spring-security-kerberos icon indicating copy to clipboard operation
spring-security-kerberos copied to clipboard

Published 20 hours ago verified publisher icon spring-projects

Error message "Negotiate Header was invalid"

Open rwinch opened this issue 9 years ago • 4 comments

hello,

we are seeing occasionally below error in a number of applications using spring security

Error:

Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2016-04-07T09:45:38.000+00:00 [App/0] OUT org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful
2016-04-07T09:45:38.000+00:00 [App/0] OUT at com.fil.dc.authentication.provider.KerberosServiceAuthenticationProvider.authenticate(KerberosServiceAuthenticationProvider.java:44) ~[dc-Authentication-Api-1.0.0.jar:na] 

Caused by: org.ietf.jgss.GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
2016-04-07T09:45:35.000+00:00 [App/0] OUT at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97) ~[na:1.8.0_71-]
2016-04-07T09:45:35.000+00:00 [App/0] OUT at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306) ~[na:1.8.0_71-]
2016-04-07T09:45:35.000+00:00 [App/0] OUT at org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:170) ~[spring-security-kerberos-core-1.0.1.RELEASE.jar:1.0.1.RELEASE] 


http://forum.spring.io/forum/spring-projects/security/121613-spring-security-spnego-kerberos-sso

Since the application is deployed in cloud foundry and the error is occasional we have ruled out some of the suggestions on web i.e.

  1. application and ARS deployed on same server
  2. network connectivity issues - since we have not seen any firewall drops.

I found this archived link of spring forums with no conclusive solution before the forums were closed. http://forum.spring.io/forum/spring-projects/security/121613-spring-security-spnego-kerberos-sso.

Please can you advise if an issue was found with a solution or guide towards a direction because it seems instead of SPNEGO, NTLM is being used.

rwinch avatar Apr 07 '16 20:04 rwinch

any luck with the above issue

mehrotra-prateek avatar Apr 16 '16 12:04 mehrotra-prateek

Technically, SPNEGO is being used. What's likely happening is that the client only seems to support NTLM and that is the negotiated authentication sub-mechanism between client and server. I am seeing a similar issue, but it would appear that the SPNEGO filter not is handling the NTLM mechanism at all.

I'm running into a similar issue where I have a client that doesn't yet support Kerberos and only supports NTLM. Thus, I'm in the same boat you are.

damnhandy avatar Apr 27 '16 13:04 damnhandy

I've done some digging and it appears to have nothing to do with NTLM, but how the user ID is presented. If NTLM token uses a username in the form of "someuser", it doesn't work. But, if you format the user credentials in the form of DOMAIN\someuser or [email protected] all is good. We've had success in cases where the user is prompted for credentials and used the DOMAIN\someuser format.

damnhandy avatar May 04 '16 13:05 damnhandy

Hi Danhandy. i also facing same issue. can you help me how to solve this iisue?

karuppasamy20 avatar Jul 14 '20 04:07 karuppasamy20