Microsoft SSPI error - Security System was unable to authenticate to the server HTTP/host because the server has completed the authentication, but the client authentication protocol Kerberos has not

Alon Bar-Lev alon.barlev at gmail.com
Mon Oct 3 18:19:43 EDT 2011


Well,

Just found that Subversion 1.7 (TortoiseSVN-1.7rc1) with serf-1.0.0
supports negotiation.

And it just works!
Serf does not even have the restriction of doing negotiate in TLS...
So much easier to look at using wireshark.

BTW: neon in this release does not even request a ticket for the target
server... And fails with an unknown GSS error.
---
svn: E170001: OPTIONS of
'https://correlux-gentoo.correlsense.com/svn/Test': authorization
failed: Could not authenticate to server: GSSAPI authentication error:
 (https://correlux-gentoo.correlsense.com)
---

So we have an even further regression in neon, and a huge success for serf.

Alon.

On Mon, Oct 3, 2011 at 4:47 PM, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
> Hi,
>
> I already searched for all the information I could and read most of it.
> I know neon is problematic, I had issues before.
> All eventually resolved after a lot of tears, as Microsoft does not
> support decent logging.
>
> Alon
>
> On Mon, Oct 3, 2011 at 4:33 PM, Douglas E. Engert <deengert at anl.gov> wrote:
>>
>>
>> On 10/3/2011 9:12 AM, Alon Bar-Lev wrote:
>>> Hello,
>>>
>>> I have a configuration of Active Directory 2003 R2 SP3 working with
>>> Linux mod_auth_kerb.
>>> I use SPNEGO for Subversion.
>>> When using Linux, all works great!
>>> When using Windows XP (and Windows 7), Firefox/IE/cifs clients work great.
>>>
>>> The problem is Subversion, which uses neon; it gets the following:
>>
>> Googling for: neon SPNEGO
>> shows a lot of issues. Maybe you are seeing one of them?
>>
>>
>>> ---
>>> Running post_send hooks
>>> ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG
>>> coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA
>>> DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u
>>> DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2
>>> auth: SSPI challenge.
>>> InitializeSecurityContext [fail] [80090304].
>>> sspi: initializeSecurityContext [failed] [80090304].
>>> ---
>>>
>>> In the Windows event log I see the following:
>>> ---
>>> Event Type:   Warning
>>> Event Source: LSASRV
>>> Event Category:       SPNEGO (Negotiator)
>>> Event ID:     40962
>>> Date:         10/3/2011
>>> Time:         3:55:38 PM
>>> User:         N/A
>>> Computer:     VALON
>>> Description:
>>> The Security System was unable to authenticate to the server
>>> HTTP/correlux-gentoo.correlsense.com because the server has completed
>>> the authentication, but the client authentication protocol Kerberos
>>> has not.
>>>
>>> For more information, see Help and Support Center at
>>> http://go.microsoft.com/fwlink/events.asp.
>>> ---
>>>
>>> Has anyone seen this before?
>>> I tried many configurations, but without success:
>>> ---
>>> Gentoo
>>> ---
>>> dev-libs/openssl-1.0.0e ->  also downgraded to openssl-0.9.8f
>>> www-servers/apache-2.2.21
>>> www-apache/mod_auth_kerb-5.4 ->  also downgraded to mod_auth_kerb-5.1
>>> net-fs/samba-3.5.11
>>> app-crypt/mit-krb5-1.9.1 ->  also downgraded to 1.6.3
>>> ---
>>>
>>> The strange thing is that I have a CentOS server on the same network
>>> with *MUCH* older packages and it does work...
>>> ---
>>> CentOS
>>> ---
>>> openssl-0.9.8e-20.el5
>>> httpd-2.2.3-53.el5.centos.1
>>> mod_ssl-2.2.3-53.el5.centos.1
>>> mod_auth_kerb-5.1-3.el5
>>> samba-3.0.33-3.29.el5_7.4
>>> krb5-workstation-1.6.1-62.el5
>>> ---
>>>
>>> I cannot reach this old state at Gentoo, but I cannot explain the
>>> difference between the two machines, I use the same procedure to add
>>> them to the domain:
>>> <edit smb.conf>
>>> net ads join
>>> net ads keytab create
>>> net ads keytab add HTTP cifs
>>>
>>> The same configuration for both.
>>>
>>> I don't know how to activate logs at the Microsoft end...
>>> I tried to add Lsa\Kerberos\Parameters debug and logging keys but
>>> nothing is generated.
>>>
>>> Any clue?
>>>
>>> Thanks,
>>> Alon.
>>> ________________________________________________
>>> Kerberos mailing list           Kerberos at mit.edu
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>>
>> --
>>
>>  Douglas E. Engert  <DEEngert at anl.gov>
>>  Argonne National Laboratory
>>  9700 South Cass Avenue
>>  Argonne, Illinois  60439
>>  (630) 252-5444
>>
>
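
The neon debug output quoted above shows the server returning a `WWW-Authenticate: Negotiate` token. The following is an added example, not part of the original thread: a minimal decoder for the outer SPNEGO NegTokenResp fields (RFC 4178), which shows the negotiation state and mechanism the server reports. The function names are hypothetical and the sample token is constructed, not the one from the log.

```python
import base64
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_neg_token_resp(header_value):
    """Summarise the NegTokenResp carried in a 'Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "Negotiate" or not b64:
        raise ValueError("not a Negotiate header with a token")
    tag, body, _ = read_tlv(base64.b64decode("".join(b64.split())), 0)
    if tag != 0xA1:  # context tag [1] = NegTokenResp; 0x60 would be an initial token
        raise ValueError("not a NegTokenResp")
    _, seq, _ = read_tlv(body, 0)
    out, pos = {"negState": None, "supportedMech": None, "responseTokenLen": 0}, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        _, inner, _ = read_tlv(field, 0)  # unwrap the explicit context tag
        if tag == 0xA0:
            out["negState"] = NEG_STATES.get(inner[0], "unknown")
        elif tag == 0xA1:
            out["supportedMech"] = decode_oid(inner)
        elif tag == 0xA2:
            out["responseTokenLen"] = len(inner)
    return out

# Constructed sample: accept-completed, Kerberos 5 mech OID, 4 placeholder responseToken bytes.
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "a11c301aa0030a0100a10b06092a864886f712010202a206040400000000")).decode()
```

A `negState` of `accept-completed` together with a non-empty `responseToken` means the server considers the exchange finished while the client still has a final mechanism token to process.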



