Logon failed 401

May 31, 2011 at 5:51 PM

Here is a summary of my login issues.

1. In all cases, Firefox will log me on successfully.

2. In IE, I can always log on when Tomcat is running as a service under local system.

3. In IE, when Tomcat is running as a service under a domain user account, I can only log in when I change the Waffle configuration to use NTLM first.

The error I get when using a default Waffle configuration (attempts to use Negotiate first, then NTLM), and Tomcat running as domain user account:

- IE prompts me for credentials and I get the following log repeatedly (once per login attempt):

13:24:03,857  INFO NegotiateSecurityFilter:? - GET mysite.html, contentlength: -1
13:24:03,857  INFO NegotiateSecurityFilterProvider:? - security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:50772
13:24:03,857  INFO NegotiateSecurityFilterProvider:? - token buffer: 40 byte(s)
13:24:03,857  INFO NegotiateSecurityFilterProvider:? - continue token: sometokenwashere...=
13:24:03,857  INFO NegotiateSecurityFilterProvider:? - continue required: true
13:24:03,857  INFO NegotiateSecurityFilter:? - GET mysite.html, contentlength: -1
13:24:03,857  INFO NegotiateSecurityFilterProvider:? - security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:50772
13:24:03,857  INFO NegotiateSecurityFilterProvider:? - token buffer: 190 byte(s)
13:24:03,857  WARN NegotiateSecurityFilter:? - error logging in user: The logon attempt failed

 

I did not think that this issue fit under a previous SPN FAQ because Kerberos is not on my system. The SPN issue as mentioned dealt with Kerberos. I'm also afraid of changing the SPN unless absolutely necessary given it deals with AD. I've read through the .chm file for the Spring Security Negotiate filter (the one I'm using) as well as FAQs, but perhaps I misunderstood information.

Coordinator
May 31, 2011 at 8:07 PM

I think this is an SPN problem. The logon fails because it isn't matching the server name; think of this as a key used somewhere in Kerberos: if they don't match, decryption fails. Of course, you could enable Kerberos logging and try to get something better out of it than a guess.

Troubleshooting Kerberos
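
One way to check which mechanism a browser actually placed in the Authorization header when Negotiate is tried before NTLM, as discussed in this thread. This is an added example, not part of the thread and not Waffle code; the function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# DER-encoded mechanism OIDs (tag 0x06, length, value bytes).
OID_SPNEGO = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
MECHS = [
    ("Kerberos", bytes.fromhex("06092a864886f712010202")),           # 1.2.840.113554.1.2.2
    ("Kerberos (MS OID)", bytes.fromhex("06092a864882f712010202")),  # 1.2.840.48018.1.2.2
    ("NTLM", bytes.fromhex("060a2b06010401823702020a")),             # 1.3.6.1.4.1.311.2.2.10
]

def classify(header_value):
    """Describe which mechanism an Authorization header value carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return "not a Negotiate/NTLM header"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid base64"
    if token.startswith(NTLM_SIG) and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        return "raw NTLM " + NTLM_TYPES.get(msg_type, "unknown type")
    if token[:1] == b"\x60":  # GSS-API initial context token
        head = token[:16]
        if OID_SPNEGO in head:
            # Heuristic: byte search for mech OIDs, reported in offer order.
            found = sorted((token.find(oid), name) for name, oid in MECHS if oid in token)
            return "SPNEGO offering " + (", ".join(n for _, n in found) or "no known mechanism")
        if MECHS[0][1] in head:
            return "raw Kerberos token"
    if token[:1] == b"\xa1":
        return "SPNEGO continuation (NegTokenResp)"
    return "unrecognised token"

def _der(tag, body):
    """Minimal DER wrapper for the constructed sample (bodies under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed inputs, not tokens from the thread."""
    ntlm1 = NTLM_SIG + struct.pack("<I", 1) + bytes(28)  # 40-byte type 1 message
    mech_list = MECHS[1][1] + MECHS[0][1] + MECHS[2][1]
    spnego = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, mech_list)))))
    return ["Negotiate " + base64.b64encode(t).decode() for t in (ntlm1, spnego)]

if __name__ == "__main__":
    for h in sample_headers():
        print(classify(h))
```

Feed it the header value captured from the failing IE request; a result of "raw NTLM" means no Kerberos ticket was sent in that request.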