Waffle server and WCF client - error logging in user: The token supplied to the function is invalid.

Elišák a Filinda Půbalovi

unread,

Feb 6, 2014, 4:16:58 AM2/6/14

to waffle...@googlegroups.com

Hello,

I have common stack - Tomcat7, Spring3, SpringSecurity2, Waffle 1.5 (waffle-spring-security2).

<bean id="waffleWindowsAuthProvider" class="waffle.windows.auth.impl.WindowsAuthProviderImpl"/>

<bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
  <constructor-arg ref="waffleWindowsAuthProvider"/>
  <property name="protocols">
   <list>
    <value>NTLM</value>
    <value>Negotiate</value>
   </list>
  </property>
</bean>

This works with IE and Chrome.

IE use NTLM, Chrome choose Negotiate.

But now I create client in C# (WCF).

Again common configuration.

binding.Security.Mode = BasicHttpSecurityMode.TransportCredentialOnly;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

// binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;

With HttpClientCredentialType.Ntlm(=ntml) WCF can't connect (error logging in user: The token supplied to the function is invalid.)

With HttpClientCredentialType.Windows (=negotiate) same error.

I find out that HttpClientCredentialType.Windows (=negotiate) only works when I run Tomcat as windows service.

http://www.visualsvn.com/support/topic/00052/

This is working workaround.

Anyone can help me configure Waffle or WCF make it work as in IE or Chrome (out of the box, no additional configuration).

08:24:26 DEBUG http-apr-8080-exec-2:null [w.s.NegotiateSecurityFilterEntryPoint] - [waffle.spring.NegotiateEntryPoint] commence
08:24:26 DEBUG http-apr-8080-exec-4:null [w.s.s.NegotiateSecurityFilterProvider] - security package: Negotiate, connection id: 10.0.0.105:57808
08:24:26 DEBUG http-apr-8080-exec-4:null [w.s.s.NegotiateSecurityFilterProvider] - token buffer: 119 byte(s)
08:24:26 DEBUG http-apr-8080-exec-4:null [w.s.s.NegotiateSecurityFilterProvider] - continue token: oYHcMIHZoAMKAQGhDAYKKwYBBAGCNwICCqKBwwSBwE5UTE1TU1AAAgAAAAwADAA4AAAAFcKZ4v7Ok/cGmBPIoI1A1QsAAAB8AHwARAAAAAYC8CMAAAAPTQBBAFIAQgBFAFMAAgAMAE0AQQBSAEIARQBTAAEACgBQAFUAQgBBAEwABAASAG0AYQByAGIAZQBzAC4AYwB6AAMAHgBwAHUAYgBhAGwALgBtAGEAcgBiAGUAcwAuAGMAegAFABIAbQBhAHIAYgBlAHMALgBjAHoABwAIAEv3P9kUI88BAAAAAA==
08:24:26 DEBUG http-apr-8080-exec-4:null [w.s.s.NegotiateSecurityFilterProvider] - continue required: true
08:24:26 DEBUG http-apr-8080-exec-6:null [w.s.s.NegotiateSecurityFilterProvider] - security package: Negotiate, connection id: 10.0.0.105:57809
08:24:26 DEBUG http-apr-8080-exec-6:null [w.s.s.NegotiateSecurityFilterProvider] - token buffer: 121 byte(s)
08:24:26 WARN http-apr-8080-exec-6:null [w.s.NegotiateSecurityFilter] - error logging in user: The token supplied to the function is invalid.

Daniel Doubrovkine

unread,

Feb 6, 2014, 7:57:28 AM2/6/14

to waffle...@googlegroups.com

I suspect that either WCF introduces an extra "hop" or at least uses a different kind of logon context to initiate the Negotiate protocol. When you use a browser, you use the logon context of an interactive session, but who knows what WCF does and whether it has multiple processes involved in this dance.

Let us know if you find a solution, this belongs in the FAQ.

--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock

venkatuk5

unread,

Jun 8, 2017, 5:35:22 PM6/8/17

to waffle

Hi Daniel,

In server side can we accept the token from client and process to get the identity. what was the steps to do with Negotiate.

Reply all

Reply to author

Forward