Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
On 30.4.2015 14:39, Christopher Lamb wrote:
> Hi Petr
>
> Thanks, we solved this issue and reported that back on this thread. The troubleshooting guide has even been updated as a result.
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html
>
> Your suggestion has however hit the nail on the head - the problem was clock skew between the Server hosting freeIPA and the workstations.

Petr, could we detect this situation in initial Javascript?

I can imagine that the server sends its current UTC time to the browser while the login page is loading, and then the client could compare (local UTC) - (server UTC) and scream if the time difference is greater than ... 5 minutes or so?

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
On 05/04/2015 07:53 AM, Petr Spacek wrote:
> On 30.4.2015 14:39, Christopher Lamb wrote:
>> Hi Petr
>>
>> Thanks, we solved this issue and reported that back on this thread. The troubleshooting guide has even been updated as a result.
>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html
>>
>> Your suggestion has however hit the nail on the head - the problem was clock skew between the Server hosting freeIPA and the workstations.
>
> Petr, could we detect this situation in initial Javascript?
>
> I can imagine that the server sends its current UTC time to the browser while the login page is loading, and then the client could compare (local UTC) - (server UTC) and scream if the time difference is greater than ... 5 minutes or so?

I think it's possible. The server sends the HTTP Date response header [1] in the format of [2]. In the browser:

    var date = new Date(xhr.getResponseHeader('Date'));
    var diff = Date.now() - date.getTime();
    var minutes = diff / 1000 / 60;

new ticket: https://fedorahosted.org/freeipa/ticket/5015

[1] https://tools.ietf.org/html/rfc2616#section-14.18
[2] https://tools.ietf.org/html/rfc2616#section-3.3.1

--
Petr Vobornik
Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
On 04/25/2015 02:58 AM, Christopher Lamb wrote:
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has expired. Please re-login.” from browser(s) on remote client(s), similar to the existing tickets:
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances. I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc). Very sporadically one of the above browsers will “let me in” - if I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work.
>
> kinit in a ssh session works. SELinux is disabled. All IPA Services are running. I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12
>
> If I enter a wrong password, I correctly get “The password or username you entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed. I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/

Do the machines with browsers have synchronized time with the IPA servers?

If a client machine with a browser is 20 min+ in the future compared to the IPA server, the browser will treat the ipa_session cookie as expired because its validity is auth_time + 20 min.

Could you enable server debug logging [1] and send me entries from httpd/error_log and krb5kdc.log which were added upon Web UI forms-based auth with correct username and password?

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug

--
Petr Vobornik
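The clock-skew check proposed in Petr Vobornik's later reply (skew from the HTTP Date header) and the cookie-expiry explanation above, worked through as an added example; this is not FreeIPA code, and the function names, the 5-minute warning threshold and the sample header value are assumptions constructed for illustration.

```javascript
// Added example, not FreeIPA code. Estimates browser/server clock skew from the
// HTTP Date response header and shows why an ipa_session cookie issued at
// auth_time with a 20-minute lifetime already looks expired to a client whose
// clock runs ahead of the server.

const SESSION_LIFETIME_MS = 20 * 60 * 1000; // per the thread: auth_time + 20 min
const SKEW_WARN_MS = 5 * 60 * 1000;         // assumed threshold (thread suggests ~5 min)

// Skew in milliseconds; positive means the client clock is ahead of the server.
// dateHeader: value of the HTTP Date header (RFC 1123 text, 1 s resolution).
// clientNowMs: the client's Date.now() sampled when the response arrived.
function clockSkewMs(dateHeader, clientNowMs) {
  const serverMs = Date.parse(dateHeader);
  if (Number.isNaN(serverMs)) {
    throw new Error('unparseable Date header: ' + dateHeader);
  }
  return clientNowMs - serverMs;
}

// Returns a warning string when |skew| exceeds the threshold, else null.
function skewWarning(skewMs) {
  if (Math.abs(skewMs) <= SKEW_WARN_MS) return null;
  const minutes = Math.round(Math.abs(skewMs) / 60000);
  const direction = skewMs > 0 ? 'ahead of' : 'behind';
  return 'Your clock is ' + minutes + ' min ' + direction +
         ' the server; the login session may be rejected as expired.';
}

// The server computes Expires = auth_time + 20 min on its own clock, but the
// browser compares that against the client clock. A client ahead by more than
// the cookie's remaining lifetime therefore discards it immediately.
function cookieLooksExpired(authTimeServerMs, skewMs, ageMs = 0) {
  const expiresMs = authTimeServerMs + SESSION_LIFETIME_MS;
  const clientNowMs = authTimeServerMs + skewMs + ageMs;
  return clientNowMs >= expiresMs;
}

// Constructed sample: server says 10:00:00 UTC, client believes it is 12:00:17,
// i.e. the "2 hours in the future" situation described in the thread.
const sampleHeader = 'Thu, 30 Apr 2015 10:00:00 GMT';
const sampleClientNow = Date.UTC(2015, 3, 30, 12, 0, 17);
const sampleSkew = clockSkewMs(sampleHeader, sampleClientNow);
console.log(skewWarning(sampleSkew));
console.log('cookie expired on arrival:',
            cookieLooksExpired(Date.parse(sampleHeader), sampleSkew));
```

In a page script the call would be `clockSkewMs(xhr.getResponseHeader('Date'), Date.now())`; treat differences of a few seconds as noise, since the header has one-second resolution and an intermediary proxy may rewrite it.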
Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.
Hi Petr

Thanks, we solved this issue and reported that back on this thread. The troubleshooting guide has even been updated as a result.
https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html

Your suggestion has however hit the nail on the head - the problem was clock skew between the Server hosting freeIPA and the workstations.

Ironically, before installing freeIPA server we had no clock skew - clients and workstation clocks were within seconds. Post freeIPA install, the server was suddenly 2 hours in the future. This seems to be because freeIPA had replaced the ntpd server entries in the ntp.conf file.

After reverting to our standard ntp.conf for a vm and restarting ntpd the clock-skew vanished, as did the "Your session has been expired" error on the Web UI.

The 2 hours time difference was probably a result of the difference between UTC and European Summer Time. It will likely be familiar to anybody who has configured FIX interfaces in Europe.

Chris

b.t.w, the above applies to our new 4.1.0 installation. We get the same "session has expired" error from our 3.0.0 freeIPA installation that we will decommission shortly. On that machine the cause is not clock-skew.

From: Petr Vobornik pvobo...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH, freeipa-users@redhat.com
Date: 30.04.2015 12:52
Subject: Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

> On 04/25/2015 02:58 AM, Christopher Lamb wrote:
>> Hi All
>>
>> I too am suffering from the infamous Web ui error “Your session has expired. Please re-login.” from browser(s) on remote client(s), similar to the existing tickets:
>> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
>> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>>
>> We have 2 FreeIPA installations:
>> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
>> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>>
>> The error occurs on both instances. I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE etc). Very sporadically one of the above browsers will “let me in” - if I cycle through all the browsers on various workstations / laptops on my desk sometimes I get lucky and one will work.
>>
>> kinit in a ssh session works. SELinux is disabled. All IPA Services are running. I can find no error(s) in /var/log/httpd/error_log
>>
>> In /var/log/krb5kdc.log I get entries like:
>> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
>> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down fd 12
>>
>> If I enter a wrong password, I correctly get “The password or username you entered is incorrect.”, + errors in /var/log/httpd/error_log
>>
>> None of the browsers have a krb5 ticket installed. I get the error with both my user, and the default admin user.
>>
>> From the same browsers I can successfully access the Web UI of the public demo on https://ipa.demo1.freeipa.org/ipa/ui/
>
> Do the machines with browsers have synchronized time with the IPA servers?
>
> If a client machine with a browser is 20 min+ in the future compared to the IPA server, the browser will treat the ipa_session cookie as expired because its validity is auth_time + 20 min.
>
> Could you enable server debug logging [1] and send me entries from httpd/error_log and krb5kdc.log which were added upon Web UI forms-based auth with correct username and password?
>
> [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug
>
> --
> Petr Vobornik