MixedAuthenticator + IE8 negotiate not working

Oct 28, 2011 at 2:52 AM

I have just discovered this brilliant project and have been playing with the MixedAuthenticator sample that uses the tomcat Valve.  I can't get IE to work with the Login w/ Current Windows Credentials button.  I always have to use the form authentication.  Firefox works fine, after I configure the browser to trust localhost.

After reading this site, in particular the part about configuring IE to recognize localhost as being in the Intranet, I tried to perform the suggested configuration but can't because I don't have permissions.  So I tried a test where I just changed the Valve line in context.xml from...

<Valve className="waffle.apache.MixedAuthenticator" principalFormat="fqn" roleFormat="both" allowGuestLogin="false" />

to

<Valve className="waffle.apache.NegotiateAuthenticator" principalFormat="fqn" roleFormat="both" />

Just by making that one change, IE is now successfully able to authenticate automatically using AD.  However, changing the Valve back to MixedAuthenticator, it can then only authenticate using the FORM mechanism.  Since IE does work with the NegotiateAuthenticator valve, I would assume it is not a browser configuration issue.

Coordinator
Oct 28, 2011 at 4:43 AM

Odd. Could you maybe dump the HTTP conversations and diff them?

Oct 31, 2011 at 6:37 AM
Edited Nov 1, 2011 at 12:24 AM

I've obtained the http header traces for firefox and IE. 

In summary, the difference between IE and Firefox using the MixedAuthenticator valve is as follows...

  • Firefox sends a valid certificate in the Authorization header (oXcwdaADCg.......) with the 1st POST request
  • IE doesn't send a certificate with the 1st POST; it gets a 401 back and then sends a different certificate (YH0GBisGAQUFAqB...) compared to the one Firefox sends, with the 2nd POST request.  Server returns 200 but user is not logged on and the login form is displayed.

When using the NegotiateAuthenticator valve, IE sends 3 GET requests

  • request 1 contains no Authorization header.  401 response as expected
  • request 2 contains an incorrect Authorization header (YH0GBisGAQUFAqB...), the same one IE POSTS when using the MixedAuthenticator.  401 response again.
  • request 3 contains the correct Authorization header (oXcwdaADCg....), which is the same one that Firefox sends with its very first request.  It gets a successful 200 response.

Forgive my ignorance but what are these 2 certificates being used by IE?  Is this something to do with SPNEGO vs NTLM?  Also why does IE try 3 times using the NegotiateAuthenticator and only 2 times using MixedAuthenticator?

Here's the IE + MixedAuthenticator HTTP headers 

POST /workinstructions/index.jsp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://localhost:8080/workinstructions/index.jsp
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: localhost:8080
Content-Length: 18
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=640E5B8A47C221C1E70BEB1C7E6103B8

j_negotiate_check=

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Mon, 31 Oct 2011 04:30:57 GMT


POST /workinstructions/index.jsp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://localhost:8080/workinstructions/index.jsp
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: localhost:8080
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Negotiate YH0GBisGAQUFAqBzM...
Cookie: JSESSIONID=640E5B8A47C221C1E70BEB1C7E6103B8


HTTP/1.1 200 OK - (MISLEADING BECAUSE IT ACTUALLY RETURNS THE LOGON PAGE)
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 680
Date: Mon, 31 Oct 2011 04:30:57 GMT


Here's the FIREFOX + MixedAuthenticator headers

POST /workinstructions/index.jsp HTTP/1.1
Accept: test/html, application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://localhost:8080/workinstructions/index.jsp
Accept-Language: en-gb,en;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept-Encoding: gzip, deflate
Host: localhost:8080
Content-Length: 18
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cookie: JSESSIONID=8DFB4C3D2072833794A651ADC8027288
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAA...

j_negotiate_check=

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=
Set-Cookie: JSESSIONID=959A295C860F8F3F3471618145470B47; Path=/workinstructions/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1412
Date: Mon, 31 Oct 2011 05:17:04 GMT


Here's the IE + NegotiateAuthenticator HTTP headers...

GET /workinstructions/index.jsp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Accept-Encoding: gzip, deflate
Host: localhost:8080
Connection: Keep-Alive

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Mon, 31 Oct 2011 04:40:04 GMT

GET /workinstructions/index.jsp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Accept-Encoding: gzip, deflate
Host: localhost:8080
Connection: Keep-Alive
Authorization: Negotiate YH0GBisGAQUFAqBzM...

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Negotiate oYIBCTCCAQWgAwoBAaEMBgorBgEEAYI3AgIKooHvBIHsTlRMTVNTUAACAAAACgAKADgAAAAVwoni5WlSD8fDY1bweHkBAAAAAKoAqgBCAAAABgGxHQAAAA9EAEUAVgBPAEMAAgAKAEQARQBWAE8AQwABABwATwBTAFMAQwAtAEQARQBWAC0AUwBXAEIAMAAxAAQAFgBkAGUAdgBvAGMALgBsAG8AYwBhAGwAAwA0AE8AUwBTAEMALQBEAEUAVgAtAFMAVwBCADAAMQAuAGQAZQB2AG8AYwAuAGwAbwBjAGEAbAAFABYAZABlAHYAbwBjAC4AbABvAGMAYQBsAAcACADUU+Ioh5fMAQAAAAA=
Connection: keep-alive
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Mon, 31 Oct 2011 04:40:04 GMT

GET /workinstructions/index.jsp HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Accept-Encoding: gzip, deflate
Host: localhost:8080
Connection: Keep-Alive
Authorization: Negotiate oXcwdaADCgEBoloEWE5UTE1TU1AAA...

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 10:00:00 EST
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=
Set-Cookie: JSESSIONID=9414968CED673C2A777DB3E388C68C48; Path=/workinstructions/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1500
Date: Mon, 31 Oct 2011 04:40:04 GMT
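
Added example (not from this thread or from the Waffle project): a small Python decoder for the Negotiate blobs quoted in the traces above. It reads the DER framing of a GSS-API/SPNEGO token and reports which handshake leg it carries, so the "YH0G..." and "oXcw..." prefixes copied from the post can be told apart even though they are truncated. The OID table holds the standard mechanism OIDs; the sample tokens are the ones visible in the traces above.

```python
"""Classify base64 blobs from 'Authorization: Negotiate' / 'WWW-Authenticate: Negotiate'
headers: GSS-API wrapper carrying SPNEGO NegTokenInit, SPNEGO NegTokenResp, or raw NTLMSSP."""
import base64

OIDS = {  # well-known mechanism OIDs that appear inside SPNEGO tokens
    "1.3.6.1.5.5.2": "SPNEGO", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS Kerberos V5",
}
NTLM_TYPES = {1: "NEGOTIATE (type 1)", 2: "CHALLENGE (type 2)", 3: "AUTHENTICATE (type 3)"}
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def decode_b64_prefix(token):
    """Decode whole 4-char groups only, so a blob cut short with '...' still yields its prefix."""
    token = token.rstrip(".")
    return base64.b64decode(token[: len(token) - len(token) % 4])

def tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, length, start_of_value)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length, e.g. 82 01 09 in the server challenge
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, ln, pos

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def describe_mech_token(body):
    if not body.startswith(b"NTLMSSP\x00"):
        return "%d-byte non-NTLM mech token" % len(body)
    if len(body) <= 8:
        return "NTLM (message type cut off in trace)"
    return "NTLM " + NTLM_TYPES.get(body[8], "type %d" % body[8])

def classify(token):
    raw = decode_b64_prefix(token)
    if raw.startswith(b"NTLMSSP\x00"):         # bare NTLM without any SPNEGO wrapper
        return "raw " + describe_mech_token(raw)
    tag, _, pos = tlv(raw, 0)
    if tag == 0x60:                            # GSS-API InitialContextToken: OID, then NegTokenInit
        _, ln, pos = tlv(raw, pos)
        mech = decode_oid(raw[pos:pos + ln])
        return "GSS-API InitialContextToken mech=%s carrying NegTokenInit (first leg)" % OIDS.get(mech, mech)
    if tag != 0xA1:
        return "unrecognised token, first byte 0x%02x" % tag
    _, _, pos = tlv(raw, pos)                  # NegTokenResp SEQUENCE: [0] negState [1] supportedMech [2] responseToken [3] mechListMIC
    parts = []
    while pos < len(raw):
        try:
            ctag, cln, vpos = tlv(raw, pos)
            inner = raw[vpos:vpos + cln]
            if ctag == 0xA0:
                parts.append("negState=" + NEG_STATE.get(inner[2], str(inner[2])))
            elif ctag == 0xA1:
                _, oln, opos = tlv(inner, 0)
                oid = decode_oid(inner[opos:opos + oln])
                parts.append("supportedMech=" + OIDS.get(oid, oid))
            elif ctag == 0xA2:
                _, _, tpos = tlv(inner, 0)
                parts.append("responseToken=" + describe_mech_token(inner[tpos:]))
            elif ctag == 0xA3:
                parts.append("mechListMIC present")
        except IndexError:                     # prefix ended mid-element
            parts.append("(remainder cut off in trace)")
            break
        pos = vpos + cln
    return "SPNEGO NegTokenResp " + ", ".join(parts)

# Tokens as they appear in the traces above (client ones are truncated in the post).
TRACE_TOKENS = {
    "IE 2nd POST / 2nd GET": "YH0GBisGAQUFAqBzM...",
    "Firefox 1st POST / IE 3rd GET": "oXcwdaADCgEBoloEWE5UTE1TU1AAA...",
    "server 200 OK": "oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=",
}

if __name__ == "__main__":
    for label, token in TRACE_TOKENS.items():
        print("%-30s %s" % (label, classify(token)))
```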

Coordinator
Nov 1, 2011 at 10:56 PM

First things first, these are not certificates. They are some kind of opaque blob of stuff ;) These are very different conversations, you're doing GETs in the second one and POSTs in the first, in a way this could be apples and oranges.

In the second it's pretty clear waffle is taking the call, but I think in the first it's not. Can you make the mixed demo work in your environment - what's the difference in POST parameters between the two?

Nov 3, 2011 at 1:18 AM

I found the issue.  My login.jsp (taken from the sample in subversion) had the negotiate form coded as follows. 

<form method="POST" name="loginform" action="index.jsp">
  <input type="hidden" name="j_negotiate_check"/>
  <input type="submit" value="Login w/ Current Windows Credentials"/>
</form>

Note the j_negotiate_check is a form input which is POSTED to the server.
It seems that when IE gets the 401 the first time and it resends the request to the server, it fails to resend this form parameter, so waffle doesn't retry the authentication.

To resolve it, the form should be as follows...

<form method="POST" name="loginform" action="index.jsp?j_negotiate_check=">
  <input type="submit" value="Login w/ Current Windows Credentials" />
</form>

with j_negotiate_check added onto the URL the form gets POSTED to.  This way, the parameter is always included when IE retries the POST after the 401 error.

I note that on the website, you DO have the form coded correctly, however in the downloaded samples, the form has j_negotiate_check as a hidden input field.

For interest, here's the HTTP header conversation with IE8 + MixedAuthenticator valve when j_negotiate_check is part of the URL...

POST /workinstructions/index.jsp?j_negotiate_check= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://localhost:8080/workinstructions/index.jsp
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: localhost:8080
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=5DF77EF1C7F5D4BFD6CE6C63F713685E


HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Connection: close
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Thu, 03 Nov 2011 00:03:18 GMT


POST /workinstructions/index.jsp?j_negotiate_check= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://localhost:8080/workinstructions/index.jsp
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: localhost:8080
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Negotiate YH0GBisGAQUFAqB...
Cookie: JSESSIONID=5DF77EF1C7F5D4BFD6CE6C63F713685E


HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oYIBCTCCAQWgAwoBAaEMBgorBgEEAYI3AgIKooHvBIHsTlRMTVNTUAACAAAACgAKADgAAAAVwoniSdUxwhHFOu5genkBAAAAAKoAqgBCAAAABgGxHQAAAA9EAEUAVgBPAEMAAgAKAEQARQBWAE8AQwABABwATwBTAFMAQwAtAEQARQBWAC0AUwBXAEIAMAAxAAQAFgBkAGUAdgBvAGMALgBsAG8AYwBhAGwAAwA0AE8AUwBTAEMALQBEAEUAVgAtAFMAVwBCADAAMQAuAGQAZQB2AG8AYwAuAGwAbwBjAGEAbAAFABYAZABlAHYAbwBjAC4AbABvAGMAYQBsAAcACAB4pjH+u5nMAQAAAAA=
Connection: keep-alive
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Thu, 03 Nov 2011 00:03:18 GMT


POST /workinstructions/index.jsp?j_negotiate_check= HTTP/1.1
Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*
Referer: http://localhost:8080/workinstructions/index.jsp
Accept-Language: en-AU
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: localhost:8080
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: JSESSIONID=5DF77EF1C7F5D4BFD6CE6C63F713685E
Authorization: Negotiate oXcwdaADCgEBolo...


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
WWW-Authenticate: Negotiate oRswGaADCgEAoxIEEAEAAABDh+CIwTbjqQAAAAA=
Set-Cookie: JSESSIONID=CE7FEDB69FFA900142906A2EF83EBA46; Path=/workinstructions/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1412
Date: Thu, 03 Nov 2011 00:03:18 GMT
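
Added example (not from this thread or from Waffle): a short Python check that walks a request trace like the ones in this thread and flags the failure mode the fix above addresses: a POST retried after the 401 that carries Authorization but no longer exposes j_negotiate_check, because the retry went out with Content-Length: 0. The sample traces are constructed, shortened versions of the two traces posted here.

```python
"""Flag a retried POST that lost its j_negotiate_check parameter between the 401 and the retry."""
from urllib.parse import parse_qs, urlsplit

TRIGGER = "j_negotiate_check"

def parse_request(raw):
    """Split a raw HTTP/1.1 request, as copied from a trace, into method, target, headers, body."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    method, target, _ = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body.strip()}

def trigger_visible(req):
    """Mimic servlet getParameter(): query string first, then a urlencoded form body (if any)."""
    params = parse_qs(urlsplit(req["target"]).query, keep_blank_values=True)
    if req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(req["body"], keep_blank_values=True))
    return TRIGGER in params

def diagnose(raw_requests):
    """Return (has_authorization, trigger_visible, retry_dropped_trigger) for each request in order."""
    results, trigger_seen = [], False
    for raw in raw_requests:
        req = parse_request(raw)
        has_auth = "authorization" in req["headers"]
        visible = trigger_visible(req)
        results.append((has_auth, visible, has_auth and trigger_seen and not visible))
        trigger_seen = trigger_seen or visible
    return results

# Constructed, shortened from the thread's traces: hidden-field form first, URL-parameter form second.
HIDDEN_FIELD_TRACE = [
    "POST /workinstructions/index.jsp HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n"
    "Content-Length: 18\n\nj_negotiate_check=",
    "POST /workinstructions/index.jsp HTTP/1.1\nContent-Type: application/x-www-form-urlencoded\n"
    "Content-Length: 0\nAuthorization: Negotiate YH0GBisGAQUFAqBzM...\n\n",
]
URL_PARAM_TRACE = [
    "POST /workinstructions/index.jsp?j_negotiate_check= HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\nContent-Length: 0\n\n",
    "POST /workinstructions/index.jsp?j_negotiate_check= HTTP/1.1\n"
    "Content-Type: application/x-www-form-urlencoded\nContent-Length: 0\n"
    "Authorization: Negotiate YH0GBisGAQUFAqBzM...\n\n",
]

if __name__ == "__main__":
    print("hidden field :", diagnose(HIDDEN_FIELD_TRACE))   # second request drops the trigger
    print("URL parameter:", diagnose(URL_PARAM_TRACE))      # trigger survives the retry
```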