Unexpected XML Error - SOLVED

Education Center mailbox030403 at
Tue Feb 6 22:20:52 PST 2007

Att: Russ Allbery

Thank you very much for dedicating time to assist me. I really appreciate it!
So my test installation is now successful and will be duplicated on production servers.
Our team has a very good impression of the WebAuth project.

Here are some details for the archive records:

>> ... mod_webauth: request_service_token: apr_xml_parser_{feed,done} failed: XML parser error code: syntax error (2) (20014)

>>The most useful log excerpt is one that I don't think you included, namely
>>the log from the WebKDC

Yes, it was a simple but very useful note. Although the "Web...Debug" statements were on, there was a *hidden* "LogLevel warn" directive in the main config. So there were really no debug messages about webkdc and webauth.

>Usually this error means that the URL that you're
>using for the WebKDC service isn't properly configured ...

So, after real debug mode had been turned on, it became obvious that something was wrong with the webkdc-services location.
The reason was as follows: the "AuthType Kerberos" of mod_auth_kerb had been switched on globally for the whole site.
It prevented the webkdc-services handler from working properly. So it was fixed.

>> Trying to access /login directly gives "Webauth Error"
>> and [error] [client] there was no request or service token

> This is normal.  You can't just go to /login; you have to be redirected there by a WebAuth server.
> (I've thought about allowing ... but it's always been a low priority.)

Ok. Accepted. 

> It's usually best to fully qualify that principal name, although it
> doesn't really matter if it's in your default realm.

This good advice has been applied. All principal names have been fully qualified
with the REALM name spelled in capital letters. It helped to make things easier and
to fix some mistakes in the token.acl file. Thanks.

>> WebAuthWebKdcSSLCertFile /www/conf/testsrv.crt
>> WebAuthWebKdcSSLCertCheck on
>> WebAuthWebKdcURL https://testsrv/webkdc-services/

> Unless that certificate is for the common name "testsrv" with no
> additional qualification, this is going to fail.

Yes, both my test certificate and host have no additional qualification.
So it was workable. But anyway, thanks for paying attention to that detail.

Education Center
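
Added example, not part of the original message or of the WebAuth project's code: a small Python check for the two misconfigurations reported above, a module debug flag hidden by a server-wide `LogLevel` above `debug`, and `AuthType Kerberos` in a `<Location>` that covers the WebKDC service path. The sample configuration is constructed, and it assumes the site-wide setting was made in a `<Location />` block and that the first `LogLevel` argument is the level.

```python
import re

LEVELS = ["emerg", "alert", "crit", "error", "warn", "notice", "info", "debug"]

# Constructed sample configuration reproducing both problems from the message.
SAMPLE_CONF = """\
LogLevel warn
WebKdcDebug on
<Location />
    AuthType Kerberos
    Require valid-user
</Location>
<Location /webkdc-services>
    SetHandler webkdc
</Location>
"""

def covers(location, path):
    """True if a <Location> prefix applies to path (whole path segments only)."""
    prefix = location.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def lint(conf, service_path="/webkdc-services/"):
    findings, stack = [], []                # stack holds the open <Container ...> sections
    loglevel, debug_lines = "warn", []      # Apache's default LogLevel is warn
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            if stack:
                stack.pop()
            continue
        if line.startswith("<"):
            stack.append(line.strip("<>").split())
            continue
        name, *args = line.split()
        name, args = name.lower(), [a.lower() for a in args]
        if name == "loglevel" and not stack and args and args[0] in LEVELS:
            loglevel = args[0]              # last server-scope LogLevel wins
        elif re.fullmatch(r"web\w*debug", name) and args[:1] == ["on"]:
            debug_lines.append(lineno)      # any Web...Debug directive set to on
        elif name == "authtype" and args[:1] == ["kerberos"]:
            loc = [s[1].strip('"') for s in stack if len(s) > 1 and s[0].lower() == "location"]
            if loc and covers(loc[-1], service_path):
                findings.append((lineno, "AuthType Kerberos covers " + service_path))
    if debug_lines and loglevel != "debug":
        findings += [(n, "debug flag hidden by LogLevel " + loglevel) for n in debug_lines]
    return sorted(findings)
```

Calling `lint(SAMPLE_CONF)` reports line 2 (debug flag hidden by `LogLevel warn`) and line 4 (`AuthType Kerberos` covering `/webkdc-services/`).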
