Windows Authentication Pop-Up using WAFFLE and JBoss/Tomcat


shark...@gmail.com

Jun 5, 2013, 10:00:44 AM
to waffle...@googlegroups.com

I have an environment I am trying to set up using WAFFLE, but I continue to get a Windows authentication pop-up box when I try to access the application. Here is the server-side log:


2013-06-05 08:36:28,637 INFO  [waffle.servlet.NegotiateSecurityFilter] GET /public_html/controller, contentlength: -1
2013-06-05 08:36:28,637 INFO  [waffle.servlet.NegotiateSecurityFilter] authorization required
2013-06-05 08:36:28,652 INFO  [waffle.servlet.NegotiateSecurityFilter] GET /public_html/controller, contentlength: -1
2013-06-05 08:36:28,652 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] security package: Negotiate, connection id: 10.64.4.34:50692
2013-06-05 08:36:28,668 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] token buffer: 2843 byte(s)
2013-06-05 08:36:28,824 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue token: oXwweqADCgEBoQsGCSqGSIL3EgECAqJmBGRgYgYJKoZIhvcSAQICAwB+UzBRoAMCAQWhAwIBHqQRGA8yMDEzMDYwNTEzMzYyOFqlBQIDBHEOpgMCASmpERsPQ0NDLkNPT1BDQU0uQ09NqhMwEaADAgEBoQowCBsGYXBwdHJp
2013-06-05 08:36:28,824 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue required: true
2013-06-05 08:36:28,840 INFO  [waffle.servlet.NegotiateSecurityFilter] GET /public_html/controller, contentlength: -1
2013-06-05 08:36:28,840 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] security package: Negotiate, connection id: 10.64.4.34:50692
2013-06-05 08:36:28,840 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] token buffer: 2786 byte(s)
2013-06-05 08:36:28,840 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue token: oW8wbaADCgEBomYEZGBiBgkqhkiG9xIBAgIDAH5TMFGgAwIBBaEDAgEepBEYDzIwMTMwNjA1MTMzNjI4WqUFAgMErhemAwIBKakRGw9DQ0MuQ09PUENBTS5DT02qEzARoAMCAQGhCjAIGwZhcHB0cmk=
2013-06-05 08:36:28,840 INFO  [waffle.servlet.spi.NegotiateSecurityFilterProvider] continue required: true

 

Here are my settings in the web.xml for WAFFLE:

   <!-- ================== WAFFLE Filter Configuration ==================== -->
   <filter>
       <filter-name>WaffleSecurityFilter</filter-name>
       <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
       <init-param>
         <param-name>principalFormat</param-name>
         <param-value>fqn</param-value>
       </init-param>
       <init-param>
         <param-name>roleFormat</param-name>
         <param-value>both</param-value>
       </init-param>
       <init-param>
         <param-name>allowGuestLogin</param-name>
         <param-value>false</param-value>
       </init-param>
       <init-param>
         <param-name>securityFilterProviders</param-name>
         <param-value>waffle.servlet.spi.NegotiateSecurityFilterProvider</param-value>
       </init-param>
       <init-param>
         <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
         <param-value>Negotiate</param-value>
       </init-param>
   </filter>
   <filter-mapping>
       <filter-name>WaffleSecurityFilter</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>


This JBoss configuration, including these WAFFLE settings, is a direct copy from another installation that does work properly.

When we put the user/password credentials into the pop-up, we just get prompted for them again. In fact this happens several times, then it will give us a separate authentication error page.

The browser is already set with the "Enable Windows Integrated Authentication" as checked, and the application server has been added to the Local Intranet zone.

Any ideas?

Thanks in Advance!

Daniel Doubrovkine

Jun 5, 2013, 5:23:23 PM
to waffle...@googlegroups.com
You should go through the regular troubleshooting steps in https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md; most likely this is an SPN issue.

--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock


shark...@gmail.com

Jun 5, 2013, 6:23:46 PM
to waffle...@googlegroups.com
I went through the standard troubleshooting and did update the IE browser setting under Local Intranet to check Automatically Detect Intranet network. But that did not appear to help.
We also went through the WAFFLE issues that had been previously logged and found some that were very similar. But the solutions for the ones that were similar were already in place here.
One area that I am not that aware of is Kerberos. I had an IT person making some SPN updates earlier, but that did not resolve the issues. I just checked my SPN settings on a machine, but do not know what they mean. What should I see for SPN?

Daniel Doubrovkine

Jun 5, 2013, 6:45:14 PM
to waffle...@googlegroups.com
That's kinda the crux of the problem. I think you really need to read up on SPNs; http://msdn.microsoft.com/en-us/library/windows/desktop/ms677949(v=vs.85).aspx is a decent start.

This list can definitely help you; start by saying which accounts your client/server run as, then what the output of setspn -L tells you.

 
 
 
 

On Wednesday, June 5, 2013 4:23:23 PM UTC-5, Daniel Doubrovkine wrote:
You should go through the regular troubleshooting steps in https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md, most likely this is an SPN issue.
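
Added example, not part of the thread and not WAFFLE code: the second "continue token" in the server log above is a SPNEGO NegTokenResp that wraps a Kerberos KRB-ERROR, and this sketch decodes it with a minimal DER reader to show the error code, realm and service name the server sent back. The names `tlv`, `elements`, `decode_continue_token` and `KRB_ERRORS` are hypothetical helpers written for this illustration.

```python
import base64

# Second "continue token" value copied from the server log in this thread.
TOKEN_B64 = ("oW8wbaADCgEBomYEZGBiBgkqhkiG9xIBAgIDAH5TMFGgAwIBBaEDAgEepBEY"
             "DzIwMTMwNjA1MTMzNjI4WqUFAgMErhemAwIBKakRGw9DQ0MuQ09PUENBTS5D"
             "T02qEzARoAMCAQGhCjAIGwZhcHB0cmk=")

# A few RFC 4120 error codes often met while troubleshooting SPNs (not exhaustive).
KRB_ERRORS = {7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 37: "KRB_AP_ERR_SKEW",
              41: "KRB_AP_ERR_MODIFIED"}

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def elements(buf):
    """List the (tag, value) pairs packed directly inside buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def decode_continue_token(b64):
    """Return the KRB-ERROR fields inside a SPNEGO NegTokenResp, or None if absent."""
    tag, body, _ = tlv(base64.b64decode(b64))
    if tag != 0xA1:                         # [1] NegTokenResp
        return None
    resp = dict(elements(tlv(body)[1]))     # fields of the inner SEQUENCE
    if 0xA2 not in resp:                    # no [2] responseToken
        return None
    gss = tlv(tlv(resp[0xA2])[1])[1]        # OCTET STRING -> [APPLICATION 0] wrapper
    pos = tlv(gss)[2]                       # skip the mechanism OID
    if gss[pos:pos + 2] != b"\x03\x00":     # Kerberos TOK_ID of a KRB-ERROR
        return None
    err = dict(elements(tlv(tlv(gss, pos + 2)[1])[1]))  # [APPLICATION 30] -> SEQUENCE
    code = int.from_bytes(tlv(err[0xA6])[1], "big")     # [6] error-code
    sname = dict(elements(tlv(err[0xAA])[1]))           # [10] sname (PrincipalName)
    names = [v.decode("ascii") for _, v in elements(tlv(sname[0xA1])[1])]
    return {"neg_state": tlv(resp[0xA0])[1][0],         # 1 = accept-incomplete
            "error_code": code, "error_name": KRB_ERRORS.get(code, "see RFC 4120"),
            "realm": tlv(err[0xA9])[1].decode("ascii"), "sname": "/".join(names)}

if __name__ == "__main__":
    print(decode_continue_token(TOKEN_B64))
```

On this token the decoder reports error code 41 (KRB_AP_ERR_MODIFIED) for service name `apptri`, the error typically returned when a service cannot decrypt the presented ticket with its own key, which is consistent with the SPN diagnosis given in the thread.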
