401 Unauthorized message on SSL transport and "Internet Explorer cannot display the webpage"

Aug 3, 2011 at 4:09 PM

Our implementation requires that our JBoss servers are fronted with Apache running SSL, mod_rewrite, mod_proxy and mod_security.

We have successfully tested our scenario: we are able to access the Java apps going through Apache via SSL, Waffle is able to access the user SPN, and we can see the Kerberos negotiation going across the wire. All of this works when our client desktop is Windows XP.

However, we are noticing that when we use Windows 7 and connect using SSL we get “Internet Explorer cannot display the webpage”. As a test we reconfigured and turned off the extra modules (SSL, mod_rewrite, mod_proxy and mod_security). It turns out that mod_ssl may be the issue. So just for grins we allowed Apache to accept HTTP (NOT SSL) requests, and if we hit the web app on HTTP all works, but it will not work when we go over HTTPS, and we get HTTP/1.0 401 Unauthorized.

Why would we have a different behavior between XP and Win 7? I am confused by the fact that it looks like the communication is either lost or refused. Does anyone know how we can resolve it? See the HTTPHeaders below; we tested three scenarios.

Thanks in advance,

Max

 

HTTPHeaders dump from Windows 7, IE 8 going through Apache to access JBoss (Final response 401 Unauthorized)




 

HTTPHeaders dump from XP, IE 8 going through Apache to access JBoss (Final response 200 OK)

 

	GET /SSO/servlet/MyTest HTTP/1.1
	Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
	Accept-Language: en-us,zh-TW;q=0.5
	User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov
	Connection: Keep-Alive

	HTTP/1.0 401 Unauthorized
	Date: Wed, 03 Aug 2011 11:45:36 GMT
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate
	WWW-Authenticate: NTLM
	WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
	Content-Type: text/html;charset=utf-8
	Content-Length: 954
	Via: 1.1 xxx.xxx.gov
	Connection: close

	GET /SSO/servlet/MyTest HTTP/1.1
	Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
	Accept-Language: en-us,zh-TW;q=0.5
	User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov
	Connection: Keep-Alive
	Authorization: Negotiate YIIHdQYGKwYBBQUCoIIHaTCCB2WgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBzsEggc3YIIHMwYJKoZIhvcSAQICAQBuggciMIIHHqADAgEFoQMCAQ6iBwMFACAAAACjggZNYYIGSTCCBkWgAwIBBaEJGwdDREMuR09WoiowKKADAgECoSEwHxsESFRUUBsXYXB0LXYtaHN0cC13ZWIxLmNkYy5nb3ajggYFMIIGAaADAgEXoQMCARKiggXzBIIF79VapfMD0G6GlobfdvzpSfzWMeKYlbX+fUOHm7Ri+7nEK0mTKJdXby3r6X9EEBqxcg9Yrno1do7zcDVI2meHRuvnlAa6R894ubvHsW4Hr2t1a3LXx48cvTx13dzQQJAByLwiyu9cx5HK2PLjg30G60kGz2HURoxsGuqtC28JX1FjCJZFiUTCTSIoAL/GgGk5h1Fyy7fmaR/6FetjQfiFV+O2PtnD1vz6Zzhr6uvJcJfQ8PT0vSM+2sBUX8zFL0IRdsMawPX4JsrXsiFqyEnv5brUkQQWrV5xJFb2n2LzI7UOU6dMKPJR3IDR+OefIzFjYVVF43MnePDgAdyWBWpYn9gFKrks0jJHzq/OLSnD6WRyutGVoVIrbuSMsdJvjxzOPjYAzkjHGYZF9ReP5TgFLm5kWA0LlGN3S7A5KZqAn5MrEv4xp7ydLGLJ2NWK56Me3uvFbrjLqJoISP/oiQDeH9tVboOEhArc3GmpXirUapmuvh2COWvd4R58HFDTZo4jnLWhxtC8DA2qeSpq5NBCVhioqzh7XOZzIHSxDGOZ+TqnVMLSz02IHdkL3TCIurMIIikGbga2lQ5IR36/ituEOLrxvK6Udpf2uWFfGi60Hmp8mQ7WwMWWT0pmoZxi/RCgwzpm46QXLpK45lCT4jEX1mZ9jsOaVqsFIWtYmmlb4WPRfPKcyMlL2z/qNVMPbt5KcyWMwazSlGJcsiLNcsOjNl6TLtc7+KvxMyjqmjXShkcy/4K6q6iFP+H1cKuLgGHWChz1j3d4ET+/91fPfhy1tZRHyU3IsYSsLvk3r37uJTcsZmRnXwlLkJmYtm5hdRRPrjQDTuCYo43LvTOpt6F0WmEvt3qSY2lAZeS/9gqBlnOamqOeeDI1oYBcCsAd3dBQs1MROjiGsC9OQCd4RvTTdDB2gWRdtxmo2mToZe4OjrY8jZluI7U7Rz6kBLVGKtSubX7gP6C/Z5eP7mbbwd345tINgWsaUKV988JMo+64JI4cjAf1XX7joWG5CwGHpBJ59MLQtS6EnA+zLeUYF87CenBskMAklTaSCRSAZsrQNzCyed9jSNUg+Lubo2GByNNr1vQKE2vfExBp0XqWKOKPO4f+7RSZ0IUV9AsVqzqFedN/ZVROMDfNlr1Mb0pwO2YRNISKx3L1QwR/iQi6h2uM5d4GP7DOBc1Hh5rDMs37NppzJRM63sUzAKYegD+82nYVf7vy6beBzXpAlqMJD4JZmIOznhnMZBiQ975AB3KPW+3N4W1vbZ5QuEKu7LCkiOsAERJc/AYDR8EEIdhIATASkZu8lrag93eHysx3bWV5/vjCpl9HI+d2dKfb8ZVWbz8oVS2rF8bxHY9/BEFmUNUAZrXR6HQVIu7JoaKiDSOl1t4iJ9EY703yhlfMyLNUpRrQswbkBhKYlu7N2I1OpJ3PY8i3F1XY7Qwr+R37qJhkyfc2X5s6LE60MX3vi3GCSdPz0Axy7zLh6GZTHvtbAo34jvOK4w1lQqIeE8FggSpJyEYYGSBFoStZ6pKDz9Iyxd/J/pxsHwUrkLzMO066Sg4hYauMB86N9nIIPA6T8VSwXV0h2nK9b/taNLMuKyoBfM2EUbt2ZnIpULkXjS3GXgNWi04W3pRLa8aSes/28btibasV4MtHRPFAinsaDtnWzwWaRqXpuT73zLvL7+Yt0cZV42evoSsdmD0Su9
FOMybhFZJr5pcagsDSvj9BueWCm0tpaLD7h//2nkuS+y1etuvNDm6pHzzgUrTnZ/Vbu/jKRdo9cIJLI/dqTbzBi8/dgPzYolJZRFqHm8JCesrcwKrjiK6cQe587q8ayXE46B6/s1uww0Ra04Y7V/Ie/Rg0jRgplAe7RtuRvyUaCXwjSHPbYUtO8U7KgREiyTxs67JYsi9Bu2vXPkrtxBP67Fk3GTyhMeIwtnsPRznWfsk2hUQc0Eo3YftYKWptz3NUY9OGzoO2cykHSL7VsLgwfLeXSQjj6nQpTTHYfyb/9LLPq1rTy1NvviyOTF1kRmX4j6dV7fmkgbcwgbSgAwIBF6KBrASBqQLHPIqlzGCqkxfvBx6+DlVY+CA8JW5bE6A5u8kV5e/zUrqcOBmKzUCqBgxkOcH8aDXM3ZHz4ojF+Ds6lvliPQEmnYcGI4TVj5wVZGDMN58PWOxPZYOhINAIBDc3pgvaGJGLSGJ0LELpIaIMuzMwOLlOXXQD8Zc/OPcjyhEC2Q2sVNktTr9E4IGgUOdD+9hVbfz1a6fLPgRCk43PSfVPCOSJcnuPtfDfOrw=

	HTTP/1.0 401 Unauthorized
	Date: Wed, 03 Aug 2011 11:45:38 GMT
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
	Via: 1.1 xxx.xxx.gov
	Connection: close
	Content-Type: text/plain

	GET /SSO/servlet/MyTest HTTP/1.1
	Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
	Accept-Language: en-us,zh-TW;q=0.5
	User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov
	Connection: Keep-Alive
	Authorization: Negotiate oS4wLKIqBChOVExNU1NQAAEAAAAHggiiAAAAAAAAAAAAAAAAAAAAAAUCzg4AAAAP

	HTTP/1.0 401 Unauthorized
	Date: Wed, 03 Aug 2011 11:45:38 GMT
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oYHeMIHboAMKAQGigdMEgdBOVExNU1NQAAIAAAAGAAYAOAAAAAWCiaIutevFTwpXnQAAAAAAAAAAkgCSAD4AAAAGAbAdAAAAD0MARABDAAIABgBDAEQAQwABAB4AQQBQAFQALQBWAC0ASABTAFQAUAAtAFcARQBCADEABAAOAGMAZABjAC4AZwBvAHYAAwAuAGEAcAB0AC0AdgAtAGgAcwB0AHAALQB3AGUAYgAxAC4AYwBkAGMALgBnAG8AdgAFAA4AYwBkAGMALgBnAG8AdgAHAAgAUAe13dJRzAEAAAAA
	Via: 1.1 xxx.xxx.gov
	Connection: close
	Content-Type: text/plain

	GET /SSO/servlet/MyTest HTTP/1.1
	Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
	Accept-Language: en-us,zh-TW;q=0.5
	User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.2; .NET4.0C; .NET4.0E; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov
	Connection: Keep-Alive
	Authorization: Negotiate [token omitted]

	HTTP/1.0 200 OK
	Date: Wed, 03 Aug 2011 11:45:41 GMT
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oQcwBaADCgEA
	Content-Type: text/html;charset=ISO-8859-1
	Set-Cookie: JSESSIONID=5633583F3438BDF187CFB10B3250D5FF; Path=/SSO
	Via: 1.1 xxx.xxx.gov
	Connection: close

 

 

HTTPHeaders dump from Win 7, IE 8 going directly to JBoss (Final response 200 OK)

 

	HTTP/1.1 401 Unauthorized
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate
	WWW-Authenticate: NTLM
	WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
	Connection: keep-alive
	Content-Type: text/html;charset=utf-8
	Content-Length: 954
	Date: Wed, 03 Aug 2011 11:34:10 GMT

	GET /SSO/ HTTP/1.1
	Accept: */*
	Accept-Language: en-us
	User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov:8080
	Connection: Keep-Alive
	Authorization: Negotiate [token omitted]

	HTTP/1.1 401 Unauthorized
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
	Connection: keep-alive
	Transfer-Encoding: chunked
	Date: Wed, 03 Aug 2011 11:34:12 GMT

	GET /SSO/ HTTP/1.1
	Accept: */*
	Accept-Language: en-us
	User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov:8080
	Connection: Keep-Alive
	Authorization: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgGxHQAAAA8=

	HTTP/1.1 401 Unauthorized
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oYHeMIHboAMKAQGigdMEgdBOVExNU1NQAAIAAAAGAAYAOAAAABWCieIpP2EZljaJYwAAAAAAAAAAkgCSAD4AAAAGAbAdAAAAD0MARABDAAIABgBDAEQAQwABAB4AQQBQAFQALQBWAC0ASABTAFQAUAAtAFcARQBCADEABAAOAGMAZABjAC4AZwBvAHYAAwAuAGEAcAB0AC0AdgAtAGgAcwB0AHAALQB3AGUAYgAxAC4AYwBkAGMALgBnAG8AdgAFAA4AYwBkAGMALgBnAG8AdgAHAAgAl6+1RNFRzAEAAAAA
	Connection: keep-alive
	Transfer-Encoding: chunked
	Date: Wed, 03 Aug 2011 11:34:12 GMT

	GET /SSO/ HTTP/1.1
	Accept: */*
	Accept-Language: en-us
	User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov:8080
	Connection: Keep-Alive
	Authorization: Negotiate [token omitted]

	HTTP/1.1 200 OK
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAACIwwtrnHY7CgAAAAA=
	Set-Cookie: JSESSIONID=72F61AE19F640FE5A8447A1AC33BC120; Path=/SSO
	Content-Type: text/html;charset=ISO-8859-1
	Content-Length: 634
	Date: Wed, 03 Aug 2011 11:34:15 GMT


 

Aug 3, 2011 at 4:36 PM

Just noticed that I missed the HTTPHeaders for the first conversation that fails, sorry about that.

HTTPHeaders dump from Windows 7, IE 8 going through Apache to access JBoss (Final response 401 Unauthorized)

	GET /SSO/servlet/MyTest HTTP/1.1
	Accept: */*
	Accept-Language: en-us
	User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov
	Connection: Keep-Alive

	HTTP/1.0 401 Unauthorized
	Date: Wed, 03 Aug 2011 11:32:19 GMT
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate
	WWW-Authenticate: NTLM
	WWW-Authenticate: Basic realm="BasicSecurityFilterProvider"
	Content-Type: text/html;charset=utf-8
	Content-Length: 954
	Via: 1.1 xxx.xxx.gov
	Connection: close

	GET /SSO/servlet/MyTest HTTP/1.1
	Accept: */*
	Accept-Language: en-us
	User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov
	Connection: Keep-Alive
	Authorization: Negotiate [token omitted]

	HTTP/1.0 401 Unauthorized
	Date: Wed, 03 Aug 2011 11:32:21 GMT
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oRUwE6ADCgEDoQwGCisGAQQBgjcCAgo=
	Via: 1.1 xxx.xxx.gov
	Connection: close
	Content-Type: text/plain

	GET /SSO/servlet/MyTest HTTP/1.1
	Accept: */*
	Accept-Language: en-us
	User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; MS-RTC LM 8)
	Accept-Encoding: gzip, deflate
	Host: xxx.xxx.gov
	Connection: Keep-Alive
	Authorization: Negotiate oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgGxHQAAAA8=

	HTTP/1.0 401 Unauthorized
	Date: Wed, 03 Aug 2011 11:32:21 GMT
	Server: Apache-Coyote/1.1
	X-Powered-By: Servlet 2.4; JBoss-4.0.5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
	WWW-Authenticate: Negotiate oYHeMIHboAMKAQGigdMEgdBOVExNU1NQAAIAAAAGAAYAOAAAABWCieK2/I+5Qq/l2AAAAAAAAAAAkgCSAD4AAAAGAbAdAAAAD0MARABDAAIABgBDAEQAQwABAB4AQQBQAFQALQBWAC0ASABTAFQAUAAtAFcARQBCADEABAAOAGMAZABjAC4AZwBvAHYAAwAuAGEAcAB0AC0AdgAtAGgAcwB0AHAALQB3AGUAYgAxAC4AYwBkAGMALgBnAG8AdgAFAA4AYwBkAGMALgBnAG8AdgAHAAgAO46zAtFRzAEAAAAA
	Via: 1.1 xxx.xxx.gov
	Connection: close
	Content-Type: text/plain

Aug 4, 2011 at 5:27 PM

Interesting, I am also experiencing the same/similar issues with SSL on Apache. Can someone please help? Thx

Coordinator
Aug 4, 2011 at 10:00 PM

I think the difference between XP and Windows 7 is because XP chooses a lower and less secure protocol, while Windows 7 negotiates something else that prevents, for example, a man-in-the-middle attack. Under all those Negotiate blobs the actual security negotiation is probably very different between the two machines.

The next steps are pretty involved. I *think* you end up using Kerberos here rather than NTLM, so I would start with Kerberos logging.

Troubleshooting Kerberos

Troubleshooting NTLM

Let us know what you find.

Aug 5, 2011 at 10:37 AM

Hi @dblock,

Thanks for your kind reply.

But what is really bizarre is the behavior. I admit that I do not fully understand this business with Kerberos, NTLM V1, V2 etc.
But if we just look at the Win 7 clients (which are the issue) I would expect the same behavior (401 Unauthorized) regardless of whether the browser is communicating over SSL or clear text.
However, that's not the case; it only fails when the browser connects via SSL.

Since our tests indicate that the issue occurs only when SSL is involved on Win7, do you think the SSL communication is interfering, or is it just noise leading me to the wrong conclusion?

Thanks again

Max

Coordinator
Aug 5, 2011 at 12:03 PM

Nobody fully understands the business with those things, even people in Building 41 that wrote it :)

SSL changes the URL to which you connect and may change the parameters in the Kerberos negotiation (for example, it doesn't need to worry about people stealing data on the wire). But all this is guesswork, you need to take a more methodical approach.

Aug 5, 2011 at 12:31 PM

Thanks for the clarification, we will proceed with the additional logging and see which "rabbit hole" it takes us to :-)

max

Aug 8, 2011 at 3:30 PM

As I mentioned in my previous posting, I also have JBoss fronted with an Apache (SSL). Authentication also failed from the WIN7 client.

I did some testing during the weekend: I applied the SSL setting to my JBoss and removed Apache from the same server, and authentication seems to be working fine from both XP and WIN7 clients.

It looks like Apache SSL was causing issues? Any input will be greatly appreciated.

 

Aug 16, 2011 at 1:42 PM

@dblock

I just wanted to update the thread with a possible resolution to our problem. As we continued to test and try to understand what was going on, one of my co-workers mentioned that it might be Apache and SSL.
So we went back and began looking at the HTTP header communication more closely, and what we noticed was as follows:

  1. Apache using clear text keeps the connection alive after each request
  2. JBoss using SSL also keeps the connection alive after each request
  3. Apache using SSL closes the connection after each request

It turns out that our Apache server was closing connections for IE browsers when using SSL. This link http://www.alexmeyer.com/linux/apachekeepalive.html describes and shows how to override/disable the Apache behavior for IE clients and keep the connection alive.

After we disabled the feature, Apache started keeping the connections alive, and our Win 7 clients connecting over SSL are now able to do SSO.

Thanks,

Max
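
The check described in the post above, as an added example that is not part of the original thread: NTLM authenticates a connection rather than a single request, so a response that carries the NTLM type 2 challenge together with `Connection: close` leaves the client nowhere to send its type 3 reply. The function names are hypothetical, `TYPE1` is the short token from the dumps above, and the type 2 token and both sample exchanges are constructed.

```python
import base64
import re
import struct

NTLM_SIG = b"NTLMSSP\x00"
NTLM_NAMES = {1: "NTLM type 1 (negotiate)", 2: "NTLM type 2 (challenge)",
              3: "NTLM type 3 (authenticate)"}

def classify_token(b64_token):
    """Name the auth message carried in a Negotiate/NTLM header value."""
    if not b64_token:
        return "no token"
    raw = base64.b64decode(b64_token)
    pos = raw.find(NTLM_SIG)  # NTLM may sit inside a SPNEGO wrapper
    if pos >= 0 and len(raw) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", raw, pos + 8)
        return NTLM_NAMES.get(msg_type, "NTLM (unknown type)")
    return "SPNEGO/other"

def parse_messages(dump):
    """Split a blank-line separated header dump into messages."""
    msgs = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        auth = (headers.get("authorization")
                or headers.get("www-authenticate") or [""])
        m = re.match(r"(?:Negotiate|NTLM)\s+(\S+)", auth[0])
        msgs.append({"start": lines[0], "headers": headers,
                     "token": classify_token(m.group(1) if m else "")})
    return msgs

def find_broken_handshake(dump):
    """Status lines of responses that send a challenge, then close."""
    findings = []
    for msg in parse_messages(dump):
        conn = [v.lower() for v in msg["headers"].get("connection", [])]
        if (msg["start"].startswith("HTTP/") and "close" in conn
                and msg["token"].startswith("NTLM type 2")):
            findings.append(msg["start"])
    return findings

# Type 1 token as it appears in the dumps above (SPNEGO-wrapped NTLM).
TYPE1 = "oTMwMaADCgEBoioEKE5UTE1TU1AAAQAAAJeCCOIAAAAAAAAAAAAAAAAAAAAABgGxHQAAAA8="
# Constructed, minimal type 2 token: signature, message type, zero padding.
CHALLENGE = base64.b64encode(NTLM_SIG + struct.pack("<I", 2) + bytes(20)).decode()

def sample(version, connection):
    """Constructed request/response pair modelled on the dumps above."""
    return (f"GET /SSO/servlet/MyTest HTTP/1.1\nConnection: Keep-Alive\n"
            f"Authorization: Negotiate {TYPE1}\n\n"
            f"{version} 401 Unauthorized\nConnection: {connection}\n"
            f"WWW-Authenticate: Negotiate {CHALLENGE}\n")

VIA_APACHE_SSL = sample("HTTP/1.0", "close")
DIRECT_JBOSS = sample("HTTP/1.1", "keep-alive")
```

Older stock Apache SSL configurations carry a `SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0` line, which produces the `HTTP/1.0` plus `Connection: close` responses seen in the failing dumps; that this was the directive on the poster's server is an assumption.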

Coordinator
Aug 16, 2011 at 2:50 PM

Good debugging. This was already in the FAQ - http://waffle.codeplex.com/discussions/244329?ProjectName=waffle !