Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-05-04 Thread Petr Spacek
On 30.4.2015 14:39, Christopher Lamb wrote:
> Hi Petr
>
> Thanks, we solved this issue and reported that back on this thread. The
> troubleshooting guide has even been updated as a result.
>
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html
>
> Your suggestion has however hit the nail on the head - the problem was
> clock skew between the Server hosting freeIPA and the workstations.

Petr, could we detect this situation in initial Javascript?

I can imagine that server sends its current UTC time to the browser while
login page is loading and then client could compare (local UTC) - (server UTC)
and scream if time difference is greater than ... 5 minutes or so?

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-05-04 Thread Petr Vobornik

On 05/04/2015 07:53 AM, Petr Spacek wrote:

> On 30.4.2015 14:39, Christopher Lamb wrote:
>> Hi Petr
>>
>> Thanks, we solved this issue and reported that back on this thread. The
>> troubleshooting guide has even been updated as a result.
>>
>> https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html
>>
>> Your suggestion has however hit the nail on the head - the problem was
>> clock skew between the Server hosting freeIPA and the workstations.
>
> Petr, could we detect this situation in initial Javascript?
>
> I can imagine that server sends its current UTC time to the browser while
> login page is loading and then client could compare (local UTC) - (server UTC)
> and scream if time difference is greater than ... 5 minutes or so?

I think it's possible.

Server sends HTTP response date header[1] with format [2].

In browser:

   // xhr: a completed XMLHttpRequest to the IPA server, e.g. the login page load
   var date = new Date(xhr.getResponseHeader('Date')); // server clock, taken from the Date header
   var diff = Date.now() - date.getTime();             // milliseconds the client clock is ahead of the server
   var minutes = diff / 1000 / 60;                     // positive: client ahead; negative: client behind

new ticket: https://fedorahosted.org/freeipa/ticket/5015

[1] https://tools.ietf.org/html/rfc2616#section-14.18
[2] https://tools.ietf.org/html/rfc2616#section-3.3.1
--
Petr Vobornik



Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-30 Thread Petr Vobornik

On 04/25/2015 02:58 AM, Christopher Lamb wrote:


> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” using browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/



Do the machines with browsers have synchronized time with IPA servers?

If a client machine with a browser is 20 min or more in the future compared to the IPA 
server, the browser will treat the ipa_session cookie as expired because its 
validity is auth_time + 20 min.


Could you enable server debug logging [1] and send me entries from 
httpd/error_log and krb5kdc.log which were added upon Web UI forms-based 
auth with correct username and password?


[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug

--
Petr Vobornik

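The clock-skew check proposed by Petr Spacek and sketched by Petr Vobornik in the 2015-05-04 messages above, combined with the ipa_session cookie window (auth_time + 20 min) described in this reply, worked through as an added example. This is not FreeIPA's own code: the function names, the 5-minute warning threshold (taken from Petr Spacek's suggestion) and the sample Date header value are assumptions, and the client clock is passed in as a parameter so the logic can be exercised offline.

```javascript
// Added example (not FreeIPA code): detect client/server clock skew from the
// HTTP Date header and show why a skewed client sees a 20-minute session
// cookie as already expired.

const SESSION_LIFETIME_MIN = 20;   // ipa_session validity quoted in the thread
const SKEW_WARN_MIN = 5;           // warning threshold suggested in the thread (assumption)

// Parse an HTTP Date header (RFC 2616 section 3.3.1 format). Returns null when
// the header is absent or unparseable (Date.parse yields NaN) so that callers
// can distinguish "cannot tell" from "no skew".
function parseHttpDate(header) {
  if (typeof header !== 'string' || header.trim() === '') return null;
  const ms = Date.parse(header);
  return Number.isNaN(ms) ? null : ms;
}

// Minutes the client clock is ahead of the server clock (negative = behind).
// clientNowMs defaults to Date.now(); it is a parameter so the check is testable.
function clockSkewMinutes(dateHeader, clientNowMs = Date.now()) {
  const serverMs = parseHttpDate(dateHeader);
  if (serverMs === null) return null;
  return (clientNowMs - serverMs) / 1000 / 60;
}

// Decide whether the login page should warn the user, as the thread proposes:
// warn when the absolute skew exceeds a few minutes.
function checkClockSkew(dateHeader, clientNowMs = Date.now(), warnMinutes = SKEW_WARN_MIN) {
  const skew = clockSkewMinutes(dateHeader, clientNowMs);
  if (skew === null) {
    return { status: 'unknown', skewMinutes: null,
             message: 'Could not read server time from the Date header' };
  }
  if (Math.abs(skew) > warnMinutes) {
    return { status: 'skewed', skewMinutes: skew,
             message: 'Clock differs from the server by ' + Math.round(skew) +
                      ' minutes; synchronise the client clock or the Web UI session will appear expired' };
  }
  return { status: 'ok', skewMinutes: skew, message: '' };
}

// The failure mode from the thread: the server sets the cookie to expire at
// auth_time + 20 min, but the browser compares that against its own clock.
function sessionCookieLooksExpired(serverAuthMs, clientNowMs, lifetimeMin = SESSION_LIFETIME_MIN) {
  const expiresMs = serverAuthMs + lifetimeMin * 60 * 1000;
  return clientNowMs >= expiresMs;
}

// Constructed sample values (not taken from the thread's logs): the server
// reports 10:00:00 UTC; the client clock is 2 hours ahead, as the reporter saw.
const sampleDateHeader = 'Thu, 30 Apr 2015 10:00:00 GMT';
const serverMs = Date.parse(sampleDateHeader);
const clientTwoHoursAhead = serverMs + 2 * 60 * 60 * 1000;

// In a browser, pass xhr.getResponseHeader('Date') instead of the constructed header.
if (typeof module !== 'undefined' && require.main === module) {
  console.log(checkClockSkew(sampleDateHeader, clientTwoHoursAhead));
  console.log('cookie expired on skewed client:',
              sessionCookieLooksExpired(serverMs, clientTwoHoursAhead));
}
```

The Date header carries one-second resolution and includes network latency, so a threshold of seconds would be noise; the minutes-scale threshold discussed in the thread is the right order of magnitude. A `null` result from the parser should be surfaced as "unknown" rather than treated as "no skew", otherwise a proxy that strips or mangles the header silently disables the check.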

Re: [Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

2015-04-30 Thread Christopher Lamb
Hi Petr

Thanks, we solved this issue and reported that back on this thread. The
troubleshooting guide has even been updated as a result.

https://www.redhat.com/archives/freeipa-users/2015-April/msg00605.html

Your suggestion has however hit the nail on the head - the problem was
clock skew between the Server hosting freeIPA and the workstations.

Ironically, before installing freeIPA server we had no clock skew - client
and workstation clocks were within seconds. Post freeIPA install, the server
was suddenly 2 hours in the future.

This seems to be because freeIPA had replaced the ntpd server entries in
the ntp.conf file. After reverting to our standard ntp.conf for a vm and
restarting ntpd the clock skew vanished, as did the “Your session has
expired” error on the Web UI.

The 2 hours time difference was probably a result of the difference between
UTC and European Summer Time. It will likely be familiar to anybody who has
configured FIX interfaces in Europe.

Chris

BTW, the above applies to our new 4.1.0 installation. We get the same
“session has expired” error from our 3.0.0 freeIPA installation that we
will decommission shortly. On that machine the cause is not clock skew.





From:   Petr Vobornik pvobo...@redhat.com
To: Christopher Lamb/Switzerland/IBM@IBMCH,
freeipa-users@redhat.com
Date:   30.04.2015 12:52
Subject:Re: [Freeipa-users] Web ui error “Your session has expired.
Please re-login.” from a browser on a remote client.



On 04/25/2015 02:58 AM, Christopher Lamb wrote:

> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” using browser(s) on remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safari, IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> sometimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, y...@xxx-xx.xx.xx.com for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx@xxx-xx.xx.xxx.com
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect.”, + errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
> From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/


Do the machines with browsers have synchronized time with IPA servers?

If a client machine with a browser is 20 min or more in the future compared to the IPA
server, the browser will treat the ipa_session cookie as expired because its
validity is auth_time + 20 min.

Could you enable server debug logging [1] and send me entries from
httpd/error_log and krb5kdc.log which were added upon Web UI forms-based
auth with correct username and password?

[1]
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug

--
Petr Vobornik


