2011 23:45:18 GMT

Apr 21, 2011 at 12:54 AM

FWIW, the Tomcat output for the negotiation was as follows (using Tomcat 6.0.32).


Apr 20, 2011 4:54:33 PM waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /waffle-filter/, contentlength: -1
Apr 20, 2011 4:54:33 PM waffle.servlet.NegotiateSecurityFilter doFilter
INFO: authorization required
Apr 20, 2011 4:54:33 PM waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /waffle-filter/, contentlength: -1
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 192.168.222.101:4717
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 1298 byte(s)
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDExMDQyMDIzNTQzM1qlBQIDCRiNpgMCASmpEhsQVEVORU8tVEVTVC5MT0NBTKoVMBOgAwIBAaEMMAobCEVzYWFkbWlu
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: true
Apr 20, 2011 4:54:33 PM waffle.servlet.NegotiateSecurityFilter doFilter
INFO: GET /waffle-filter/, contentlength: -1
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: security package: Negotiate, connection id: 192.168.222.101:4717
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: token buffer: 1248 byte(s)
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue token: oXIwcKADCgEBomkEZ2BlBgkqhkiG9xIBAgIDAH5WMFSgAwIBBaEDAgEepBEYDzIwMTEwNDIwMjM1NDMzWqUFAgMJVX2mAwIBKakSGxBURU5FTy1URVNULkxPQ0FMqhUwE6ADAgEBoQwwChsIRXNhYWRtaW4=
Apr 20, 2011 4:54:33 PM waffle.servlet.spi.NegotiateSecurityFilterProvider doFilter
INFO: continue required: true

Coordinator
Apr 23, 2011 at 11:02 PM

The authentication terminates on the client. You probably have a Kerberos setup problem, such as a missing SPN.

These should help, but don't expect it to be easy. Post what you find here.

Troubleshooting Kerberos

Troubleshooting NTLM
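The capture above already points at the cause once the server's challenge is decoded instead of read as opaque base64. The Python below is an added example, not part of this thread or of Waffle: it walks the DER of the first WWW-Authenticate: Negotiate challenge quoted above (a SPNEGO NegTokenResp wrapping a GSS-API Kerberos token) and extracts the KRB-ERROR inside it, which for this capture is error code 41, KRB_AP_ERR_MODIFIED, realm TENEO-TEST.LOCAL, service name Esaadmin: the usual signature of a service ticket the acceptor cannot decrypt because the SPN is mapped to a different account than the one the service runs as. The decoder assumes definite-length DER and reads only the fields it needs; anything else in the token is skipped.

```python
import base64
# Server challenge copied from the first 401 response quoted in the thread (the oX8w... token).
SERVER_CHALLENGE = (
    "oX8wfaADCgEBoQsGCSqGSIL3EgECAqJpBGdgZQYJKoZIhvcSAQICAwB+VjBUoAMCAQWhAwIBHqQRGA8yMDExMDQyMDIz"
    "NDUxOFqlBQIDC9ePpgMCASmpEhsQVEVORU8tVEVTVC5MT0NBTKoVMBOgAwIBAaEMMAobCEVzYWFkbWlu"
)
KRB_ERRORS = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 31: "KRB_AP_ERR_BAD_INTEGRITY", 41: "KRB_AP_ERR_MODIFIED"}  # RFC 4120 7.5.9

def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # yield (tag, value) for each TLV directly inside a constructed value
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def decode_krb_error(buf):
    """Extract error-code, realm and sname from a KRB-ERROR ([APPLICATION 30] SEQUENCE)."""
    info = {}
    for tag, value in children(read_tlv(read_tlv(buf)[1])[1]):
        inner = read_tlv(value)[1]  # strip the context tag to reach the primitive inside
        if tag == 0xA6:  # [6] error-code INTEGER
            info["error_code"] = int.from_bytes(inner, "big")
            info["error_name"] = KRB_ERRORS.get(info["error_code"], "unknown")
        elif tag == 0xA9:  # [9] realm
            info["realm"] = inner.decode()
        elif tag == 0xAA:  # [10] sname PrincipalName: [0] name-type, [1] SEQUENCE OF name-string
            names = read_tlv(dict(children(inner))[0xA1])[1]
            info["sname"] = "/".join(v.decode() for _, v in children(names))
    return info

def decode_neg_token_resp(b64):
    """Decode a SPNEGO NegTokenResp ([1] SEQUENCE) and return any Kerberos error it carries."""
    tag, body, _ = read_tlv(base64.b64decode(b64))
    if tag != 0xA1:
        raise ValueError("not a NegTokenResp (expected context tag [1])")
    out = {}
    for tag, value in children(read_tlv(body)[1]):
        if tag == 0xA2:  # [2] responseToken: GSS-API InitialContextToken (RFC 2743 section 3.1)
            inner = read_tlv(read_tlv(value)[1])[1]  # OCTET STRING -> [APPLICATION 0] body
            _, _, pos = read_tlv(inner)  # skip the mechanism OID; the next two bytes are TOK_ID
            if inner[pos:pos + 2] == b"\x03\x00":  # KRB_ERROR: the acceptor rejected the AP-REQ
                out.update(decode_krb_error(inner[pos + 2:]))
    return out
```

The second challenge in the capture and the two "continue token" lines in the Tomcat log decode to the same error, so the same script can be pointed at any of them.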

May 13, 2011 at 10:39 PM

Okay, I finally had time to come back to this :)

Yep, it was an SPN issue. I needed to create an SPN for the user under which Tomcat was running:

> setspn -A HTTP/<server-fqdn> <user_tomcat_running_under>

What would be the behavior if I were to run Tomcat NOT under a domain user account (like local Administrator or local System) and thus not under an account for which an SPN could be published to the Active Directory?

My SPN savvy is minimal, as is probably made apparent by my fumbling and preceding question(s) :)

Thanks!

James Courtney

Coordinator
Jan 26, 2012 at 8:50 PM

When you run as local system you act on behalf of the machine with Active Directory. So you do need an SPN, but for the machine account. I am guessing a bit here; it would be nice if someone could confirm that it actually works.