#6862 WebUI cert auth fails after ipa-adtrust-install
Closed: fixed 7 years ago Opened 7 years ago by frenaud.

IPA 4.5.0-5.el7
gssproxy 0.7.0-3.el7

IPA configured for WebUI certificate authentication, with a user entry demoCert containing a user certificate delivered by the IPA CA.
Web UI certificate authentication stops working when an AD trust is configured. The web page shows:
Authentication with personal certificate failed

httpd error_log displays:

[Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
[Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
[Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set

krb5.kdc log:

Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345,  HTTP/ipaserver.example.com@EXAMPLE.COM for HTTP/ipaserver.example.com@EXAMPLE.COM, Wrong principal in request
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11
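The two logs above are the signature of one failure: mod_auth_gssapi tries S4U2Self (protocol transition), in which the HTTP/ service asks the KDC for a ticket to itself on behalf of the certificate-authenticated user, the KDC rejects that TGS_REQ, so no credential cache is produced and the IPA WSGI layer answers "401 Unauthorized: KRB5CCNAME not set". The following is an added triage script, not FreeIPA project code, that parses httpd error_log and krb5kdc log lines of exactly the shape shown in this ticket and reports whether they match that pattern. The sample log text is constructed from the ticket (hostnames, IPs and pids are illustrative), the regular expressions are this example's own assumptions about the log formats, and the single error-code name is taken from MIT krb5's error table as noted in the comment.

```python
"""Triage helper for FreeIPA WebUI certificate-auth (S4U2Self) failures.

Added example, not FreeIPA project code.  It correlates the httpd error_log
entries written by mod_auth_gssapi and the IPA WSGI layer with the krb5kdc
log entries for the protocol-transition TGS_REQ.
"""
import re

# Constructed sample input modelled on the ticket's logs (illustrative values).
HTTPD_LOG = """\
[Tue Apr 11 08:09:33.787693 2017] [auth_gssapi:error] [pid 44111] [client 10.36.116.124:50694] GSS ERROR In S4U2Self: gss_acquire_cred_impersonate_name(): [A required input parameter could not be read, No credentials were supplied, or the credentials were unavailable or inaccessible (Unknown error)]
[Tue Apr 11 08:09:33.791505 2017] [:error] [pid 44109] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Tue Apr 11 08:09:33.791853 2017] [:error] [pid 44109] ipa: DEBUG: WSGI login_x509.__call__:
[Tue Apr 11 08:09:33.792102 2017] [:error] [pid 44109] ipa: INFO: 401 Unauthorized: KRB5CCNAME not set
"""

KDC_LOG = """\
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ : handle_authdata (-1765328240)
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 10.34.58.20: HANDLE_AUTHDATA: authtime 1491839345,  HTTP/ipaserver.example.com@EXAMPLE.COM for HTTP/ipaserver.example.com@EXAMPLE.COM, Wrong principal in request
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): ... PROTOCOL-TRANSITION s4u-client=democert@EXAMPLE.COM
Apr 11 08:14:38 ipaserver.example.com krb5kdc[43645](info): closing down fd 11
"""

# Log-format assumptions made by this example (derived from the lines above).
HTTPD_S4U = re.compile(
    r"\[client (?P<client>[^\]]+)\] GSS ERROR In S4U2Self: "
    r"(?P<call>\w+)\(\): \[(?P<msg>[^\]]+)\]"
)
HTTPD_401 = re.compile(r"401 Unauthorized: (?P<reason>.+)$")
KDC_RC = re.compile(r"handle_authdata \((?P<rc>-?\d+)\)")
KDC_AUTHDATA = re.compile(
    r"TGS_REQ .*?: HANDLE_AUTHDATA: authtime (?P<authtime>\d+),\s+"
    r"(?P<server>\S+) for (?P<target>\S+), (?P<error>.+)$"
)
KDC_S4U_CLIENT = re.compile(r"PROTOCOL-TRANSITION s4u-client=(?P<client>\S+)")

# Only the code seen in the ticket.  Name assumed from MIT krb5's error table
# (ERROR_TABLE_BASE_krb5 -1765328384 + 144), consistent with the text
# "Wrong principal in request" that the KDC prints on the following line.
KRB5_ERRNAMES = {-1765328240: "KRB5KRB_AP_WRONG_PRINC"}


def parse_httpd(text):
    """Return (S4U2Self GSS failures, 401 reasons) found in httpd error_log text."""
    s4u, unauth = [], []
    for line in text.splitlines():
        m = HTTPD_S4U.search(line)
        if m:
            s4u.append(m.groupdict())
            continue
        m = HTTPD_401.search(line)
        if m:
            unauth.append(m.group("reason"))
    return s4u, unauth


def parse_kdc(text):
    """Return failed TGS_REQ events; the 'handle_authdata (rc)' line precedes
    the HANDLE_AUTHDATA line and the PROTOCOL-TRANSITION line follows it."""
    events, rc = [], None
    for line in text.splitlines():
        m = KDC_RC.search(line)
        if m:
            rc = int(m.group("rc"))
            continue
        m = KDC_AUTHDATA.search(line)
        if m:
            ev = m.groupdict()
            ev["authtime"] = int(ev["authtime"])
            ev["rc"] = rc
            ev["rc_name"] = KRB5_ERRNAMES.get(rc, "unknown")
            ev["s4u_client"] = None
            events.append(ev)
            rc = None
            continue
        m = KDC_S4U_CLIENT.search(line)
        if m and events:
            events[-1]["s4u_client"] = m.group("client")
    return events


def triage(httpd_log, kdc_log):
    """Correlate both logs and say whether they show the S4U2Self failure pattern:
    an auth_gssapi S4U2Self error plus a KDC-rejected protocol transition in
    which the HTTP/ service requested a ticket to itself for a user."""
    s4u, unauth = parse_httpd(httpd_log)
    pt_failures = [e for e in parse_kdc(kdc_log) if e["s4u_client"]]
    matches = bool(s4u) and any(
        e["server"] == e["target"] and e["server"].startswith("HTTP/")
        for e in pt_failures
    )
    return {
        "httpd_s4u2self_failures": s4u,
        "httpd_401_reasons": unauth,
        "kdc_protocol_transition_failures": pt_failures,
        "matches_ticket_pattern": matches,
    }


if __name__ == "__main__":
    result = triage(HTTPD_LOG, KDC_LOG)
    for ev in result["kdc_protocol_transition_failures"]:
        print(f"KDC rejected S4U2Self for {ev['s4u_client']} via {ev['server']}: "
              f"{ev['error']} ({ev['rc_name']})")
    print("matches ticket pattern:", result["matches_ticket_pattern"])
```

On a server, feed it the real files (`triage(open("/var/log/httpd/error_log").read(), open("/var/log/krb5kdc.log").read())`); a `True` verdict together with a recently configured AD trust points at the condition this ticket describes rather than at a bad user certificate, which would fail earlier, before any S4U2Self attempt.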

Metadata Update from @simo:
- Issue assigned to simo

7 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1441316

7 years ago


Triaging based on conversation with Simo and Flo.

Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue set to the milestone: FreeIPA 4.5.1
- Issue tagged with: bug

7 years ago

ipa-4-5:

  • b511407 Fix s4u2self with adtrust

master:

  • e88d5e8 Fix s4u2self with adtrust

Metadata Update from @pvomacka:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago
