Negotiate protocol problem (Waffle 1.4)


Milán Horváth

Mar 4, 2014, 6:31:53 PM
to waffle...@googlegroups.com
Hi Daniel

I have 2 questions:

1: is it possible to disable Negotiate protocol in Spring-Security Negotiate Filter? If yes, how? (a config example would be good)
2: the Negotiate protocol is not working as expected in Spring-Security Negotiate Filter.
In Internet Explorer the authentication (with Negotiate protocol) is not working. See the log with IEHTTPHeaders in IE.log attached.

But with wfetch.exe it seems to work fine.
See attached wfetch.log.

Do you have an idea?
Thanks in advance: Milan

Comment:
If I disable Negotiate in the Waffle Servlet Security Filter, NTLM is working fine.
That's why I wish to disable negotiate in Spring-Security Negotiate (NTLM and Kerberos) Filter (at least for testing purposes).
I'm using Waffle 1.4 (Java 5) with Spring Security 2.0.
Attachments: wfetch.log, IE.log

Milán Horváth

Mar 5, 2014, 2:59:05 AM
to waffle...@googlegroups.com
update:

Realized (after some net research) that by IP address (instead of domain name) the SSO is working.
See waffle log + iehttpheaders log in the attached file.

What I don't see from the log is whether WAFFLE in this case used the Kerberos or NTLM protocol.
(What I can see is that it is using the Negotiate protocol.)

Thanks in advance: Milan
Attachment: IE_log+waffle_log_by_IP_success.log

Daniel Doubrovkine

Mar 5, 2014, 10:13:34 AM
to waffle...@googlegroups.com
There's an example right here of how to set the providers that the filter supports. Just remove Negotiate and it will force NTLM. 

Could you please PR a change to the documentation in Docs/spring describing how to do this once you have it all working?


<bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
    <property name="protocols">
        <list>
            <value>NTLM</value>
            <value>Negotiate</value>
        </list>
    </property>
</bean>

Most likely your Negotiate problems are SPN issues. It works with IP because it will choose NTLM for that. See Troubleshooting Kerberos in https://github.com/dblock/waffle/blob/0482f9ed1413450b84d75f61aa09a19461833b2c/Docs/Troubleshooting.md



--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



--

dB. | Moscow - Geneva - Seattle - New York
code.dblock.org - @dblockdotorg - artsy.net - github/dblock

Daniel Doubrovkine

Mar 5, 2014, 10:13:58 AM
to waffle...@googlegroups.com
The only way to see that Waffle (Windows) chooses Kerberos is that those authorization headers are very long :)
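
Added example (not part of the original posts, and not Waffle code): the mechanism can also be read from the logged Authorization header itself, because a token that begins with NTLMSSP is NTLM even under the Negotiate scheme, while a SPNEGO token lists its mechanism OIDs in order of preference. The function names and the sample headers are constructed for illustration; the OID scan is a heuristic, not a full DER parser.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KERBEROS_OIDS = (
    bytes.fromhex("06092a864886f712010202"),          # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),          # 1.2.840.48018.1.2.2 (Microsoft)
)
OID_NTLM = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def classify(header_value):
    """Label the mechanism carried by an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return "not-windows-auth"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "undecodable"
    if token.startswith(NTLMSSP) and len(token) >= 12:
        return "ntlm-type%d" % struct.unpack_from("<I", token, 8)[0]
    if token[:1] == b"\xa1":
        return "spnego-response"  # later leg; mechanism was chosen earlier
    if token[:1] != b"\x60":
        return "unknown"
    # Heuristic, not a DER parser: in a NegTokenInit the mechTypes list comes
    # first and its first entry is the mechanism the client is attempting.
    hits = [(token.find(oid), "kerberos") for oid in KERBEROS_OIDS]
    hits.append((token.find(OID_NTLM), "ntlm"))
    hits = sorted(h for h in hits if h[0] >= 0)
    wrapper = "spnego" if OID_SPNEGO in token[:16] else "gss"
    return "%s-%s" % (wrapper, hits[0][1]) if hits else "unknown"

def _tlv(tag, body):  # short-form DER tag/length/value, for the samples only
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed header values (not taken from the logs in this thread)."""
    def neg_init(mechs):
        inner = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _tlv(0x30, b"".join(mechs)))))
        return "Negotiate " + base64.b64encode(_tlv(0x60, OID_SPNEGO + inner)).decode()
    raw = NTLMSSP + struct.pack("<I", 1) + b"\x07\x82\x08\xa2"
    return {
        "raw": "Negotiate " + base64.b64encode(raw).decode(),
        "krb": neg_init(KERBEROS_OIDS + (OID_NTLM,)),
        "ntlm": neg_init((OID_NTLM,)),
    }
```

Passing the header values from an IEHTTPHeaders or Waffle log through classify() shows whether a given request attempted Kerberos or fell back to NTLM.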

Milán Horváth

Mar 5, 2014, 4:53:09 PM
to waffle...@googlegroups.com
Thx for the answers!

I tried (before your answer) with the following config (see below) and it worked.
Now I've tried with your code and it also works.
(Surely it is just spring config magic)
See both below.

"Could you please PR a change to the documentation in Docs/spring describing how to do this once you have it all working?"
You mean the roadmap to get Kerberos going or the roadmap how to get rid of Kerberos? :)
Please provide a link where and how to "PR a change to the documentation in Docs/spring".
Thanks.


My config:
<bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
    <property name="protocols" value="NTLM" />
</bean>


Your config:


<bean id="negotiateSecurityFilterProvider" class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
    <property name="protocols">
        <list>
            <value>NTLM</value>
        </list>
    </property>
</bean>
 

Daniel Doubrovkine

Mar 6, 2014, 8:21:14 AM
to waffle...@googlegroups.com
That works too, but mine is more semantically correct because the protocols can be an array. Yours won't work for that.

Appreciate if you could please explain this in the docs and make a pull request.

cheers
dB.

