Tomcat throws HTTP 401, but only for some client machines

Dec 22, 2014 at 11:06 PM
Firstly, thanks for this library for SSO. I have used the dll-based solution, and it works brilliantly after following the steps on the how-to.

I have made sure that I have configured IE and Firefox for IWA and verified this carefully.

The problem is this: when I access the index.jsp from some client machines, I see the page with the expected text/ username. However, when accessing the same page from other client machines (also in the same network, and browsers configured identically for IWA), I see an HTTP 401 error page.

I enabled fine logging for the library, and I am pasting the content of the logs for failure below:
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  onlyntlm: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  timelifemaprolesintosids: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  nogroupsinad: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  groupsinad: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  usernamewithoutdomainasprefix: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  usernamewithdomainasprefix: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  loginauthenticationwithoutad: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  loginauthenticationwithad: PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  commonrole : PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  choiceoftheaccount : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  realmsandwindowsgroups : PARAMETER : null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  bindauthenticationtotcpconnection : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  simultaneousauthentications : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  nocreatesessionafterauthentication : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  timeoutntlmauthentication : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  onlykerberos : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  spnegoandntlm : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init>  onlynegotiate : PARAMETER: null
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init> Error in the parameters:  timelifeTranslation >0 or equals -1
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.Parameters.<init> Parameter timelifeTranslation is not present or incoherent: => timelifeTranslation = -1
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.authenticate Entry in  authenticate. Principal does not exist or the browser send the header Authorization: authentication is required
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.authenticate realm : Realm[WindowsRealm]
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids Count of groups defined in the context : 2
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids everyone
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids users
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.sspi.TranslationRolesIntoSids.getSidsCount Begin
22-Dec-2014 16:46:21.512 FINE [http-nio-8085-exec-1] fr.doume.sspi.TranslationRolesIntoSids.getSidsCount ! translated
22-Dec-2014 16:46:21.528 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids roles have been translated into sids
22-Dec-2014 16:46:21.528 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids Count of sids defined in the context : 2
22-Dec-2014 16:46:21.528 FINE [http-nio-8085-exec-1] fr.doume.authenticator.SSPAuthenticator.setHeadersWWWAuthenticate  The client cannot choose between Negotiate and NTLM
22-Dec-2014 16:46:21.793 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  onlyntlm: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  timelifemaprolesintosids: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  nogroupsinad: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  groupsinad: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  usernamewithoutdomainasprefix: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  usernamewithdomainasprefix: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  loginauthenticationwithoutad: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  loginauthenticationwithad: PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  commonrole : PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  choiceoftheaccount : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  realmsandwindowsgroups : PARAMETER : null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  bindauthenticationtotcpconnection : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  simultaneousauthentications : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  nocreatesessionafterauthentication : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  timeoutntlmauthentication : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  onlykerberos : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  spnegoandntlm : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init>  onlynegotiate : PARAMETER: null
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init> Error in the parameters:  timelifeTranslation >0 or equals -1
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.Parameters.<init> Parameter timelifeTranslation is not present or incoherent: => timelifeTranslation = -1
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.authenticate Entry in  authenticate. Principal does not exist or the browser send the header Authorization: authentication is required
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.authenticate realm : Realm[WindowsRealm]
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids Count of groups defined in the context : 2
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids everyone
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids users
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.sspi.TranslationRolesIntoSids.getSidsCount Begin
22-Dec-2014 16:46:21.809 FINE [http-nio-8085-exec-2] fr.doume.sspi.TranslationRolesIntoSids.getSidsCount ! translated
22-Dec-2014 16:46:21.824 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids roles have been translated into sids
22-Dec-2014 16:46:21.824 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.translateRolesIntoSids Count of sids defined in the context : 2
22-Dec-2014 16:46:21.824 FINE [http-nio-8085-exec-2] fr.doume.authenticator.SSPAuthenticator.setHeadersWWWAuthenticate  The client cannot choose between Negotiate and NTLM
22-Dec-2014 16:46:21.824 FINE [http-nio-8085-exec-3] fr.doume.authenticator.SSPAuthenticator.authenticate Entry in  authenticate. Principal does not exist or the browser send the header Authorization: authentication is required
22-Dec-2014 16:46:21.840 FINE [http-nio-8085-exec-3] fr.doume.authenticator.SSPAuthenticator.authenticate realm : Realm[WindowsRealm]
22-Dec-2014 16:46:21.840 FINE [http-nio-8085-exec-3] fr.doume.authenticator.SSPAuthenticator.getTranslationRolesIntoSids get the instance of the current TranslationRolesIntoSids from the Context
22-Dec-2014 16:46:21.840 FINE [http-nio-8085-exec-3] fr.doume.authenticator.SSPAuthenticator.setHeadersWWWAuthenticate  The client cannot choose between Negotiate and NTLM
I have clearly specified "basic" as the authentication mode in the web.xml file as per example. What is the source of this error and how can I fix it?
Coordinator
Mar 4, 2015 at 1:01 PM
Hello,
Read configure.txt to have logs.
You can use a proxy server like Fiddler on the client too. So, you will have all the requests ans responses between your browser and the tomcat server.
With this information, I will be able to help you

Dominique