IIS, Websphere Failing with Invalid token supplied error #1406
Comments
|
Is it possible for you to try the latest with java 8? I believe there was a lot of work in more recent cuts that fixed various issues that were not accurate. I don't recall specifically if NTLM but our change log would denote what changed in recent versions. If you could test on latest and confirm it works, we could back port a fix to older jdk 7 release if needed. |
|
Hi, many thanks for your reply. Currently, all of our applications are legacy and based on older java, websphere versions. I have asked with team if this is possible, but this would be hard to try with new java version as this would require upgrade of other versions as well. Meanwhile I would request if community has seen such issues with the above use case for the Waffle 1.8.3 or newer versions. Is anyone here following this architecture please ? |
|
Hi @hazendaz and community, The issue has been identified on IIS we have Windows Authentication mode enabled which was trapping Type 1 messages and sending back Type 2. While, application server was getting Type 3 tokens only resulting into invalid token supplied error. However our authentication calls are still failing for application URL e.g. http:https://myurl.com with Invalid logon attempt failed for Type 3 response sent back by client whereas calls through IP addresses/ hostname and localhost are passing. Attaching the logs for Non-working trace and Working trace . @dblock could you please advise here, any help would be appreciated. Thanks, |
It has been years for me since I knew anything about windows authentication, sorry :( |
Hi,
We are trying to integrate Waffle 1.8.3 NTLM authentication (Negotiate) into one of our legacy application i.e., based on java v7. We have the following existing application architecture i.e, IIS web server receives HTTP requests on port 80 from client and passes on to the application server listening on port 9080.
Earlier we were using JCIFS but with upgraded domain controllers it ceases to exist and has been suggested to go with Waffle.
But it is failing continuously when the requests are passed from port 80, i.e. 10.106.x.x:80/AppLoginUrl or hostname failing with the error “ The token supplied to the function is invalid” while 10.106.x.x:9080/AppLoginUrl is having successful SSO and authentication calls.
Have gone through various discussions and chats, where this is suggested that the IIS HTTP Web server is behaving as man in the middle where browser is thinking to signing off against i.e. breaking off NTLM authentication. But the protocol was used with JCIFS, trying to replace the library to fulfil that. As we are using NTLM authentication do we require SPN to be configured? I have deployed the Waffle sample filter application and that too is following the same pattern.
Could you please confirm if this is possible and with what changes at IIS/ Websphere level please ? (probably this is the ideal case as to put in HTTP Web server in front of Java servers, can this be possible with Waffle) Attached the negotiate Failure logs , I suspect the failure is not following 3 way handshake call or if following then contains pre-validated token. Your immediate response would be appreciated please (posted in waffle group conversation also).
The text was updated successfully, but these errors were encountered: