
NegotiateSecurityFilter is not working from remote systems. #620

Closed
anandbibek opened this issue May 7, 2018 · 5 comments

Comments


anandbibek commented May 7, 2018

I am running the "waffle-spring-boot-filter2" demo on my system and we have NTLM based authentication set up. When I am visiting http://localhost:8080/ or http://anandara01:8080/ from the local machine, Waffle completes auth and provides the correct user id. When I am hitting http://anandara01:8080/ from another machine on the same domain, logged in using another/own account, the auth fails with "error logging in user: com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid".

This is the debug output of the flow that works (from local machine):
2018-05-07 12:52:15.836 DEBUG 11896 --- [nio-8080-exec-1] waffle.spring.NegotiateSecurityFilter : GET /, contentlength: -1
2018-05-07 12:52:15.851 DEBUG 11896 --- [nio-8080-exec-1] w.s.NegotiateSecurityFilterEntryPoint : [waffle.spring.NegotiateEntryPoint] commence
2018-05-07 12:52:15.857 DEBUG 11896 --- [nio-8080-exec-2] waffle.spring.NegotiateSecurityFilter : GET /, contentlength: -1
2018-05-07 12:52:15.858 DEBUG 11896 --- [nio-8080-exec-2] w.s.spi.NegotiateSecurityFilterProvider : security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:50018
2018-05-07 12:52:15.868 DEBUG 11896 --- [nio-8080-exec-2] w.s.spi.NegotiateSecurityFilterProvider : token buffer: 123 byte(s)
2018-05-07 12:52:15.945 DEBUG 11896 --- [nio-8080-exec-2] w.s.spi.NegotiateSecurityFilterProvider : continue token: <<.......redacted..........>>
2018-05-07 12:52:15.945 DEBUG 11896 --- [nio-8080-exec-2] w.s.spi.NegotiateSecurityFilterProvider : continue required: true
2018-05-07 12:52:15.948 DEBUG 11896 --- [nio-8080-exec-3] waffle.spring.NegotiateSecurityFilter : GET /, contentlength: -1
2018-05-07 12:52:15.948 DEBUG 11896 --- [nio-8080-exec-3] w.s.spi.NegotiateSecurityFilterProvider : security package: Negotiate, connection id: 0:0:0:0:0:0:0:1:50018
2018-05-07 12:52:15.948 DEBUG 11896 --- [nio-8080-exec-3] w.s.spi.NegotiateSecurityFilterProvider : token buffer: 121 byte(s)
2018-05-07 12:52:15.962 DEBUG 11896 --- [nio-8080-exec-3] w.s.spi.NegotiateSecurityFilterProvider : continue token: <<.......redacted..........>>
2018-05-07 12:52:15.962 DEBUG 11896 --- [nio-8080-exec-3] w.s.spi.NegotiateSecurityFilterProvider : continue required: false
2018-05-07 12:52:16.002 DEBUG 11896 --- [nio-8080-exec-3] waffle.spring.NegotiateSecurityFilter : logged in user: NTNET\anandara (S-1-5-21-143744227-<<.......redacted..........>>)
2018-05-07 12:52:16.231 DEBUG 11896 --- [nio-8080-exec-3] waffle.spring.NegotiateSecurityFilter : roles: NTNET\anandara, <<.......redacted..........>>
2018-05-07 12:52:16.231 INFO 11896 --- [nio-8080-exec-3] waffle.spring.NegotiateSecurityFilter : successfully logged in user: NTNET\anandara

This is the debug flow that fails (from remote machine):
2018-05-07 12:58:48.667 DEBUG 11896 --- [nio-8080-exec-5] waffle.spring.NegotiateSecurityFilter : GET /, contentlength: -1
2018-05-07 12:58:48.668 DEBUG 11896 --- [nio-8080-exec-5] w.s.NegotiateSecurityFilterEntryPoint : [waffle.spring.NegotiateEntryPoint] commence
2018-05-07 12:58:48.934 DEBUG 11896 --- [nio-8080-exec-6] waffle.spring.NegotiateSecurityFilter : GET /, contentlength: -1
2018-05-07 12:58:48.935 DEBUG 11896 --- [nio-8080-exec-6] w.s.spi.NegotiateSecurityFilterProvider : security package: Negotiate, connection id: 10.26.214.92:54102
2018-05-07 12:58:48.935 DEBUG 11896 --- [nio-8080-exec-6] w.s.spi.NegotiateSecurityFilterProvider : token buffer: 40 byte(s)
2018-05-07 12:58:48.936 DEBUG 11896 --- [nio-8080-exec-6] w.s.spi.NegotiateSecurityFilterProvider : continue token: TlRM<<.......redacted..........>>
2018-05-07 12:58:48.936 DEBUG 11896 --- [nio-8080-exec-6] w.s.spi.NegotiateSecurityFilterProvider : continue required: true
2018-05-07 12:58:49.179 DEBUG 11896 --- [nio-8080-exec-7] waffle.spring.NegotiateSecurityFilter : GET /, contentlength: -1
2018-05-07 12:58:49.180 DEBUG 11896 --- [nio-8080-exec-7] w.s.NegotiateSecurityFilterEntryPoint : [waffle.spring.NegotiateEntryPoint] commence
2018-05-07 12:58:49.422 DEBUG 11896 --- [nio-8080-exec-8] waffle.spring.NegotiateSecurityFilter : GET /, contentlength: -1
2018-05-07 12:58:49.423 DEBUG 11896 --- [nio-8080-exec-8] w.s.spi.NegotiateSecurityFilterProvider : security package: NTLM, connection id: 10.26.214.92:54102
2018-05-07 12:58:49.423 DEBUG 11896 --- [nio-8080-exec-8] w.s.spi.NegotiateSecurityFilterProvider : token buffer: 40 byte(s)
2018-05-07 12:58:49.431 WARN 11896 --- [nio-8080-exec-8] waffle.spring.NegotiateSecurityFilter : error logging in user: com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid

I can see the negotiateEntryPoint being called midway in the failing flow. I would appreciate any help regarding how to get it working for remote machines. Or is this a known issue or some bad config on my end?

N.B. Using JCIFS filter in web.xml of spring allows me to proceed with auth from remote machines too. So, I suppose this is not a bad config on my end.

Could this be possibly related to this issue? #312
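The failing log above shows the handshake being restarted: the server answers the Negotiate leg with a continue token and "continue required: true", then the entry point issues another challenge and the next request on the same connection arrives under the NTLM package, which is where the "token supplied is invalid" error appears. The following is an added example (not part of this issue or of Waffle) that walks such debug lines and flags that pattern; the log sample is constructed from the report's lines, with a constructed NTLMSSP CHALLENGE header standing in for the redacted token.

```python
import base64
import re

# Constructed sample modelled on the failing remote-client flow in the issue; the
# continue token is a constructed NTLMSSP CHALLENGE header, not the redacted original.
FAILING_LOG = """\
2018-05-07 12:58:48.668 DEBUG 11896 --- [nio-8080-exec-5] w.s.NegotiateSecurityFilterEntryPoint : [waffle.spring.NegotiateEntryPoint] commence
2018-05-07 12:58:48.935 DEBUG 11896 --- [nio-8080-exec-6] w.s.spi.NegotiateSecurityFilterProvider : security package: Negotiate, connection id: 10.26.214.92:54102
2018-05-07 12:58:48.936 DEBUG 11896 --- [nio-8080-exec-6] w.s.spi.NegotiateSecurityFilterProvider : continue token: TlRMTVNTUAACAAAA
2018-05-07 12:58:48.936 DEBUG 11896 --- [nio-8080-exec-6] w.s.spi.NegotiateSecurityFilterProvider : continue required: true
2018-05-07 12:58:49.180 DEBUG 11896 --- [nio-8080-exec-7] w.s.NegotiateSecurityFilterEntryPoint : [waffle.spring.NegotiateEntryPoint] commence
2018-05-07 12:58:49.423 DEBUG 11896 --- [nio-8080-exec-8] w.s.spi.NegotiateSecurityFilterProvider : security package: NTLM, connection id: 10.26.214.92:54102
2018-05-07 12:58:49.431 WARN 11896 --- [nio-8080-exec-8] waffle.spring.NegotiateSecurityFilter : error logging in user: com.sun.jna.platform.win32.Win32Exception: The token supplied to the function is invalid
"""

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
PKG_RE = re.compile(r"security package: (\w+), connection id: (\S+)")

def ntlm_message_type(b64_token):
    """NTLMSSP message type (1/2/3) carried by a base64 token, else None."""
    try:
        raw = base64.b64decode(b64_token + "=" * (-len(b64_token) % 4))
    except ValueError:
        return None
    if len(raw) < 12 or not raw.startswith(b"NTLMSSP\x00"):
        return None
    return NTLM_TYPES.get(int.from_bytes(raw[8:12], "little"))

def analyze(log):
    # pending: connection id -> security package whose handshake is still open
    findings, pending = [], {}
    conn = pkg = None
    for line in log.splitlines():
        m = PKG_RE.search(line)
        if m:
            pkg, conn = m.groups()
            if pending.get(conn) not in (None, pkg):
                findings.append(f"{conn}: package switched {pending[conn]} -> {pkg} mid-handshake")
        elif "continue token:" in line:
            kind = ntlm_message_type(line.rsplit(" ", 1)[1])
            if kind:
                findings.append(f"{conn}: server replied with NTLM {kind}")
        elif "continue required: true" in line:
            pending[conn] = pkg  # server now expects the client's next leg on this connection
        elif "continue required: false" in line:
            pending.pop(conn, None)
        elif "commence" in line and pending:
            findings.append(f"401 re-issued while a handshake is pending on {sorted(pending)}")
        elif "error logging in user" in line:
            findings.append(f"{conn}: {line.split('error logging in user: ', 1)[1]}")
    return findings
```

Run against the working local-machine flow from the report, the same walk produces no findings because the second leg arrives under the same package and ends with "continue required: false".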

@anandbibek
Author

Interestingly, if I write a simple Java program with HttpUrlConnection and run it from the remote system, auth works correctly. Seems like the browser is somehow dropping the connection / Waffle is starting afresh in the middle of the handshake process. Tried setting correct proxies, but that didn't help the case.

@anandbibek
Author

Works after setting the filter to only NTLM instead of both NTLM and Negotiate. Had to set the property in application.properties.

@itssuyog96

I am facing the same issue. Can you please specify the properties you added in application.properties?

@anandbibek
Author

waffle.sso.enabled=true
waffle.sso.protocols=NTLM
waffle.sso.basic-enabled=false


campers commented Oct 31, 2019

For anyone who finds this issue from searching: I was having this same exception, and what fixed it for us was adding the SPNs HTTP/[domain] and HTTPS/[domain] for the server service account.
