Hello, looking for some help.
We've recently noted that the majority of our web UIs have started to fail login. I have at least one that's still allowing logins at present.
When attempting to log in, we get a 401 Unauthorized in the networking tab for the login POST request, and a banner appears: "Your session has expired. Please log in again."
In the Kerberos logs I see the following:
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: NEEDED_PREAUTH: WELLKNOWN/ANONYMOUS@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM, Additional pre-authentication required
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha384-192(20), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, WELLKNOWN/ANONYMOUS@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: NEEDED_PREAUTH: marc.admin@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM, Additional pre-authentication required
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, marc.admin@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, marc.admin@INT.I-NEDA.COM for HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM for ldap/red-ipa01.int.i-neda.com@INT.I-NEDA.COM, KDC policy rejects request
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (6 etypes {aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), camellia256-cts-cmac(26), camellia128-cts-cmac(25)}) 10.13.3.111: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM for ldap/red-ipa01.int.i-neda.com@INT.I-NEDA.COM, KDC policy rejects request
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
We are not having issues with other parts of the authentication system, as we are still able to SSH into servers, use sudo over shared auth, etc. And we can verify the issue isn't config on the cluster side. These hosts are updated regularly in a round robin. One host that is allowing web UI access was updated and restarted last night, so I don't believe it's a package / code level issue either.
Any help or pointers would be greatly appreciated.
Regards,
Marc.
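An added triage helper, written here and not part of Marc's post or of FreeIPA: it parses krb5kdc lines like those above into records and lists the TGS requests the KDC refused, so the step the web UI depends on (HTTP/ requesting an ldap/ ticket on the user's behalf, here rejected with S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC) can be pulled out of a busy log and compared between a working and a failing host. The sample lines are the post's own, joined one per entry with the etype lists abbreviated.

```python
import re

# Request line: pid, request type, client IP, KDC status and the remainder.
REQ = re.compile(r"krb5kdc\[(?P<pid>\d+)\]\(\w+\): (?P<kind>AS_REQ|TGS_REQ) "
                 r"\(\d+ etypes \{[^}]*\}\) (?P<ip>[\d.]+): (?P<status>[A-Z0-9_]+): (?P<rest>.*)$")
# "... " continuation lines (e.g. the CONSTRAINED-DELEGATION detail) belong to the previous request.
CONT = re.compile(r"krb5kdc\[\d+\]\(\w+\): \.\.\. (?P<extra>.*)$")
# "<client principal> for <server principal>", optionally followed by ", <reason>".
PRINC = re.compile(r"(?P<client>[\w./-]+@[\w.-]+) for (?P<server>[\w./-]+@[\w.-]+)")

def parse_kdc_log(lines):
    """Return one record per AS_REQ/TGS_REQ line, in log order."""
    records = []
    for line in lines:
        m = REQ.search(line)
        if m:
            rec = m.groupdict()
            rest = rec.pop("rest")
            p = PRINC.search(rest)
            rec["client"] = p.group("client") if p else None
            rec["server"] = p.group("server") if p else None
            # Whatever follows the principals is the KDC's reason text, if any.
            rec["reason"] = (rest[p.end():].strip(", ") or None) if p else None
            rec["extra"] = []
            records.append(rec)
        else:
            c = CONT.search(line)
            if c and records:
                records[-1]["extra"].append(c.group("extra"))
    return records

def delegation_failures(lines):
    """TGS requests the KDC answered with anything other than ISSUE."""
    return [r for r in parse_kdc_log(lines)
            if r["kind"] == "TGS_REQ" and r["status"] != "ISSUE"]

# Constructed sample: the post's lines joined one per entry, etype lists abbreviated.
SAMPLE = """\
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.13.3.111: NEEDED_PREAUTH: marc.admin@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM, Additional pre-authentication required
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, marc.admin@INT.I-NEDA.COM for krbtgt/INT.I-NEDA.COM@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1861](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.13.3.111: ISSUE: authtime 1707232119, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, marc.admin@INT.I-NEDA.COM for HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): TGS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.13.3.111: S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC: authtime 1707232119, etypes {rep=UNSUPPORTED:(0)} HTTP/red-ipa01.int.i-neda.com@INT.I-NEDA.COM for ldap/red-ipa01.int.i-neda.com@INT.I-NEDA.COM, KDC policy rejects request
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): ... CONSTRAINED-DELEGATION s4u-client=<unknown>
Feb 06 15:08:39 red-ipa01.int.i-neda.com krb5kdc[1862](info): closing down fd 12
"""

if __name__ == "__main__":
    for r in delegation_failures(SAMPLE.splitlines()):
        print(f"{r['status']}: {r['client']} -> {r['server']} ({r['reason']}); {'; '.join(r['extra'])}")
```

Running it against the journal of a working host and a failing host side by side shows whether the S4U2Proxy step is the only one that differs.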