Remote user "null"

Jul 12, 2011 at 12:34 PM

Hello forum, esp. dblock,

My problem is a bit strange: it seems that the authentication via Negotiate and also via NTLM works perfectly, but in the examples the remote user is always "null".

Can anyone give me a hint?

Regards

Christian

Coordinator
Jul 12, 2011 at 3:23 PM

I've never seen this - you will need the logs, at least, and then some debugging. Waffle is getting the SID of the user no matter what, so even if it fails to resolve a username, it would keep the SID. Post the debug log output here.

Jul 13, 2011 at 12:29 PM
Edited Jul 13, 2011 at 2:57 PM

What I try to do is to integrate WAFFLE into a Confluence installation, which uses Velocity instead of JSPs. Maybe this is sth. which will not work.
In the logs it says, that the user is logged in (although it is the local user, who started the server?!).

I guess one big problem is, that there are several things mixed up in the installation... (I also found some seraph-authentication-config-lines? in
the web.xml).

The lines from the log are:

13.07.2011 09:55:19 org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8090
13.07.2011 09:55:20 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 23502 ms
13.07.2011 09:55:22 org.apache.catalina.core.StandardService start
INFO: Starting service Tomcat-Standalone
13.07.2011 09:55:22 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.14
13.07.2011 09:55:46 waffle.apache.MixedAuthenticator start
INFO: [waffle.apache.MixedAuthenticator] started

And

13.07.2011 11:14:33 waffle.apache.MixedAuthenticator negotiate
INFO: successfully logged in user: TOMCAT\Administrator

Where TOMCAT\Administrator is the user who starts the service, but not the remote user...

I know it is hard to say sth. on these issues, when you don't know the system, so any tip for further debugging or other insights/links are very very welcome...

(I am a bit between confused and frustrated at the moment...)

 

Regards

Christian

 

[EDIT]

The "null" error is corrected now. It was the additional seraph authenticator which needed to be eliminated... But still it shows the local user of the server, but not the remote user?! Any thoughts?

Coordinator
Jul 13, 2011 at 3:19 PM

I am going to guess that there was no proper challenge-response here. Post the client/server HTTP conversation (IEHttpHeaders should do it) next.

Jul 13, 2011 at 3:30 PM

Hm. Maybe the sequence of authenticators?

 

GET /SSO-Samples/waffle-filter/index.jsp HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: de-CH
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C)
Accept-Encoding: gzip, deflate
Host: dev.intranet.com:8090
Connection: Keep-Alive
Cookie: country="IT"; _pk_id.1.5754=aca9ea31b4379419.1310049479.21.1310565115.1310560777; _pk_ses.1.5754=*; L=D

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="WaffleFilterDemo"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: keep-alive
WWW-Authenticate: OAuth realm="http%3A%2F%2Fdev.intranet.com"
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 13 Jul 2011 13:53:39 GMT

GET /SSO-Samples/waffle-filter/index.jsp HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: de-CH
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C)
Accept-Encoding: gzip, deflate
Host: dev.intranet.com:8090
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
Cookie: country="IT"; _pk_id.1.5754=aca9ea31b4379419.1310049479.21.1310565115.1310560777; _pk_ses.1.5754=*; L=D

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAADAAMADgAAAAVgonibMM7oQh7Vx0AAAAAAAAAAIAAgABEAAAABQLODgAAAA9OAEEATQBJAEMAUwACAAwATgBBAE0ASQBDAFMAAQAMAEQATwBUAE4ARQBUAAQAFgBuAGEAbQBpAGMAcwAuAGgAbwBtAGUAAwAkAGQAbwB0AG4AZQB0AC4AbgBhAG0AaQBjAHMALgBoAG8AbQBlAAUAFgBuAGEAbQBpAGMAcwAuAGgAbwBtAGUAAAAAAA==
Connection: keep-alive
WWW-Authenticate: OAuth realm="http%3A%2F%2Fdev.intranet.com"
Transfer-Encoding: chunked
Date: Wed, 13 Jul 2011 13:53:43 GMT

GET /SSO-Samples/waffle-filter/index.jsp HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: de-CH
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C)
Accept-Encoding: gzip, deflate
Host: dev.intranet.com:8090
Connection: Keep-Alive
Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAI4AAAA8ATwBpgAAAAwADABYAAAAGgAaAGQAAAAQABAAfgAAABAAEADiAQAAFYKI4gYBsR0AAAAPjEOPnsGlyXH0WCW8y+q0m0QATwBUAE4ARQBUAEEAZABtAGkAbgBpAHMAdAByAGEAdABvAHIAQwBDAFIAUwBDAEgAMAAxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGANd8f5KcdKpC6aWQkZ2o0BAQAAAAAAAL7HUEdkQcwBsiV2pG603rwAAAAAAgAMAE4AQQBNAEkAQwBTAAEADABEAE8AVABOAEUAVAAEABYAbgBhAG0AaQBjAHMALgBoAG8AbQBlAAMAJABkAG8AdABuAGUAdAAuAG4AYQBtAGkAYwBzAC4AaABvAG0AZQAFABYAbgBhAG0AaQBjAHMALgBoAG8AbQBlAAgAMAAwAAAAAAAAAAAAAAAAMAAApZRtM6dDXL2sLVsuvKIwgi7crGIoHbbi4+zCJT5v5DkGAAQABAAAAAoAEAAAAAAAAAAAAAAAAAAAAAAACQA4AEgAVABUAFAALwBkAG8AdABuAGUAdAAuAHMAZwAuAGMAaAAuAG4AYQBtAGkAYwBzAC4AYwBvAG0AAAAAAAAAAAAAJl5jL5rgxFbQaBk9+og2
Cookie: country="IT"; _pk_id.1.5754=aca9ea31b4379419.1310049479.21.1310565115.1310560777; _pk_ses.1.5754=*; L=D

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=1F61E0C1FBFFC30E6EBF4FB600752F99; Path=/
Content-Encoding: gzip
Vary: User-Agent
Content-Type: text/html
Content-Length: 4339
Date: Wed, 13 Jul 2011 13:53:43 GMT

Coordinator
Jul 13, 2011 at 3:40 PM

Possibly. It does look like there was some Negotiate exchange, but it might not have completed. Let's split the client/server problem.

  1. Start by trying the waffle demos, which are known to work - can you get the correct logon with any of them?
  2. Once (1) works well, compare the HTTP exchange between the two; we'll get a clue of what's different and whether, for example, the OAuth authenticator is doing something funny.

I've never heard of anyone getting Confluence/JIRA/etc. to integrate with Waffle. In theory this should just work and it would certainly be useful to many people. It's a small challenge :)

Jul 13, 2011 at 4:02 PM
Edited Jul 13, 2011 at 4:13 PM

I am working with the examples... Hm. I have my FF not configured for SSO, but when I put my credentials there, they are displayed correctly.
Only my IE seems to log on with wrong credentials. Is it possible that they are saved anywhere? (because I tried to log in with them some time
ago) I just deleted the full browser history. Didn't help. What else? Hm, just deleted the corresponding Windows credentials from the local vault... Will
reboot now and try again...

[EDIT]

It works now! Wonderful. Thanks for being here. If I also find a solution for the permissions in Confluence, I'll do a posting for the rest of the
world...

Coordinator
Jul 13, 2011 at 4:12 PM

Wait, so what was the problem exactly? You had something saved in the Windows credentials vault?

Jul 14, 2011 at 7:28 AM

Yes, I think so. In my early tests I tried to log in as that user when the pop-up came and clicked on "save credentials".
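Added example, not part of the original thread and not Waffle code: the third request in the HTTP conversation above carries an NTLM type 3 message, whose domain, user and workstation fields are readable without any keys. The Python below decodes an Authorization header value to show which account the browser actually presented, which is the check that exposes saved credentials being sent; the function names and the sample values (EXAMPLE, alice, WKSTN01) are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # flag bit: strings are UTF-16LE

def _field(msg, pos):
    """Read a security buffer (len, maxlen, offset) at pos and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def decode_authorization(header_value):
    """Decode 'Negotiate <b64>' or 'NTLM <b64>' and report what the client sent."""
    scheme, _, token = header_value.strip().partition(" ")
    raw = base64.b64decode(token.strip(), validate=True)
    if not raw.startswith(SIGNATURE):
        # SPNEGO/Kerberos tokens are ASN.1 encoded, not raw NTLMSSP
        return {"scheme": scheme, "kind": "not raw NTLM (SPNEGO/Kerberos?)"}
    (msg_type,) = struct.unpack_from("<I", raw, 8)
    info = {"scheme": scheme, "kind": "NTLM", "type": msg_type}
    if msg_type == 3 and len(raw) >= 64:
        (flags,) = struct.unpack_from("<I", raw, 60)
        # OEM code page varies by system; cp437 is an assumption here
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
        info["domain"] = _field(raw, 28).decode(enc)
        info["user"] = _field(raw, 36).decode(enc)
        info["workstation"] = _field(raw, 44).decode(enc)
    return info

def build_sample_type3(domain, user, workstation):
    """Constructed AUTHENTICATE message with empty responses, for the demo only."""
    parts = [s.encode("utf-16-le") for s in (domain, user, workstation)]
    offset, fields = 64, b""
    empty = struct.pack("<HHI", 0, 0, offset)  # LM and NT responses left empty
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), offset)
        offset += len(p)
    header = SIGNATURE + struct.pack("<I", 3) + empty + empty + fields
    header += struct.pack("<HHI", 0, 0, offset) + struct.pack("<I", NEGOTIATE_UNICODE)
    return "Negotiate " + base64.b64encode(header + b"".join(parts)).decode()

if __name__ == "__main__":
    sample = build_sample_type3("EXAMPLE", "alice", "WKSTN01")  # constructed values
    print(decode_authorization(sample))
```

Passing the value of the Authorization header from a captured third request to decode_authorization shows the account name the client sent, which can then be compared with the user the server logs.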

Aug 13, 2011 at 8:00 AM

Hi Christian Schroed,

Can you please detail/document how you did this with Atlassian Confluence? I am also trying to get Confluence to work with Waffle. Thanks a lot.

Regards,
Lee

Aug 15, 2011 at 7:39 AM

Hi zionyx,

I took the configuration files, removed every line of the seraph authenticator and put in the lines from the Waffle examples. Then it worked, but I still had a problem with
the authenticated name, because it seems that Confluence did not understand the \\ so I manipulated the Waffle files to use only the second part of the login, e.g.
(BLA\\crschroeder -> crschroeder). I will start to work on this issue today again. I am now working on the problem that there is an IIS in front of the Tomcat, which will not
send the credentials to Tomcat to authenticate (it is not a Waffle problem, but an IIS configuration problem, but maybe someone has a hint).

Best wishes

Christian

PS: When you're in need of more information, just post...

Coordinator
Aug 15, 2011 at 12:45 PM

If you have an IIS in front, you may need to terminate Negotiate on it. This is because the IIS worker process needs to be running as the remote user; there's no proxying of credentials. Depending on how you make the request from IIS -> Tomcat you'll get the creds. But now with Waffle you don't need IIS, so I would spend my energy on removing it.

Aug 16, 2011 at 2:52 PM
Edited Aug 16, 2011 at 2:53 PM

Thanks a lot, Christian. I'll give it a shot and see how it goes.
Also many thanks to the Waffle team for this cool solution.