Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IIS, Websphere Failing with Invalid token supplied error #1406

Open
pushp0124 opened this issue Dec 1, 2021 · 4 comments
Open

IIS, Websphere Failing with Invalid token supplied error #1406

pushp0124 opened this issue Dec 1, 2021 · 4 comments

Comments

@pushp0124
Copy link

Hi,

We are trying to integrate Waffle 1.8.3 NTLM authentication (Negotiate) into one of our legacy application i.e., based on java v7. We have the following existing application architecture i.e, IIS web server receives HTTP requests on port 80 from client and passes on to the application server listening on port 9080.

Earlier we were using JCIFS but with upgraded domain controllers it ceases to exist and has been suggested to go with Waffle.

But it is failing continuously when the requests are passed from port 80, i.e. 10.106.x.x:80/AppLoginUrl or hostname failing with the error “ The token supplied to the function is invalid” while 10.106.x.x:9080/AppLoginUrl is having successful SSO and authentication calls.

SDR_WAFFLE

Have gone through various discussions and chats, where this is suggested that the IIS HTTP Web server is behaving as man in the middle where browser is thinking to signing off against i.e. breaking off NTLM authentication. But the protocol was used with JCIFS, trying to replace the library to fulfil that. As we are using NTLM authentication do we require SPN to be configured? I have deployed the Waffle sample filter application and that too is following the same pattern.

Could you please confirm if this is possible and with what changes at IIS/ Websphere level please ? (probably this is the ideal case as to put in HTTP Web server in front of Java servers, can this be possible with Waffle) Attached the negotiate Failure logs , I suspect the failure is not following 3 way handshake call or if following then contains pre-validated token. Your immediate response would be appreciated please (posted in waffle group conversation also).

@hazendaz
Copy link
Member

hazendaz commented Dec 2, 2021

Is it possible for you to try the latest with java 8? I believe there was a lot of work in more recent cuts that fixed various issues that were not accurate. I don't recall specifically if NTLM but our change log would denote what changed in recent versions. If you could test on latest and confirm it works, we could back port a fix to older jdk 7 release if needed.

@pushp0124
Copy link
Author

Hi, many thanks for your reply. Currently, all of our applications are legacy and based on older java, websphere versions. I have asked with team if this is possible, but this would be hard to try with new java version as this would require upgrade of other versions as well. Meanwhile I would request if community has seen such issues with the above use case for the Waffle 1.8.3 or newer versions. Is anyone here following this architecture please ?

@pushp0124
Copy link
Author

Hi @hazendaz and community,

The issue has been identified on IIS we have Windows Authentication mode enabled which was trapping Type 1 messages and sending back Type 2. While, application server was getting Type 3 tokens only resulting into invalid token supplied error.

However our authentication calls are still failing for application URL e.g. http://myurl.com with Invalid logon attempt failed for Type 3 response sent back by client whereas calls through IP addresses/ hostname and localhost are passing.

Attaching the logs for Non-working trace and Working trace .

@dblock could you please advise here, any help would be appreciated.

Thanks,
Pushp.

@dblock
Copy link
Collaborator

dblock commented Dec 17, 2021

@dblock could you please advise here, any help would be appreciated.

It has been years for me since I knew anything about windows authentication, sorry :(

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants