Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

Unexpected XML Error

Russ Allbery eagle at
Fri Feb 2 11:05:32 PST 2007

Education Center <mailbox030403 at> writes:

> Trying to make test environment with webauth and webkdc I got several
> errors that I was tring to fix checking manuals but was
> unsuccessfull. Please help if possible.

> Some addtional info about environment and disto could be found at the
> end of message.

> ~~~~~~~~~~~~~~~~~~~~~~~
> 1. The following error messages in log accessing /webauth-status

> [Fri Feb 02 09:40:50 2007] [error] mod_webauth: request_service_token: apr_xml_parser_{feed,done} failed: XML parser error code: syntax error (2) (20014)
> [Fri Feb 02 09:40:50 2007] [error] mod_webauth: mwa_get_service_token: couldn't get new service token from webkdc
> [Fri Feb 02 09:40:50 2007] [emerg] mod_webauth: mwa_get_service_token FAILD!!
> ~~~~~~~~~~~~~~~~~~~~~~~

So when the WebAuth module sends a request to the WebKDC, what it gets
back is invalid XML.  Usually this error means that the URL that you're
using for the WebKDC service isn't properly configured on the WebKDC to
actually *be* the WebKDC service, so the WebKDC Apache server returns a
normal page and the WebAuth module chokes.

The most useful log excerpt is one that I don't think you included, namely
the log from the WebKDC at the time that you try to access the WebAuth

> 2. Trying to access /login I have the following:

> Webauth Error as web page output
> and this entry in error log: [Fri Feb 02 10:29:37 2007] [error] [client] there was no request or service token

This is normal.  You can't just go to /login; you have to be redirected
there by a WebAuth server.  (I've thought about allowing people to log in
without visiting a WebAuth-protected site first, but it's always been a
low priority.)

> WebAuthCredCacheDir /www/conf/webauth
> WebAuthDebug on
> WebAuthKeyRing /www/conf/webauth/keyring
> WebAuthKeyRingAutoUpdate on
> WebAuthKeyRingKeyLifetime 2592000s
> WebAuthKeytab /www/conf/webauth/keytab webauth/
> WebAuthLoginUrl https://testsrv/login/
> WebAuthServiceTokenCache /www/conf/webauth/service_token.cache
> WebAuthSubjectAuthType krb5
> WebAuthSSLRedirect on
> WebAuthTokenMaxTTL 300s
> WebAuthWebKdcPrincipal service/webkdc

It's usually best to fully qualify that principal name, although it
doesn't really matter if it's in your default realm.

> WebAuthWebKdcSSLCertFile /www/conf/testsrv.crt
> WebAuthWebKdcSSLCertCheck on
> WebAuthWebKdcURL https://testsrv/webkdc-services/

Unless that certificate is for the common name "testsrv" with no
additional qualification, this is going to fail.  That may or may not be
the error.  The common name of your SSL certificate has to match the
hostname in the URL for the WebKDC unless you turn certificate checking

The other information that would be useful to track this down would be the
Apache configuration for the WebKDC on testsrv (the actual configuration
including any VirtualHost or Location containers, rather than the config
dump of the global settings).

Russ Allbery <eagle at>
Technical Lead, ITS Unix Systems and Applications, Stanford University

More information about the webauth-info mailing list