NegotiateAuthenticator works only for FF, not for IE

Jul 13, 2011 at 2:37 PM

Dear all,

I have set up waffle with the following in my context.xml:

<Context>
  <Valve className="waffle.apache.NegotiateAuthenticator" />
  <Realm className="waffle.apache.WindowsRealm" />
</Context>

On request to my Site, the server sends a 401 Response with

WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

If I try this with Firefox, it sends the next request with NTLM information, gets authenticated, everything's fine.
With IE however, it tries to send the next request with Negotiate information and the server responds with 400 - Bad request

I am not sure where to look for the error here, whether it's my IE config or my waffle setup which messes things up.

Any help on this would be appreciated

Coordinator
Jul 13, 2011 at 2:41 PM

Start by Troubleshooting Negotiate. It will have the next steps.

Jul 13, 2011 at 2:54 PM

Already did so, didn't help. But meanwhile, I found the solution. It's in the very last FAQ entry, which I must have overlooked before (the one with the too big Kerberos ticket). I increased the maxHttpHeaderSize, now it works great.

Thanks for the fast reply anyway (and sorry for the request in the first place, since it was once more just a case of RTFM)

Coordinator
Jul 13, 2011 at 2:57 PM

No problem. These issues are completely illogical :) Btw, do me a favor, do you also get an error from waffle when this happens (in server-side logs)?

Jul 14, 2011 at 6:06 AM

I checked. There aren't any messages except the ones where I successfully authenticated myself with Firefox.

My guess would be since the request is 'malformed' anyway, Tomcat doesn't try to authenticate but just sends the error message back to the browser, the Valve won't be activated/called at all. But that's only speculation ;)
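
Added example (not part of the thread and not Waffle or Tomcat code): a small Python check that measures a captured request's header block against a maxHttpHeaderSize limit and tells an NTLM token from a SPNEGO/Kerberos one, which is the difference between the Firefox and IE requests described above. The 8192-byte default, the host name and both sample tokens are assumptions constructed for the illustration.

```python
import base64

# Assumption: 8192 bytes is Tomcat's documented default for maxHttpHeaderSize;
# check the Connector element in your own server.xml.
DEFAULT_MAX_HTTP_HEADER_SIZE = 8192

def token_kind(token: bytes) -> str:
    """Classify the decoded token carried in an Authorization header."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if token[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API/SPNEGO initial token
        return "SPNEGO/Kerberos"
    return "unknown"

def check_request(raw: bytes, limit: int = DEFAULT_MAX_HTTP_HEADER_SIZE) -> dict:
    """Measure request line + headers and inspect the Authorization token."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    header_bytes = len(head) + 4  # count the terminating blank line too
    result = {"header_bytes": header_bytes, "scheme": None, "kind": None,
              "token_bytes": 0, "over_limit": header_bytes > limit}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, b64 = value.strip().partition(b" ")
            token = base64.b64decode(b64)
            result.update(scheme=scheme.decode(), kind=token_kind(token),
                          token_bytes=len(token))
    return result

def build_request(scheme: str, token: bytes) -> bytes:
    """Constructed sample request; host and path are placeholders."""
    return (b"GET /app/ HTTP/1.1\r\nHost: intranet.example\r\n"
            b"Authorization: " + scheme.encode() + b" "
            + base64.b64encode(token) + b"\r\n\r\n")

# Constructed tokens: only the leading bytes are realistic, the rest is padding.
NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28
BIG_KERBEROS = b"\x60\x82" + b"\x00" * 9000  # stands in for an oversized ticket

if __name__ == "__main__":
    for label, req in (("Firefox-like", build_request("NTLM", NTLM_TYPE1)),
                       ("IE-like", build_request("Negotiate", BIG_KERBEROS))):
        print(label, check_request(req))
```

Running the same check with `limit` set to the raised maxHttpHeaderSize value shows whether the larger Negotiate request now fits.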