Secur32.INSTANCE.AcceptSecurityContext : -2146893048

Nov 2, 2015 at 11:02 PM
We are using the library successfully at a few customers, but now we encountered a problem we cannot solve. Everything is set up properly:
  • our Windows Service's account is Local System
  • everything is in the domain
  • in IE, the site is in the Local intranet zone (also tried with Firefox with network-negotiate-etc set up)
Even with everything set up properly, the browser displays error 401. The most suspicious message in the log is the following:
fr.doume.jna.sspi.AuthenticationUtil.getInternalContext after Secur32.INSTANCE.AcceptSecurityContext : -2146893048
(and a little bit later: "The parameter is incorrect.")
To me, it means "authentication failure", but how can that happen?
The only meaningful forum I found is:!topic/jna-users/rgoC7qyaP8c
They say JNA should be updated to 3.5.0 (from 3.4.0). I managed to compile frdoume.jar with jna-3.5.0.jar and platform-3.5.2, and it is working, but I'm not sure this will solve the customer's problem...

Thanks in advance if anybody shares any idea :)
Gabor Fenyvesi
Nov 9, 2015 at 11:34 PM

The code in hex is 80090308: the token received by AcceptSecurityContext is not valid.
Shut down and restart the client computer. Do you get the same result?
If you have the same problem, can you add another user in AD? Can you log in to the client computer with the new account? Do you get the same error code?

Could you test, to verify, with the dll version? I think you will have the same result.

Did you test with the application examples given by Tomcat? (examples/jsp/security/protected is protected.)
You have to add the file examples.xml in conf/Catalina/localhost:
<Valve className="fr.doume.jna.authenticator.SSPAuthenticator" />
<Realm className ="fr.doume.jna.realm.WindowsRealm" />
You have to add, in the web.xml file of this application (webapps/examples/WEB-INF/web.xml), the role users or everyone to the security constraint.

With the dll version, you will have the same XML file but without jna:
<Valve className="fr.doume.authenticator.SSPAuthenticator" />
<Realm className ="fr.doume.realm.WindowsRealm" />

Could you send the result?
Nov 10, 2015 at 9:56 AM
Hi Dominique,
Thanks for your reply, I just managed to fix this yesterday and was going to write the fix here. I wanted to add a new user to the AD but the customer didn't let me do so. Anyway, I checked their AD users and the servers and everything, and it still didn't work.
The only way I was able to make it work is by adding a line to META-INF\context.xml:
<Parameter name="onlyntlm" value="" override="false"/>
I assume this turns off SPNEGO and Kerberos. Probably they have some AD configuration that prevents both SPNEGO and Kerberos from working.
Anyway, it is working now with IE (Firefox doesn't work, but they do not mind).
Thanks and regards,
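
A diagnostic sketch for the situation discussed in this thread, added here as an example (it is not code from the thread's participants or from the library): it converts the signed status that the JNA log prints into its hex form and reports which mechanism a captured `Authorization` header value carries, so an NTLM-only versus SPNEGO/Kerberos difference can be seen directly. The function names are hypothetical and the sample header is constructed.

```python
import base64

# OID value bytes (DER, without tag and length) of mechanisms a browser may offer.
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",            # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos-ms-legacy",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "ntlm",              # 1.3.6.1.4.1.311.2.2.10
}
SPNEGO_OID = bytes.fromhex("2b0601050502")                      # 1.3.6.1.5.5.2
SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed NegTokenInit, no mechToken
    "603206062b0601050502a0283026a0243022"
    "06092a864882f71201020206092a864886f712010202060a2b06010401823702020a")).decode()

def status_hex(code):
    return "0x%08X" % (code & 0xFFFFFFFF)   # signed 32-bit value from the Java log -> hex

def _tlv(buf, pos):
    """Read one DER tag/length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(header_value):
    """Return (kind, offered_mechs) for the value of an Authorization header."""
    b64 = header_value.strip().partition(" ")[2].strip()
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "not-base64", []
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:   # raw NTLM, no SPNEGO wrapper
        return "raw-ntlm-type%d" % int.from_bytes(tok[8:12], "little"), ["ntlm"]
    try:
        tag, p, _ = _tlv(tok, 0)            # 0x60: GSS-API initial token wrapper
        _, s, p = _tlv(tok, p)              # mechanism OID; p now points past it
        if tag != 0x60 or tok[s:p] != SPNEGO_OID:
            return "not-spnego", []
        for expected in (0xA0, 0x30, 0xA0, 0x30):  # NegTokenInit > SEQUENCE > mechTypes > list
            tag, p, e = _tlv(tok, p)
            if tag != expected:
                return "spnego-malformed", []
        mechs = []
        while p < e:                        # walk the offered mechanism OIDs in order
            _, s, p = _tlv(tok, p)
            mechs.append(MECHS.get(tok[s:p], tok[s:p].hex()))
        return "spnego-init", mechs
    except IndexError:
        return "truncated", []
```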