Kerberos Authentication fails when Web application sends duplicate "WWW-Authenticate: Negotiate" HTTP headers
Symptoms
  • Kerberos Authentication fails when Web application sends duplicate "WWW-Authenticate: Negotiate" HTTP headers.
  • The trace logs show that the Web Server sends duplicate authentication headers:
    [CPCVPN_RECEIVED_HEADERS] |XX:XX:XX.XXX|
    HTTP/1.1 401 Unauthorized
    Server: Apache-Coyote/1.1
    [/CPCVPN_RECEIVED_HEADERS]
    [CPCVPN_INFO/] |XX:XX:XX.XXX| gss_init_sec_context() failed: : No Kerberos credentials available
    [CPCVPN_RECEIVED_HEADERS] |XX:XX:XX.XXX|
    WWW-Authenticate: Negotiate
    [/CPCVPN_RECEIVED_HEADERS]
    [CPCVPN_INFO/] |XX:XX:XX.XXX| gss_init_sec_context() failed: : No Kerberos credentials available
    [CPCVPN_RECEIVED_HEADERS] |XX:XX:XX.XXX|
    WWW-Authenticate: Negotiate
    Content-Length: 348
    Date: Wed, XX Apr XXX XX:XX:XXGMT
  • The Kerberos ticket is created successfully by the KDC (Key Distribution Center).
  • HTTPD shows the following entries:
    WebHandler::configureLibCurl: using KRB5_CONFIG=/opt/CPcvpn-R77/var/krb5.auto.conf
    Cvpn::WebHandler::curlGotResponseHeader: Setting credentials in Kerberos
    Cvpn::WebHandler::content: Restart libcurl in order to authenticate
    [CVPN_INFO] getPoolInstance: creating a new LibCurl instance
    Cvpn::WebHandler::content: Restart libcurl in order to authenticate
Cause

A limitation in the libcurl code causes authentication to fail when the Internal Web Server sends duplicate "WWW-Authenticate: Negotiate" HTTP headers.
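
An added example (not Check Point's code and not part of the original article): a Python check that reads a trace in the format shown under Symptoms and reports each backend response carrying more than one "WWW-Authenticate: Negotiate" challenge. The sample trace is constructed, and treating every HTTP status line as the start of a new response is an assumption about the log layout.

```python
import re

# Constructed sample in the trace format shown under Symptoms (timestamps masked).
SAMPLE_TRACE = """\
[CPCVPN_RECEIVED_HEADERS] |XX:XX:XX.XXX|
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
[/CPCVPN_RECEIVED_HEADERS]
[CPCVPN_INFO/] |XX:XX:XX.XXX| gss_init_sec_context() failed: : No Kerberos credentials available
[CPCVPN_RECEIVED_HEADERS] |XX:XX:XX.XXX|
WWW-Authenticate: Negotiate
[/CPCVPN_RECEIVED_HEADERS]
[CPCVPN_RECEIVED_HEADERS] |XX:XX:XX.XXX|
WWW-Authenticate: Negotiate
Content-Length: 348
[/CPCVPN_RECEIVED_HEADERS]
[CPCVPN_RECEIVED_HEADERS] |XX:XX:XX.XXX|
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
WWW-Authenticate: Basic realm="constructed"
Content-Length: 0
[/CPCVPN_RECEIVED_HEADERS]
"""

HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

def negotiate_counts(trace_text):
    """Return [(status_line, negotiate_challenge_count), ...], one per response."""
    responses = []
    for raw in trace_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue  # block markers and [CPCVPN_INFO/] lines carry no headers
        if line.startswith("HTTP/"):
            responses.append([line, 0])  # assumption: a status line starts a response
            continue
        m = HEADER_RE.match(line)
        if m and responses and m.group(1).lower() == "www-authenticate":
            # Header names and auth scheme names are case-insensitive.
            parts = m.group(2).split(None, 1)
            if parts and parts[0].rstrip(",").lower() == "negotiate":
                responses[-1][1] += 1
    return [tuple(r) for r in responses]

def duplicate_negotiate(trace_text):
    """Responses that carry the Negotiate challenge more than once."""
    return [r for r in negotiate_counts(trace_text) if r[1] > 1]

if __name__ == "__main__":
    for status, count in duplicate_negotiate(SAMPLE_TRACE):
        print(f"{status}: {count} x WWW-Authenticate: Negotiate")
```

A response that offers Negotiate once alongside another scheme, like the second one in the sample, is not reported.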


Solution
Note: To view this solution you need to Sign In.