Problem authenticating from remote browser, works locally


Ray Sutton

Jan 14, 2015, 11:44:37 AM
to waffle...@googlegroups.com
Hello,

Just started with Waffle, complete Windows security novice. I'm having a problem authenticating users on a different subnet to the server that I don't understand; any insights appreciated. I've copied the jars to the lib directory of a Tomcat 8.0.15 install that has been configured to run in full SSL mode with 8080 redirecting through 8443 at the server level. Without authentication everything works as expected.

Based on the Waffle-filter example I added the code below to the server-level web.xml file. Having done so, Waffle requests authentication when the server is accessed via localhost (remote desktop into the box) and I can see my AD groups listed in the console and all appears well. However, when I attempt to log in from my laptop (which is a MacBook Pro) as a remote connection I get an immediate exception (HTTP 500 with message "login attempt failed"). Logging in from another 2008 server on the same subnet as the Tomcat server works, but asking a Windows user on a different subnet to attempt login also failed with a slightly different message indicating the token was invalid.

Exception in the log for the attempt from the MBP:

13-Jan-2015 16:32:43.987 SEVERE [http-nio-8443-exec-11] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [jsp] in context with path [] threw exception
 com.sun.jna.platform.win32.Win32Exception: The logon attempt failed
        at waffle.windows.auth.impl.WindowsAuthProviderImpl.acceptSecurityToken(WindowsAuthProviderImpl.java:134)
        at waffle.servlet.spi.NegotiateSecurityFilterProvider.doFilter(NegotiateSecurityFilterProvider.java:103)
        at waffle.servlet.spi.SecurityFilterProviderCollection.doFilter(SecurityFilterProviderCollection.java:130)
        at waffle.servlet.NegotiateSecurityFilter.doFilter(NegotiateSecurityFilter.java:98)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:613)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1085)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

web.xml addition (added just before the closing tag):

<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
    <init-param>
        <param-name>principalFormat</param-name>
        <param-value>fqn</param-value>
    </init-param>
    <init-param>
        <param-name>roleFormat</param-name>
        <param-value>both</param-value>
    </init-param>
    <init-param>
        <param-name>allowGuestLogin</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>impersonate</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>securityFilterProviders</param-name>
        <param-value>
            waffle.servlet.spi.BasicSecurityFilterProvider
            waffle.servlet.spi.NegotiateSecurityFilterProvider
        </param-value>
    </init-param>
    <init-param>
        <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
        <param-value>
            Negotiate
            NTLM
        </param-value>
    </init-param>
    <init-param>
        <param-name>waffle.servlet.spi.BasicSecurityFilterProvider/realm</param-name>
        <param-value>WaffleFilterDemo</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


Any help you can provide is appreciated,

Thanks

Ray

Daniel Doubrovkine

Jan 14, 2015, 2:48:30 PM
to waffle...@googlegroups.com
So, generally these things should be troubleshot via "normal" troubleshooting, and each case will be different. I always start here: https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md

How is the mac joined to the domain? Assuming it is. I am not familiar with the recent tools available on OSX for this, and then the browser is not IE and probably needs special settings to do NTLM. Generally curious about how this works :)

For the other subnet, the first thing is to find out whether this is choosing to do NTLM or Kerberos, and if it's the latter you need to make sure there's a proper SPN in place. All that is described in the troubleshooting steps.

Let us know what you see.


--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
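
Daniel's first step above (find out whether the client is doing NTLM or Kerberos) can be answered from the Authorization header the browser sends, before touching SPNs. The script below is an added example, not code from this thread or from Waffle: it decodes a `Negotiate` or `NTLM` header, tells a raw NTLMSSP message apart from a SPNEGO token, lists the mechanisms a SPNEGO client offers in its preference order, and for an NTLM AUTHENTICATE (type 3) message extracts the domain, user and workstation the client claimed. The sample headers, the names `WORKGROUP`, `ray` and `SAMPLE-MBP`, and all helper functions are constructed for this example; the byte patterns come from MS-NLMP, RFC 4178 and RFC 4121.

```python
import base64
import struct

# Byte patterns from the protocol specs (MS-NLMP, RFC 4178, RFC 4121).
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("06092a864882f712010202")      # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {KRB5_OID: "Kerberos V5", MSKRB5_OID: "MS KRB5", NTLMSSP_OID: "NTLMSSP"}


def parse_authorization(header_value):
    """Split 'Negotiate <b64>' / 'NTLM <b64>' into (scheme, raw token bytes)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme not in ("Negotiate", "NTLM"):
        raise ValueError("not a Negotiate/NTLM Authorization header: %r" % scheme)
    return scheme, base64.b64decode(token.strip(), validate=True)


def _ntlm_field(raw, offset):
    """Read an NTLM security buffer (Len, MaxLen, BufferOffset) and return its bytes."""
    length, _max_len, buf_offset = struct.unpack_from("<HHI", raw, offset)
    return raw[buf_offset:buf_offset + length]


def parse_ntlm(raw):
    """Classify a raw NTLMSSP message; for AUTHENTICATE (type 3) extract the identity fields."""
    if len(raw) < 12:
        return {"mechanism": "NTLM", "error": "truncated"}
    info = {"mechanism": "NTLM", "message_type": struct.unpack_from("<I", raw, 8)[0]}
    if info["message_type"] == 3 and len(raw) >= 64:
        flags = struct.unpack_from("<I", raw, 60)[0]
        # Strings are UTF-16LE when NEGOTIATE_UNICODE is set, else OEM (approximated as latin-1).
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _ntlm_field(raw, 28).decode(enc)
        info["user"] = _ntlm_field(raw, 36).decode(enc)
        info["workstation"] = _ntlm_field(raw, 44).decode(enc)
    return info


def classify_token(raw):
    """Distinguish raw NTLM, SPNEGO (with offered mechanisms in order) and unknown tokens."""
    if raw.startswith(NTLMSSP_SIGNATURE):   # raw NTLMSSP, under either header scheme
        return parse_ntlm(raw)
    if raw[:1] in (b"\x60", b"\xa1"):       # GSS InitialContextToken / NegTokenResp
        # Heuristic substring search rather than a full ASN.1 parse: the mechTypes list is
        # the first place these OIDs appear, so byte position reflects the client's order.
        found = sorted((raw.find(oid), name) for oid, name in MECH_NAMES.items() if oid in raw)
        if SPNEGO_OID in raw:
            return {"mechanism": "SPNEGO", "offered": [name for _, name in found]}
        if found:
            return {"mechanism": "raw GSS " + found[0][1]}
    return {"mechanism": "unknown"}


def diagnose(header_value):
    """Full report for one Authorization header value."""
    scheme, raw = parse_authorization(header_value)
    result = {"scheme": scheme}
    result.update(classify_token(raw))
    return result


# --- constructed sample tokens (not captured traffic) ---------------------------------

def build_ntlm_negotiate():
    """Minimal NTLM NEGOTIATE_MESSAGE (type 1) with empty domain/workstation buffers."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, NTLMSSP_NEGOTIATE_UNICODE) + bytes(16)


def build_ntlm_authenticate(domain, user, workstation):
    """Minimal NTLM AUTHENTICATE_MESSAGE (type 3); challenge responses deliberately empty."""
    header_len, fields, payload = 64, b"", b""
    for value in (b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
                  workstation.encode("utf-16-le"), b""):
        fields += struct.pack("<HHI", len(value), len(value), header_len + len(payload))
        payload += value
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + fields
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload)


def _der(tag, body):
    assert len(body) < 128, "short-form DER length is enough for these samples"
    return bytes([tag, len(body)]) + body


def build_spnego_init(mech_oids):
    """NegTokenInit offering the given mechTypes in order (RFC 4178 layout, short lengths)."""
    mech_types = _der(0xA0, _der(0x30, b"".join(mech_oids)))
    return _der(0x60, SPNEGO_OID + _der(0xA0, _der(0x30, mech_types)))


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


SAMPLE_HEADERS = {  # constructed for this example
    "negotiate_kerberos_first": "Negotiate " + _b64(build_spnego_init([MSKRB5_OID, KRB5_OID, NTLMSSP_OID])),
    "negotiate_ntlm_only": "Negotiate " + _b64(build_spnego_init([NTLMSSP_OID])),
    "ntlm_type1": "NTLM " + _b64(build_ntlm_negotiate()),
    "ntlm_type3": "NTLM " + _b64(build_ntlm_authenticate("WORKGROUP", "ray", "SAMPLE-MBP")),
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, "->", diagnose(header))
```

Run `diagnose()` on a header copied from the browser's developer tools or a Tomcat request dump from each client. A SPNEGO token that lists a Kerberos mechanism first means the SPN check matters; a raw NTLMSSP token or an NTLMSSP-only mechType list means Kerberos was never attempted. For an NTLM type 3 that Waffle rejects at `acceptSecurityToken`, comparing the domain and workstation fields against those from a client that works is a concrete next step.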
Ray Sutton

Jan 15, 2015, 6:48:41 PM
to waffle...@googlegroups.com
Thanks for the pointers,

I now believe this problem is specific to the Safari browser. I had my co-worker retest with Firefox after closing & reopening, and it worked; I believe they fat-fingered the password the first time. I also tried from Firefox on OS X (which hadn't occurred to me to do: read ID10T user) and it works there as well; I also downloaded and installed Opera, and that worked too. The site is however inaccessible from Safari on either OS X (Mavericks) or Windows 7 (VM on same machine).

I did find this reference http://apple.stackexchange.com/questions/118150/safari-7-cant-connect-to-intranet-using-http-authentication to an unrelated problem with Safari; based on this, for the hell of it, I tried forcing NTLM by changing the init parameter in the filter definition to

<init-param>
    <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
    <param-value>
        NTLM
    </param-value>
</init-param>

i.e. not really allowing it to negotiate. Having made this change it worked in Safari on OS X, and Firefox and Opera still work as well. I've yet to try the Windows client or retest Safari after restarting it (I'd lose this post) but have no reason to expect problems in either scenario.

Hope the fix proves useful to someone  

Daniel Doubrovkine

Jan 16, 2015, 7:09:22 AM
to waffle...@googlegroups.com
That makes a lot of sense. NTLM, btw, is not any less secure than Kerberos.

Greg Thomas

Jun 22, 2016, 9:52:57 AM
to waffle
> That makes a lot of sense. NTLM, btw, is not any less secure than Kerberos.

I'm not sure MS would agree. http://msdn.microsoft.com/en-us/library/cc236715(v=PROT.10).aspx suggests "applications are generally advised not to use NTLM".

Daniel Doubrovkine

Jun 22, 2016, 2:20:11 PM
to waffle...@googlegroups.com
You're probably right, my information is fairly old from when I was allowed into building 41 :)

On Wed, Jun 22, 2016 at 9:52 AM, Greg Thomas <greg.d...@gmail.com> wrote:
>> That makes a lot of sense. NTLM, btw, is not any less secure than Kerberos.
>
> I'm not sure MS would agree. http://msdn.microsoft.com/en-us/library/cc236715(v=PROT.10).aspx suggests "applications are generally advised not to use NTLM".
