Microsoft SSPI error - Security System was unable to authenticate to the server HTTP/host because the server has completed the authentication, but the client authentication protocol Kerberos has not

Alon Bar-Lev alon.barlev at gmail.com
Mon Oct 3 10:47:23 EDT 2011


Hi,

I already searched for all the information I could and read most of it.
I know neon is problematic; I have had issues before.
All were eventually resolved after a lot of tears, as Microsoft does not
support decent logging.

Alon

On Mon, Oct 3, 2011 at 4:33 PM, Douglas E. Engert <deengert at anl.gov> wrote:
>
>
> On 10/3/2011 9:12 AM, Alon Bar-Lev wrote:
>> Hello,
>>
>> I have a configuration of Active Directory 2003 R2 SP3 working with
>> Linux mod_auth_kerb.
>> I use SPNEGO for Subversion.
>> When using Linux, everything works great!
>> When using Windows XP (and Windows 7), the Firefox/IE/cifs clients work great.
>>
>> The problem is Subversion, which uses neon; it gets the following:
>
> Googling for: neon SPNEGO
> shows a lot of issues. Maybe you are seeing one of them?
>
>
>> ---
>> Running post_send hooks
>> ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
>> coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
>> DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
>> DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
>> auth: SSPI challenge.
>> InitializeSecurityContext [fail] [80090304].
>> sspi: initializeSecurityContext [failed] [80090304].
>> ---
>>
>> In the Windows event log I see the following:
>> ---
>> Event Type:   Warning
>> Event Source: LSASRV
>> Event Category:       SPNEGO (Negotiator)
>> Event ID:     40962
>> Date:         10/3/2011
>> Time:         3:55:38 PM
>> User:         N/A
>> Computer:     VALON
>> Description:
>> The Security System was unable to authenticate to the server
>> HTTP/correlux-gentoo.correlsense.com because the server has completed
>> the authentication, but the client authentication protocol Kerberos
>> has not.
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>> ---
>>
>> Has anyone seen this before?
>> I tried many configurations, but without success:
>> ---
>> Gentoo
>> ---
>> dev-libs/openssl-1.0.0e ->  also downgraded to openssl-0.9.8f
>> www-servers/apache-2.2.21
>> www-apache/mod_auth_kerb-5.4 ->  also downgraded to mod_auth_kerb-5.1
>> net-fs/samba-3.5.11
>> app-crypt/mit-krb5-1.9.1 ->  also downgraded to 1.6.3
>> ---
>>
>> The strange thing is that I have a CentOS server on the same network
>> with *MUCH* older packages and it does work...
>> ---
>> CentOS
>> ---
>> openssl-0.9.8e-20.el5
>> httpd-2.2.3-53.el5.centos.1
>> mod_ssl-2.2.3-53.el5.centos.1
>> mod_auth_kerb-5.1-3.el5
>> samba-3.0.33-3.29.el5_7.4
>> krb5-workstation-1.6.1-62.el5
>> ---
>>
>> I cannot reach this old state on Gentoo, but I cannot explain the
>> difference between the two machines; I use the same procedure to add
>> them to the domain:
>> <edit smb.conf>
>> net ads join
>> net ads keytab create
>> net ads keytab add HTTP cifs
>>
>> The same configuration for both.
>>
>> I don't know how to activate logs at the Microsoft end...
>> I tried to add Lsa\Kerberos\Parameters debug and logging keys, but
>> nothing is generated.
>>
>> Any clue?
>>
>> Thanks,
>> Alon.
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> --
>
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
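Added example, not part of the original thread: decoding the `WWW-Authenticate: Negotiate` token from the neon debug output quoted above shows what the server sent back in its 201 response. The token is copied from the quoted log with the line wrapping removed; the function names are this example's own, and the parser assumes a SPNEGO NegTokenResp that carries a Kerberos AP-REP, as this one does.

```python
import base64

# Token copied from the neon debug output quoted above, line wrapping removed.
TOKEN_B64 = (
    "oYGfMIG"
    "coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA"
    "DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u"
    "DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2"
)
NEG_STATE = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def fields(buf):
    """Map each explicit [n] tag in a SEQUENCE body to its inner content."""
    out, pos = {}, 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out[tag] = tlv(val)[1]  # strip the universal tag wrapped by [n]
    return out

def oid(b):
    """Render DER-encoded OID content bytes in dotted form."""
    parts, n = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(n)
            n = 0
    return ".".join(map(str, parts))

def describe_neg_token_resp(b64):
    tag, body, _ = tlv(base64.b64decode(b64))
    if tag != 0xA1:
        raise ValueError("not a SPNEGO NegTokenResp")
    f = fields(tlv(body)[1])
    info = {"negState": NEG_STATE[f[0xA0][0]], "supportedMech": oid(f[0xA1])}
    gss = tlv(f[0xA2])[1]                    # [APPLICATION 0] GSS-API framing
    _, mech, p = tlv(gss)
    info["tokenMech"], info["tokId"] = oid(mech), gss[p:p + 2].hex()
    k = fields(tlv(tlv(gss, p + 2)[1])[1])   # AP-REP: [APPLICATION 15] -> SEQUENCE
    info["msgType"], info["etype"] = k[0xA1][0], fields(k[0xA2])[0xA0][0]
    return info
```

For the quoted token this reports `negState` accept-completed, the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2, token ID `0200` with message type 15 (a KRB_AP_REP), and an encrypted part of etype 23 (rc4-hmac). That response is the input to the `InitializeSecurityContext` call that fails with 80090304 in the same log.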