Microsoft SSPI error - Security System was unable to authenticate to the server HTTP/host because the server has completed the authentication, but the client authentication protocol Kerberos has not

Douglas E. Engert deengert at anl.gov
Mon Oct 3 10:33:42 EDT 2011



On 10/3/2011 9:12 AM, Alon Bar-Lev wrote:
> Hello,
>
> I have a configuration of Active Directory 2003 R2 SP3 working with
> Linux mod_auth_kerb.
> I use SPNEGO for Subversion.
> When using Linux, all works great!
> When using Windows XP (and Windows 7), the Firefox/IE/cifs clients work great.
>
> The problem is Subversion, which uses neon; it gets the following:

Googling for: neon SPNEGO
shows a lot of issues. Maybe you are seeing one of them?


> ---
> Running post_send hooks
> ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
> coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
> DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
> DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
> auth: SSPI challenge.
> InitializeSecurityContext [fail] [80090304].
> sspi: initializeSecurityContext [failed] [80090304].
> ---
>
> In the Windows event log I see the following:
> ---
> Event Type:	Warning
> Event Source:	LSASRV
> Event Category:	SPNEGO (Negotiator)
> Event ID:	40962
> Date:		10/3/2011
> Time:		3:55:38 PM
> User:		N/A
> Computer:	VALON
> Description:
> The Security System was unable to authenticate to the server
> HTTP/correlux-gentoo.correlsense.com because the server has completed
> the authentication, but the client authentication protocol Kerberos
> has not.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ---
>
> Has anyone seen this before?
> I tried many configurations, but without success:
> ---
> Gentoo
> ---
> dev-libs/openssl-1.0.0e ->  also downgraded to openssl-0.9.8f
> www-servers/apache-2.2.21
> www-apache/mod_auth_kerb-5.4 ->  also downgraded to mod_auth_kerb-5.1
> net-fs/samba-3.5.11
> app-crypt/mit-krb5-1.9.1 ->  also downgraded to 1.6.3
> ---
>
> The strange thing is that I have a CentOS server on the same network
> with *MUCH* older packages and it does work...
> ---
> CentOS
> ---
> openssl-0.9.8e-20.el5
> httpd-2.2.3-53.el5.centos.1
> mod_ssl-2.2.3-53.el5.centos.1
> mod_auth_kerb-5.1-3.el5
> samba-3.0.33-3.29.el5_7.4
> krb5-workstation-1.6.1-62.el5
> ---
>
> I cannot reach this old state on Gentoo, but I cannot explain the
> difference between the two machines. I use the same procedure to add
> them to the domain:
> <edit smb.conf>
> net ads join
> net ads keytab create
> net ads keytab add HTTP cifs
>
> The same configuration for both.
>
> I don't know how to activate logs at the Microsoft end...
> I tried to add Lsa\Kerberos\Parameters debug and logging keys, but
> nothing is generated.
>
> Any clue?
>
> Thanks,
> Alon.
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
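
Added example, not part of the original thread: a small DER walker that decodes the `WWW-Authenticate: Negotiate` token from the quoted neon output, so the server's reply on the failing host can be compared field by field with one from the working host. The function names are my own; the tag numbers assume the NegTokenResp layout of RFC 4178 and the Kerberos GSS-API token framing of RFC 4121.

```python
import base64

# Token copied from the quoted neon debug output (WWW-Authenticate: Negotiate ...).
TOKEN_B64 = (
    "oYGfMIGcoAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA"
    "DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u"
    "DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2"
)
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
KRB5_TOK_IDS = {b"\x01\x00": "AP-REQ", b"\x02\x00": "AP-REP", b"\x03\x00": "KRB-ERROR"}

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def fields(buf):  # map tag -> raw value for each element inside a constructed value
    out, pos = {}, 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out[tag] = val
    return out

def oid(der):
    arcs, n = [der[0] // 40, der[0] % 40], 0
    for b in der[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def describe(token_b64):
    tag, body, _ = tlv(base64.b64decode(token_b64))
    if tag != 0xA1:  # [1] = NegTokenResp; an initial NegTokenInit starts with 0x60
        raise ValueError("not a SPNEGO NegTokenResp")
    resp = fields(tlv(body)[1])
    gss = tlv(tlv(resp[0xA2])[1])[1]   # responseToken OCTET STRING -> GSS-API wrapper
    pos = tlv(gss)[2]                  # skip the mechanism OID; a 2-byte TOK_ID follows
    ap_rep = fields(tlv(tlv(gss, pos + 2)[1])[1])  # [APPLICATION 15] SEQUENCE
    return {"negState": NEG_STATES[tlv(resp[0xA0])[1][0]],
            "supportedMech": oid(tlv(resp[0xA1])[1]),
            "krb5Token": KRB5_TOK_IDS[gss[pos:pos + 2]],
            "msgType": tlv(ap_rep[0xA1])[1][0],
            "encPartEtype": tlv(fields(tlv(ap_rep[0xA2])[1])[0xA0])[1][0]}
```

For the token in this thread, `describe(TOKEN_B64)` reports `accept-completed`, mechanism 1.2.840.113554.1.2.2 (Kerberos 5), and an AP-REP (message type 15) whose encrypted part uses etype 23 (rc4-hmac). That matches the event log's statement that the server side had completed authentication when the client's `InitializeSecurityContext` call failed.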


