Dameon Wagner <[email protected]> writes:

> However, with 1 node upgraded and added to the round-robin DNS I'm
> seeing an issue that indicates that anyone trying to authenticate to a
> WAS for the first time, via the 4.1 node, gets prompted for
> credentials, even if moments before they successfully authenticated to
> one of the other (3.6) WebKDCs (so it's not acting like Single Sign-on
> anymore).

Are you absolutely sure that there's a webauth_wpt cookie set after the
previous authentication?  This message:

> Looking at the apache error log on the upgraded node I see entries
> like the following (all on one line and mildly redacted):

> #---8<-----------------------------------------------------------------
> [notice] mod_webkdc: event=requestToken from=127.0.0.1
>   clientIp=XX.XX.XX.XX server=krb5:webauth/[email protected]
>   url=https://was-url-for-redirect user=<unknown>
>   rtt=id sa=webkdc lec=15 lem="need a proxy token"
> #---8<-----------------------------------------------------------------

indicates that the WebLogin server didn't see any webauth_wpt cookies, or
they were all invalid.

There are no other messages in the WebKDC log at all?  If you didn't
synchronize the keyrings properly, there should be another message saying
that the proxy token couldn't be parsed.  Actually, regardless of why the
proxy token was rejected, there should be a message saying so.  If there's
no other message at all, that should mean that the browser didn't present
any cookie.

-- 
Russ Allbery <[email protected]>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
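
Added example, not part of the original message or of WebAuth itself: a small parser for mod_webkdc event lines of the shape quoted above, tallying `requestToken` events rejected with `lec=15` ("need a proxy token") per client IP, so a WebKDC node's error log can be checked for the pattern discussed in the thread. The sample lines, IP addresses and host names are constructed, and the shape of the line without `lec` is an assumption.

```python
import re
from collections import Counter

# key=value pairs as they appear in mod_webkdc event lines; values may be quoted.
PAIR = re.compile(r'(?<!\S)(\w+)=("[^"]*"|\S+)')

# Constructed sample lines modelled on the redacted entry quoted in the thread.
_BASE = ('[notice] mod_webkdc: event=requestToken from=127.0.0.1 clientIp={ip} '
         'server=krb5:webauth/was.example.org@EXAMPLE.ORG url={url} user={user} '
         'rtt=id sa=webkdc')
_MISS = ' lec=15 lem="need a proxy token"'
SAMPLE_LOG = [
    _BASE.format(ip="192.0.2.10", url="https://was.example.org/a", user="<unknown>") + _MISS,
    _BASE.format(ip="192.0.2.10", url="https://was.example.org/b?x=1", user="<unknown>") + _MISS,
    _BASE.format(ip="198.51.100.7", url="https://was.example.org/a", user="<unknown>") + _MISS,
    # Assumed shape of an event that carries no error code (not taken from the thread).
    _BASE.format(ip="192.0.2.10", url="https://was.example.org/a", user="jdoe"),
    # Unrelated Apache error-log line that must be ignored.
    "[error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
]

def parse_event(line):
    """Return the key=value fields of a mod_webkdc event line, or None."""
    _, marker, rest = line.partition("mod_webkdc:")
    if not marker:
        return None
    return {key: value.strip('"') for key, value in PAIR.findall(rest)}

def proxy_token_misses(lines):
    """Count requestToken events rejected with lec=15, keyed by client IP."""
    misses = Counter()
    for line in lines:
        event = parse_event(line)
        if event and event.get("event") == "requestToken" and event.get("lec") == "15":
            misses[event.get("clientIp", "?")] += 1
    return misses

if __name__ == "__main__":
    for ip, count in proxy_token_misses(SAMPLE_LOG).most_common():
        print(f"{ip}\t{count} requestToken event(s) with lec=15")
```

A client that appears here with no other WebKDC message alongside it matches the "browser didn't present any cookie" case described in the reply.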
