jlguenego / node-expose-sspi

Expose Microsoft Windows SSPI to Node for SSO authentication.

AcceptSecurityContext: SECURITY_STATUS incorrect

seshunareshbonthula opened this issue · comments

Hi,

I am using the package and when I call the sso.auth() function for the second time I am seeing this error. I have exposed an endpoint for login. When I browse from Chrome (http://localhost:5000/api/login) for the first time, I am able to see all the SSO details. When I browse it for the second time I am receiving the below error. Could you please guide me on where I am going wrong?

//Login end point (express-session is mounted first so req.session exists)
const express = require('express');
const session = require('express-session');
const { sso } = require('node-expose-sspi');
const app = express();
app.use(session({ secret: 'change-me', resave: false, saveUninitialized: false }));
app.get('/api/login', sso.auth(), (req, res, next) => { // sso.auth() runs the SSPI handshake and fills req.sso
  req.session.sso = req.sso; // keep the SSO result for later requests
  res.send(req.sso);
});

Error while doing SSO: AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308) The token supplied to the function is invalid
401
UnauthorizedError: Error while doing SSO: AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308) The token supplied to the function is invalid

at Object.<anonymous> (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:190:54)
at step (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:33:23)
at Object.next (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:14:53)
at D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:8:71
at new Promise (<anonymous>)
at __awaiter (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:4:12)
at D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:88:31
at D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:195:15
at Layer.handle [as handle_request] (D:\Sources\api\src\node_modules\express\lib\router\layer.js:95:5)
at next (D:\Sources\api\src\node_modules\express\lib\router\route.js:137:13)
at Route.dispatch (D:\Sources\api\src\node_modules\express\lib\router\route.js:112:3)
at Layer.handle [as handle_request] (D:\Sources\api\src\node_modules\express\lib\router\layer.js:95:5)
at D:\Sources\api\src\node_modules\express\lib\router\index.js:281:22
at Function.process_params (D:\Sources\api\src\node_modules\express\lib\router\index.js:335:12)
at next (D:\Sources\api\src\node_modules\express\lib\router\index.js:275:10)
at D:\Sources\api\src\app.js:79:13
at Layer.handle [as handle_request] (D:\Sources\api\src\node_modules\express\lib\router\layer.js:95:5)
at trim_prefix (D:\Sources\api\src\node_modules\express\lib\router\index.js:317:13)
at D:\Sources\api\src\node_modules\express\lib\router\index.js:284:7
at Function.process_params (D:\Sources\api\src\node_modules\express\lib\router\index.js:335:12)
at next (D:\Sources\api\src\node_modules\express\lib\router\index.js:275:10)
at D:\Sources\api\src\app.js:66:9

Please try the https://github.com/jlguenego/angular-sso-example project and compare with yours.

I am using ExpressJS and I am observing this issue with the following workflow:

  1. Open Chrome, browse http://localhost:5000/api/login, able to see the sso object
  2. Close and reopen the Chrome browser
  3. Now browse http://localhost:5000/api/login, we are receiving the error.

Note: refreshing the step 3 page again, we are receiving no errors and are able to see the sso object.

Thank you, I am using the react-sso-example and doing the coding

If I have to investigate I need to see more of your project. Which HTTP client are you using? Please also make sure you are using the latest version of the node-expose-sspi module. Are you on a domain? etc.

Also there is a command npm run status. Please run this command to see your system env.

I have an existing ExpressJS application and am now introducing SSO. For that, I have exposed a new endpoint (/api/login).

I have started the ExpressJS app using npm run and am then using the Chrome browser to test the endpoint as of now. Later, I will use the endpoint in my ReactJS application.

I am connected to a domain and using the latest version of node-expose-sspi.

I have observed this:

  1. Open Chrome, browse http://localhost:5000/api/login, able to see the sso object
  2. Close and reopen the Chrome browser
  3. Now browse http://localhost:5000/api/login, we are receiving the error.

I believe this is an error with the cookie which is created, and its dependency. Can we have a call on Gmail so that I can show you the error?

Maybe you have another middleware in your Express app that makes a conflict. Have you tried to expose /api/login at the top of your ExpressJS config?

You could try as well with the options sso.auth({useCookies: false}) if you want to disable cookies.

You can send me a call on my mail (jlguenego@gmail.com) if you want us to investigate together (Google Meet).

Can we have a call now? If not, let me know your free time.

I can do 3pm GMT today.

Please upgrade to the latest version (changelog: added more debug tools).

Still seeing the same issue after upgrade

401

Error while doing SSO: AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308) The token supplied to the function is invalid

401

UnauthorizedError: Error while doing SSO: AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308) The token supplied to the function is invalid

at Object.<anonymous> (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:197:54)
at step (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:33:23)
at Object.next (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:14:53)
at D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:8:71
at new Promise (<anonymous>)
at __awaiter (D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:4:12)
at D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:92:31
at D:\Sources\api\src\node_modules\node-expose-sspi\dist\sso\auth.js:202:15
at Layer.handle [as handle_request] (D:\Sources\api\src\node_modules\express\lib\router\layer.js:95:5)
at next (D:\Sources\api\src\node_modules\express\lib\router\route.js:137:13)
at Route.dispatch (D:\Sources\api\src\node_modules\express\lib\router\route.js:112:3)
at Layer.handle [as handle_request] (D:\Sources\api\src\node_modules\express\lib\router\layer.js:95:5)
at D:\Sources\api\src\node_modules\express\lib\router\index.js:281:22
at Function.process_params (D:\Sources\api\src\node_modules\express\lib\router\index.js:335:12)
at next (D:\Sources\api\src\node_modules\express\lib\router\index.js:275:10)
at D:\Sources\api\src\app.js:65:13
at Layer.handle [as handle_request] (D:\Sources\api\src\node_modules\express\lib\router\layer.js:95:5)
at trim_prefix (D:\Sources\api\src\node_modules\express\lib\router\index.js:317:13)
at D:\Sources\api\src\node_modules\express\lib\router\index.js:284:7
at Function.process_params (D:\Sources\api\src\node_modules\express\lib\router\index.js:335:12)
at next (D:\Sources\api\src\node_modules\express\lib\router\index.js:275:10)
at session (D:\Sources\api\src\node_modules\express-session\index.js:475:7)

Yes, but on the server side there are more logs. Please show me the status info.

Thanks for this videoconf. We saw the issue together: when starting the browser, the first request leads to the "AcceptSecurityContext: SECURITY_STATUS incorrect" error. Then the second, third, etc. do not have errors.

This is happening only with the sso.auth() with the "useCookies = true" options.

I am going to investigate why and provide a fix to this issue. Thanks.

Thank you for joining the call. We really appreciate the quick response from you, regarding the issue.

I found the origin of the problem: when I send the "Set-Cookie" header, the browser does not always save the cookie. But always adding a Max-Age to the Set-Cookie solves the issue.

see the https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

However, the very first call after starting the server is still not solved. Still working on it.

Added the notion of previousServerContextHandle, which is not thread safe but only manages the very first start of a new browser.
The error would then occur in an extremely rare case: with NTLM, the very first time a user comes to the site and connects at the same time (some milliseconds interval) as another one.

Considered as fixed.

Please test the last version : 0.1.36
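Added example, not part of this thread and not code from node-expose-sspi: a toy JavaScript model of the two-leg NTLM handshake correlation that the two comments above describe, the correlation cookie that a browser may not keep without Max-Age, and the previousServerContextHandle fallback that is shared by every client. Server, CookieJar, the sspi cookie name, the TYPE1/TYPE3 token strings and the keepSessionCookies switch are assumed names for this model; the real SSPI calls and NTLM message formats are not reproduced.

```javascript
// Added example, not code from node-expose-sspi: a toy model of the two-leg
// NTLM handshake correlation discussed in this issue. Server, CookieJar, the
// "sspi" cookie and the TYPE1/TYPE3 strings are invented names.
const SEC_E_INVALID_TOKEN =
  'AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308)';

// Browser side. Per RFC 6265 a cookie without Max-Age/Expires is a session
// cookie; keepSessionCookies=false models the reported behaviour that the
// browser does not always keep such a cookie (an assumption of this model).
class CookieJar {
  constructor({ keepSessionCookies = true } = {}) {
    this.keepSessionCookies = keepSessionCookies;
    this.cookies = new Map(); // name -> value
  }
  store(setCookie) {
    if (!setCookie) return;
    const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
    const persistent = attrs.some((a) => /^(max-age|expires)=/i.test(a));
    if (!persistent && !this.keepSessionCookies) return; // dropped by the browser
    const eq = pair.indexOf('=');
    this.cookies.set(pair.slice(0, eq), pair.slice(eq + 1));
  }
  header() {
    return [...this.cookies].map(([k, v]) => `${k}=${v}`).join('; ') || undefined;
  }
}

// Server side: partial server contexts keyed by the correlation cookie, plus
// the optional "previous handle" fallback, which is global, not per client.
class Server {
  constructor({ maxAge = null, usePreviousHandle = false } = {}) {
    this.maxAge = maxAge; // seconds, or null for a session cookie
    this.usePreviousHandle = usePreviousHandle;
    this.contexts = new Map(); // handle -> { nonce }
    this.previousHandle = null;
    this.counter = 0;
  }
  handle({ authorization, cookie }) {
    if (!authorization) return { status: 401, wwwAuthenticate: 'NTLM' };
    const [, type, user, nonce] =
      /^NTLM (TYPE1|TYPE3)(?::([^:]+):(.+))?$/.exec(authorization) || [];
    if (type === 'TYPE1') {
      // Leg 2: create a server context and issue the challenge (a toy nonce
      // here; real NTLM uses a random server challenge).
      const handle = `ctx${++this.counter}`;
      const challenge = Math.random().toString(16).slice(2);
      this.contexts.set(handle, { nonce: challenge });
      this.previousHandle = handle;
      const attrs = this.maxAge === null ? '' : `; Max-Age=${this.maxAge}`;
      return {
        status: 401,
        wwwAuthenticate: `NTLM ${challenge}`,
        setCookie: `sspi=${handle}; HttpOnly${attrs}`,
      };
    }
    if (type === 'TYPE3') {
      // Leg 3: locate the context from the cookie, else from the fallback.
      const fromCookie = ((cookie || '').match(/(?:^|; )sspi=([^;]+)/) || [])[1];
      const handle = fromCookie || (this.usePreviousHandle ? this.previousHandle : null);
      const ctx = handle ? this.contexts.get(handle) : undefined;
      // No context, or a response computed over another client's challenge:
      // SSPI rejects the token.
      if (!ctx || ctx.nonce !== nonce) return { status: 401, error: SEC_E_INVALID_TOKEN };
      this.contexts.delete(handle);
      return { status: 200, user };
    }
    return { status: 400 };
  }
}

// Browser side of the handshake. `interleave` lets another client hit the
// server between this client's leg 2 and leg 3.
function authenticate(server, jar, user, interleave = () => {}) {
  const get = (authorization) => {
    const res = server.handle({ authorization, cookie: jar.header() });
    jar.store(res.setCookie);
    return res;
  };
  get(undefined); // leg 1: 401 NTLM
  const challenge = get('NTLM TYPE1').wwwAuthenticate.split(' ')[1]; // leg 2
  interleave();
  return get(`NTLM TYPE3:${user}:${challenge}`); // leg 3
}

const freshJar = () => new CookieJar({ keepSessionCookies: false });
// 1. Session cookie not kept: leg 3 arrives with no context (the error above).
function lostSessionCookie() {
  return authenticate(new Server(), freshJar(), 'alice');
}
// 2. The fix: Max-Age makes the cookie persistent, so leg 3 finds its context.
function withMaxAge() {
  return authenticate(new Server({ maxAge: 3600 }), freshJar(), 'alice');
}
// 3. The previousServerContextHandle fallback rescues a single client...
function fallbackSingleClient() {
  return authenticate(new Server({ usePreviousHandle: true }), freshJar(), 'alice');
}
// 4. ...but two first-time clients whose handshakes interleave race on it.
function fallbackRace() {
  const server = new Server({ usePreviousHandle: true });
  let bob;
  const alice = authenticate(server, freshJar(), 'alice', () => {
    bob = authenticate(server, freshJar(), 'bob');
  });
  return { alice: alice.status, bob: bob.status };
}
```

Scenario 1 reproduces the 0x80090308 failure purely from a missing correlation cookie, scenario 2 is the Max-Age fix, and scenario 4 shows why the global fallback is only safe when no two first-time handshakes overlap: Bob's leg 2 overwrites the handle Alice's leg 3 will fall back to.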

It's working well. Thanks JL 👍

The previousServerContextHandle is causing a problem with SSO in the Edge browser because it seems that in my case the domain must be omitted.

This is causing an issue also in Chrome if one attempts to SSO or login with domain\userid.
I've fixed it locally by commenting out the line previousServerContextHandle = serverSecurityContext.contextHandle; but I'm noticing now that the version of node-expose-sspi in lock.json is "0.1.49" due to "node-expose-sspi": "^0.1.49" in the dependencies of the Angular example.