Wapt Linux 2.4 server.
Windows 10 client
Hello,
SSO on the self-service portal works with some Active Directory accounts but not with others on the same PC.
On the account where it doesn't work, it asks for the account login and password.
Once the credentials are entered, the user has access to the self-service portal, but they have to log in again each time.
Do you have any ideas? Are there any specific logs I should look at?
On the waptserver.ini side, the following parameters are correctly filled:
ldap_account_service_login = XXXXXX
ldap_account_service_password = XXXX
ldap_auth_server = XXXXXX
ldap_auth_base_dn = XXXXX
use_kerberos = True
ldap_auth_ssl_enabled = True
use_ssl_client_auth = True
On the client side, in the agent configuration, I have:
service_auth_type = waptserver-ldap
use_kerberos = True
[RESOLVED] SSO self-service not working for all users
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Hello,
after investigation, the problem is related to the Kerberos ticket size.
SSO on the self-service portal seems to have a Kerberos ticket size limit that is smaller than that of Windows.
Wapt Enterprise Edition 2.6.1.17765
WAPTConsole Enterprise on Windows
WAPT Server on Debian 12
- sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
Hello,
thank you for your feedback.
Could you tell me whether accessing the URL https://srvwapt.mydomain.lan/api/v3/login_kerberos from Firefox works for the user experiencing the problem?
Note that in Firefox, you need to add the following to about:config:
network.negotiate-auth.delegation-uris mydomain.lan and
network.negotiate-auth.trusted-uris mydomain.lan.
This will help us determine if the issue lies with the nginx spnego module or with waptself.
With a user who has a small Kerberos ticket, there's no problem.
With a user who has a large Kerberos ticket:
400 Bad Request
Request Header Or Cookie Too Large
nginx
Wapt Enterprise Edition 2.6.1.17765
WAPTConsole Enterprise on Windows
WAPT Server on Debian 12
- sfonteneau
Based on the message, you can try adding the following to your Nginx configuration:
`large_client_header_buffers 4 16k;`
https://stackoverflow.com/questions/651 ... 7#65151807
If that works, we'll see about modifying the initial Nginx configuration of Wapt.
- sfonteneau
Thanks, we just added the nginx configuration to the git branch master code here to handle the case.
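The size limit discussed in this thread can be worked out from the nginx setting. The following is an added example, not code from the thread or from WAPT: it reads `large_client_header_buffers` from a configuration text and computes the largest raw SPNEGO token whose `Authorization: Negotiate` header still fits in one buffer. It assumes the whole header line including CRLF must fit in a single buffer, and the sample configurations and token sizes are constructed.

```python
import math
import re

# nginx default when the directive is absent: "large_client_header_buffers 4 8k"
DEFAULT_BUFFER_BYTES = 8 * 1024
HEADER_PREFIX = b"Authorization: Negotiate "
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2}
_DIRECTIVE = re.compile(r"\blarge_client_header_buffers\s+\d+\s+(\d+)([kKmM]?)\s*;")


def header_buffer_bytes(nginx_conf: str) -> int:
    """Per-buffer size from large_client_header_buffers (last occurrence wins here)."""
    size = DEFAULT_BUFFER_BYTES
    for line in nginx_conf.splitlines():
        m = _DIRECTIVE.search(line.split("#", 1)[0])  # ignore commented-out text
        if m:
            size = int(m.group(1)) * _UNITS[m.group(2).lower()]
    return size


def negotiate_header_len(token_bytes: int) -> int:
    """Length of the header line carrying a raw SPNEGO token of token_bytes."""
    b64_len = 4 * math.ceil(token_bytes / 3)  # base64 with padding
    return len(HEADER_PREFIX) + b64_len + 2   # + CRLF


def max_token_bytes(buffer_bytes: int) -> int:
    """Largest raw token whose header line still fits in one buffer."""
    room = buffer_bytes - len(HEADER_PREFIX) - 2
    return (room // 4) * 3


def fits(token_bytes: int, nginx_conf: str) -> bool:
    return negotiate_header_len(token_bytes) <= header_buffer_bytes(nginx_conf)


# Constructed sample configs: stock nginx vs. the setting proposed in the thread.
STOCK_CONF = "server {\n    listen 443 ssl;\n}\n"
TUNED_CONF = "server {\n    listen 443 ssl;\n    large_client_header_buffers 4 16k;\n}\n"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("tuned", TUNED_CONF)):
        limit = header_buffer_bytes(conf)
        print(f"{name}: buffer={limit} B, max raw token={max_token_bytes(limit)} B")
    # Constructed sizes: small ticket, large ticket, and 48000 bytes
    # (the Windows MaxTokenSize default since Windows 8 / Server 2012).
    for size in (2500, 9000, 48000):
        print(size, fits(size, STOCK_CONF), fits(size, TUNED_CONF))
```

With `4 16k` the ceiling is still about 12 KB of raw token, so accounts in very many groups can exceed it and return the same 400 response; size the buffer against the largest tokens actually seen in the domain.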
