com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid


Francois Eyl

Sep 30, 2015, 11:30:54 AM
to waffle
Hi guys,

We are having an issue getting the NTLM negotiation to work properly in some environments, while it works in others. It appears to be a security issue, but we can't determine what's going on.

Here is one of our environment details where it does not work:

The web server is running on Windows 8.1 (x64) as a domain user (which is local admin) and should have the Kerberos delegation registered ("setspn -L username" shows that the user is correctly registered). IE security seems to be properly set up according to your recommendations. Our test is being made on the same machine with the current user logged in (the same one who is running the web server service).

The behavior differs depending on whether we use IE (11) or Chrome. What happens on both is that the browser prompts for credentials instead of passing through. On Chrome, when the user fills in the prompt and enters correct credentials, Chrome does the negotiation correctly (even though it should just pass through without any prompt). However, IE prompts, but even with the correct credentials entered it just fails, always returns to the prompt, and in the log we receive that "com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid" message. Here is the stack trace:

[15-09-30 09:21:19.624] [TRACE] (NegotiateSecurityFilter     128) {} java.io.IOException: com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid
    at waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(SecurityFilterProviderCollection.java:165)
    at waffle.servlet.NegotiateSecurityFilter.doFilter(NegotiateSecurityFilter.java:122)
    at com.sma.sm.app.SmSecurityFilter.doFilter(SmSecurityFilter.java:77)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:52)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:497)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Unknown Source)
Caused by: com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid
    at waffle.windows.auth.impl.WindowsAuthProviderImpl.acceptSecurityToken(WindowsAuthProviderImpl.java:141)
    at waffle.servlet.spi.NegotiateSecurityFilterProvider.doFilter(NegotiateSecurityFilterProvider.java:139)
    at waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(SecurityFilterProviderCollection.java:163)
    ... 21 common frames omitted




Do you guys have any idea what is going on?


Thanks,

Francois

Daniel Doubrovkine

Sep 30, 2015, 12:15:48 PM
to waffle...@googlegroups.com
Before we give wild theories, have you checked out https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md?

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Francois Eyl

Sep 30, 2015, 12:44:17 PM
to waffle...@googlegroups.com
Hi Daniel, yes we did.

Also, I have to mention that everything works when the service is running "localsystem".

Apparently the negotiation happened (token buffer: 121 bytes), but the login failed. Log extract:
[15-09-30 11:05:57.731] [DEBUG] (NegotiateSecurityFilter     106) GET /, contentlength: -1 
[15-09-30 11:05:57.732] [DEBUG] (NegotiateSecurityFilterProvider 130) security package: Negotiate, connection id: fe80:0:0:0:f817:93c6:91ad:2ba%19:53675 
[15-09-30 11:05:57.732] [DEBUG] (NegotiateSecurityFilterProvider 138) token buffer: 121 byte(s) 
[15-09-30 11:05:57.769] [WARN ] (NegotiateSecurityFilter     127) error logging in user: com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid 
[15-09-30 11:05:57.775] [TRACE] (NegotiateSecurityFilter     128) {} java.io.IOException: com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid


We did use the IEHttpHeaders utility, but nothing was shown until we cancelled the credential prompt. Here is what we get after we close the prompt window (cancel):
POST /urstelemetry.asmx?MSTel-Client-Key=Pd4VhEnnauUUpC7vSU9eyQ%3d%3d&MSTel-MAC=Z4XCmMEE5gA%3d HTTP/1.1
Accept: text/*
Content-Type: text/xml; charset=utf-8
User-Agent: VCSoapClient
Host: t.urs.microsoft.com
Content-Length: 1501
DNT: 1
Cache-Control: no-cache
 
<T v="5"><G>4A72F430-B40C-4D36-A068-CE33ADA5ADF9</G><D>10.0.8110.6</D><C>11.00.9600.18036</C><OS>6.3.9600.0.0</OS><I>9.11.9600.18036</I><L>en-US</L><O>POST</O><ID>146B4539-5CF6-4A46-9D12-1E8D4E635C85</ID><URL>aHR0cDovL2FtdXJyYXkxOjgwODAvIyFsb2dpbg==</URL><RU>aHR0cDovL2FtdXJyYXkxOjgwODAv</RU><RI>fe80:0000:0000:0000:f817:93c6:91ad:02ba</RI><HIP>fe80:0000:0000:0000:f817:93c6:91ad:02ba</HIP><UI>398e687298325fd3946956e34e90bfd1185050be037863701db820c22c8608f8</UI><S>64</S><DI>126.40.30.47</DI><Y><T>B|0|100.0000</T><T>I|0|100.0000</T><T>D|0|95.0000</T><T>P|0|100.0000|6.5000</T><T>F|2|0.0700|0.0700|0.0070</T><T>R|0|100.0000</T><T>U|2|1.0000</T><T>W|0|0.5000</T><T>H|0|100.0000</T><T>O|0|100.0000</T><T>T|0|100.0000</T><T>PP|1|100.0000</T></Y><M>NOHN</M><Fs><F><URL>aHR0cDovL2FtdXJyYXkxOjgwODAv</URL><Z>NOHN</Z><H>410000|0|0|80000020|FC0|0,2</H><K>4c006f00670069006e003a005300690067006e0049006e003a00</K><T>TOP</T><HIP>fe80:0000:0000:0000:f817:93c6:91ad:02ba</HIP><SC/><SH>f06c4dadcdee55ab</SH><NS></NS><SSL/><SSLLen/><REDIR>2:aHR0cDovL2FtdXJyYXkxOjgwODAvP2F1dGg9cmVndWxhcg==;aHR0cDovL2FtdXJyYXkxOjgwODAv</REDIR></F><F><URL>YWJvdXQ6Ymxhbms=</URL><Z>NWGN</Z><H>C10000|0|0|20000020|1F80|0,0</H><K>3a003a00</K><T>FRAME</T><HIP>0.0.0.0</HIP><SC/><SH></SH><NS></NS><SSL/><SSLLen/><REDIR/></F><F><URL>aHR0cDovL2FtdXJyYXkxOjgwODAv</URL><Z>NWGN</Z><H>410000|0|0|20000020|1F80|0,0</H><K>3a003a00</K><T>FRAME</T><HIP>126.40.90.111</HIP><SC/><SH></SH><NS></NS><SSL/><SSLLen/><REDIR/></F></Fs><WA/><GS/><Err/></T>
 
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Length: 1
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 30 Sep 2015 16:22:41 GMT

Thanks for your help,
Francois


Daniel Doubrovkine

Sep 30, 2015, 1:04:45 PM
to waffle...@googlegroups.com
I think if you can run the service as localsystem it's better than a domain user that has admin access to the box.

I think the domain user under which your application is running does not hold a specific right, or is explicitly denied a specific right. I believe you need "Log on as a batch job"; it's usually denied explicitly to administrators via "Deny log on as a batch job".
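The two rights Daniel names can be checked directly on the web server rather than by asking the domain admin. The script below is an added example (not from this thread and not part of Waffle): it exports the local user-rights assignment with secedit, translates the SIDs in SeBatchLogonRight and SeDenyBatchLogonRight to account names, resolves the service account's token groups, and reports whether the account is granted the right and, more importantly, whether a deny entry (which always wins) applies to it through any of its groups. The UPN is a placeholder; run it in an elevated PowerShell on the machine hosting the service.

```powershell
# Added example, not part of the thread or of Waffle: checks whether a service
# account effectively holds "Log on as a batch job" on this machine, and whether
# "Deny log on as a batch job" (which overrides any grant) applies to it.
# Run in an elevated PowerShell on the web server. The UPN is a placeholder.
param(
    [string]$UserPrincipalName = 'svc-webapp@corp.example'   # placeholder account
)

# 1. Export the local user-rights assignment. secedit writes a UTF-16 .inf whose
#    [Privilege Rights] section holds lines such as
#    SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Get-RightHolders {
    param([string]$Right)
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry -match '^\*(S-1-.*)$') {
            # SIDs are prefixed with '*'; translate them to DOMAIN\name where possible
            $sidText = $Matches[1]
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sidText }
        } else {
            $entry   # already written as a name
        }
    }
}

# 2. Resolve the account and the groups in its token (S4U logon; needs a reachable DC).
$identity   = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
$principals = @($identity.Name)
foreach ($g in $identity.Groups) {
    try   { $principals += $g.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $principals += $g.Value }
}

$granted = Get-RightHolders 'SeBatchLogonRight'
$denied  = Get-RightHolders 'SeDenyBatchLogonRight'

# 3. A deny entry overrides a grant, so report both and the resulting effective right.
$matchGrant = @($granted | Where-Object { $principals -contains $_ })
$matchDeny  = @($denied  | Where-Object { $principals -contains $_ })

[pscustomobject]@{
    Account             = $identity.Name
    GrantedVia          = ($matchGrant -join ', ')
    DeniedVia           = ($matchDeny  -join ', ')
    EffectiveBatchLogon = ($matchGrant.Count -gt 0 -and $matchDeny.Count -eq 0)
} | Format-List
```

A non-empty DeniedVia with a group such as BUILTIN\Administrators explains the "works as LocalSystem, fails as a local-admin domain user" pattern reported above: the right is granted through one group and taken away through another, and the deny prevails. The same function can be pointed at other rights (for example SeServiceLogonRight) by changing the name passed to Get-RightHolders.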

Daniel Doubrovkine

Sep 30, 2015, 1:05:16 PM
to waffle...@googlegroups.com
And yes, once you see a prompt auth has failed, no need to try further.

Francois Eyl

Oct 14, 2015, 9:50:02 AM
to waffle...@googlegroups.com
Hi Daniel,

Our domain admin told us that the user running the Windows Service has this right "logon as a batch job" - we even tried with an admin domain user, same result.

Do you have any other idea of what could cause that "java.io.IOException: com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid" error?

We are running out of ideas, and customers who use our product have security policies that disallow them from running a Windows Service as Local System; they have to run under a domain user...

Thanks for your help.

Francois

Daniel Doubrovkine

Oct 14, 2015, 10:33:14 AM
to waffle...@googlegroups.com
The higher-privileged the account you try here, the more locked down that account will be for running as a service, impersonating users and logging in on their behalf.

I think the next step is to explore NTLM/Kerberos logging; there are links in https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md.

nicktes...@gmail.com

Jan 13, 2016, 8:19:28 AM
to waffle
Hello,

Did you ever get this working? It's quite old now, but I have had similar issues. Some things that might help: for me, in the end, I removed "Trust this user for delegation" from the account running the service, and we also had the "use AES 128" box checked on the user account, which we unchecked. After we did this it started working for me. Not entirely sure why. When I was running Wireshark the client always got KRB5KRB_AP_ERR_MODIFIED. Another thing I found which seemed promising, but in the end didn't help me but might help you, is this change:


Regards,
Nick

Daniel Doubrovkine

Jan 13, 2016, 8:20:30 AM
to waffle...@googlegroups.com
Nick,

It would be helpful to build together a good FAQ on this problem; maybe you can contribute?

Thanks,
dB.


Francois Eyl

Jan 13, 2016, 9:56:34 AM
to waffle...@googlegroups.com
Thanks Nick for your feedback! No, we have not resolved this yet; our network/sys admin is in talks with Microsoft Support, and it is taking a while to get them to actually do something. I'll forward this info to our guys and see if that solves the issue.

I'll keep you posted.

Thanks!
- Francois


Ramarao P

Jul 25, 2017, 3:16:27 AM
to waffle
Hi,

Is there any update on the issue?
I have a problem when I run the app server as a Windows service.
I am getting the below error:
GenericException:com.sun.jna.platform.win32.Win32Exception: The handle specified is invalid.

Someone said that when we trust the service account for delegation, it fixes the issue. However, my network security team won't provide delegation to any service, as it isn't secure.

“Trust this user for delegation to any service (Kerberos only)”


Can you please help resolve the issue? Is there any specific service for delegation instead of any?
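Nick's fix (removing delegation and unchecking AES 128, with KRB5KRB_AP_ERR_MODIFIED on the wire) and Ramarao's question (delegation to a specific service rather than "any service") both come down to three attributes of the service account in Active Directory. The script below is an added example, not from this thread and not part of Waffle: it reads those attributes with the RSAT ActiveDirectory module, classifies the delegation mode (unconstrained versus constrained, which is what "Trust this user for delegation to specified services only" writes into msDS-AllowedToDelegateTo), decodes the msDS-SupportedEncryptionTypes bit mask behind the AES checkboxes, and checks which account actually holds the HTTP SPN. The account name and SPN are placeholders; the script only reads.

```powershell
# Added example, not part of the thread or of Waffle: read-only report of the
# Kerberos-relevant settings on a service account (delegation type, permitted
# encryption types, SPN registration). Requires the RSAT ActiveDirectory module.
# Account and SPN are placeholders.
Import-Module ActiveDirectory

$Account = 'svc-webapp'                    # placeholder: sAMAccountName of the service account
$Spn     = 'HTTP/webserver.corp.example'   # placeholder: SPN the browser requests a ticket for

$u = Get-ADUser -Identity $Account -Properties TrustedForDelegation, TrustedToAuthForDelegation,
        'msDS-AllowedToDelegateTo', 'msDS-SupportedEncryptionTypes', servicePrincipalName

# Delegation mode. "Trust this user for delegation to any service" sets
# TrustedForDelegation (unconstrained). Listing targets in msDS-AllowedToDelegateTo
# is the constrained form ("to specified services only") Ramarao asks about.
$targets = @($u.'msDS-AllowedToDelegateTo')
if ($u.TrustedForDelegation) {
    $delegation = 'unconstrained (any service)'
} elseif ($targets.Count -gt 0) {
    $delegation = 'constrained to: ' + ($targets -join ', ')
} else {
    $delegation = 'none'
}
if ($u.TrustedToAuthForDelegation) { $delegation += ' (with protocol transition)' }

# msDS-SupportedEncryptionTypes is a bit mask; the "This account supports ..."
# checkboxes in the AD UI toggle these bits.
$encBits = @{ 1 = 'DES-CBC-CRC'; 2 = 'DES-CBC-MD5'; 4 = 'RC4-HMAC'; 8 = 'AES128'; 16 = 'AES256' }
$enc = $u.'msDS-SupportedEncryptionTypes'
if ($enc) {
    $encNames = $encBits.Keys | Sort-Object | Where-Object { $enc -band $_ } | ForEach-Object { $encBits[$_] }
} else {
    $encNames = @('(not set: domain default applies)')
}

# Which object(s) hold the SPN. The SPN must sit on exactly the account that runs
# the service: a duplicate, or an SPN on another account, makes the KDC encrypt
# the service ticket with a key the service does not have, and the service
# rejects it with KRB5KRB_AP_ERR_MODIFIED, the error Nick saw in Wireshark.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" |
             Select-Object -ExpandProperty DistinguishedName)

[pscustomobject]@{
    Account         = $u.SamAccountName
    Delegation      = $delegation
    EncryptionTypes = ($encNames -join ', ')
    RegisteredSPNs  = ($u.servicePrincipalName -join ', ')
    SpnHeldBy       = ($holders -join '; ')
    SpnOk           = ($holders.Count -eq 1 -and $holders[0] -eq $u.DistinguishedName)
} | Format-List
```

Two readings of the report matter for this thread. SpnOk false (SPN missing, duplicated, or on a different account) is the usual cause of KRB5KRB_AP_ERR_MODIFIED and is worth fixing before touching encryption types; setspn -X lists duplicate SPNs forest-wide. Delegation is not needed at all for the browser-to-Waffle hop itself, which is why removing it did not break Nick's setup; it is only required if the service must forward the user's identity to a back end, and in that case the constrained form answers the security team's objection to "any service".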
