Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

Upgrade oddity with proxy tokens

Russ Allbery eagle at
Tue Oct 30 13:07:03 PDT 2012

Dameon Wagner <dameon.wagner at> writes:

> However, with 1 node upgraded and added to the round-robin DNS I'm
> seeing an issue that indicates that anyone trying to authenticate to a
> WAS for the first time, via the 4.1 node, gets prompted for
> credentials, even if moments before they successfully authenticated to
> one of the other (3.6) WebKDCs (so it's not acting like Single Sign-on
> anymore).

Are you absolutely sure that there's a webauth_wpt cookie set after the
previous authentication?  This message:

> Looking at the apache error log on the upgraded node I see entries
> like the following (all on one line and mildly redacted):

> #---8<-----------------------------------------------------------------
> [notice] mod_webkdc: event=requestToken from=
>   clientIp=XX.XX.XX.XX server=krb5:webauth/ at OX.AC.UK
>   url=https://was-url-for-redirect user=<unknown>
>   rtt=id sa=webkdc lec=15 lem="need a proxy token"
> #---8<-----------------------------------------------------------------

indicates that the WebLogin server didn't see any webauth_wpt cookies, or
they were all invalid.

There are no other messages in the WebKDC log at all?  If you didn't
synchronize the keyrings properly, there should be another message saying
that the proxy token couldn't be parsed.  Actually, regardless of why the
proxy token was rejected, there should be a message saying so.  If there's
no other message at all, that should mean that the browser didn't present
any cookie.

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University

More information about the webauth-info mailing list