jjennings
I'm new here

KerberosLoginModule - Failed negotiation

Hi,

We have a test case for the KerberosLoginModule that is working as expected from a few machines.

We were required to adjust some settings in IE 8/9 to get this working properly, but it is working.

A test customer has tried to access the test page using the same settings that are working for us, but he only receives a white page.

We assumed there is something that is still not correct with his IE settings, but we verified them on our end and they work for us.

We looked at the log files and saw a difference which makes us think there may be something else at work.

Here are the log entries of a working Kerberos attempt. The login fails but that is what we expect since the user is anonymous - and is shown different content.

12:23:39,797 DEBUG [LoginManager] [SessionId: DDD0421EC93BDE9195A5DFDD5A59F7E5] Trying to login user using login-package 'Kerberos'...
12:23:39,797 DEBUG [LoginManager] [SessionId: DDD0421EC93BDE9195A5DFDD5A59F7E5] Calling login-module...
12:23:39,797 DEBUG [KerberosLoginModule] login...
12:23:39,797 DEBUG [KerberosLoginModule] received SPNEGO Authorization-Header: Negotiate TlRMT...
12:23:39,797 ERROR [KerberosLoginModule] login failed! Defective token detected (Mechanism level: GSSHeader did not find the right tag)
12:23:39,797 DEBUG [LoginManager] [SessionId: DDD0421EC93BDE9195A5DFDD5A59F7E5] LoginModule done in 0 ms
12:23:39,797 INFO  [LoginManager] [SessionId: DDD0421EC93BDE9195A5DFDD5A59F7E5] No user-data available.
12:23:39,797 DEBUG [LoginManager] [SessionId: DDD0421EC93BDE9195A5DFDD5A59F7E5] Loginprocess done in 0 ms

Here are the log entries of the client where he just receives a white screen.

11:48:00,051 DEBUG [LoginManager] [SessionId: 2E5B7529A4AB05FCED5FBAA51902F093] Trying to login user using login-package 'Kerberos'...
11:48:00,051 DEBUG [LoginManager] [SessionId: 2E5B7529A4AB05FCED5FBAA51902F093] Calling login-module...
11:48:00,051 DEBUG [KerberosLoginModule] login...
11:48:00,051 DEBUG [KerberosLoginModule] sending SPNEGO authentication request. WWW-Authenticate: Negotiate
11:48:00,051 DEBUG [AuthorizeTag] [SessionId: 2E5B7529A4AB05FCED5FBAA51902F093] Processing handshake...
11:48:51,205 DEBUG [ManagerBase] Start expire sessions StandardManager at 1341481731205 sessioncount 5
11:48:51,205 DEBUG [ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0


What is interesting is that the working attempt has "received SPNEGO Authorization-Header: Negotiate TlRMT..." whereas the non-working attempt has "sending SPNEGO authentication request. WWW-Authenticate: Negotiate".

Can someone provide insight into what the log entries mean from the Kerberos Module? Could it be that the customer needs to do something more to get this working?

Thanks!

0 Kudos
4 Replies
feddersen
Community Manager

"sending SPNEGO authentication request. WWW-Authenticate: Negotiate".

is indicating that the browser doesn't send back the necessary response, which would be the "received SPNEGO Authorisation Header ..." message. Check that Kerberos is configured correctly on these machines.

0 Kudos
isenberg
I'm new here

12:23:39,797 DEBUG [KerberosLoginModule] received SPNEGO Authorization-Header: Negotiate TlRMT...
12:23:39,797 ERROR [KerberosLoginModule] login failed! Defective token detected (Mechanism level: GSSHeader did not find the right tag)


A ticket starting with "TlR" is of type NTLM SPNEGO not Kerberos SPNEGO, as Kerberos tickets start with "Yll". That means your browser is not sending a Kerberos ticket and in this case IE falls back to NTLM which is not supported by our module.

Check with "klist" on the client (available since Windows 7), if a ticket for the web server URL was successfully acquired. Also try with another browser (Firefox, Chrome) to check if the client can access the Kerberos realm.

0 Kudos
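
The token check from the reply above, as an added example that is not part of the thread and is not the KerberosLoginModule's own code: it decodes the start of the logged Negotiate token (NTLM messages begin with the bytes NTLMSSP\0, which is "TlRMTVNTUAA" in base64; a GSS-API initial token begins with ASN.1 tag 0x60) and also flags a challenge that the browser never answered. The function names, result labels and the "YIIB..." sample line are assumptions made for this example.

```python
import base64
import re

NTLM_SIG = b"NTLMSSP\x00"   # every NTLM message starts with this signature
GSS_INITIAL_TAG = 0x60      # ASN.1 [APPLICATION 0], GSS-API initial token

RECEIVED = re.compile(r"\[KerberosLoginModule\] received SPNEGO "
                      r"Authorization-Header: Negotiate (\S+)")
CHALLENGE = "[KerberosLoginModule] sending SPNEGO authentication request"

def classify_negotiate_token(b64):
    """Classify a base64 Negotiate token, even one the log cut short."""
    b64 = b64.rstrip(".")                     # the log ends the token with "..."
    usable = b64[:len(b64) - len(b64) % 4]    # decode whole 4-char groups only
    try:
        raw = base64.b64decode(usable, validate=True)
    except ValueError:
        return "undecodable"
    if not raw:
        return "too-short"
    if NTLM_SIG.startswith(raw[:len(NTLM_SIG)]):
        return "ntlm"                         # browser fell back to NTLM
    if raw[0] == GSS_INITIAL_TAG:
        return "gssapi"                       # GSS-API framed, Kerberos candidate
    return "unknown"

def triage(log_lines):
    """Return one finding per received token, plus an unanswered challenge."""
    findings, challenge_pending = [], False
    for line in log_lines:
        if CHALLENGE in line:
            challenge_pending = True          # server sent WWW-Authenticate
        match = RECEIVED.search(line)
        if match:
            challenge_pending = False         # browser replied with a token
            findings.append(classify_negotiate_token(match.group(1)))
    if challenge_pending:
        findings.append("challenge-unanswered")
    return findings

# Log lines copied from the thread
WORKING_LOG = ["12:23:39,797 DEBUG [KerberosLoginModule] received SPNEGO "
               "Authorization-Header: Negotiate TlRMT..."]
CUSTOMER_LOG = ["11:48:00,051 DEBUG [KerberosLoginModule] sending SPNEGO "
                "authentication request. WWW-Authenticate: Negotiate"]
# Constructed sample line: truncated token whose first decoded byte is 0x60
CONSTRUCTED_LOG = ["00:00:00,000 DEBUG [KerberosLoginModule] received SPNEGO "
                   "Authorization-Header: Negotiate YIIB..."]
```

A "gssapi" result only shows the token has GSS-API framing; whether a Kerberos ticket for the web server was actually obtained is still confirmed with klist on the client.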

Hi,

We have asked our client to try using Firefox. We provided them the config settings for about:config.

For us and another test case, this also works.

Our client though is still receiving the "WWW-Authenticate: Negotiate" and still seeing a white page.

We think that maybe something is configured differently on the machines. Since re-lounge is more a software agency - could someone from FirstSpirit contact our client to determine how they can correctly set this so it works with the personalization module?

Thanks!

0 Kudos

Hi,

please contact your e-Spirit Account Manager for a support request.

0 Kudos