Cannot access SSO with computer host name
AvshT opened this issue
Hi,
First I want to thank you for your hard work supporting this.
I need your help with my issue:
- I've implemented your example on one of our network servers (Windows Server 2016).
- When I try to get SSO login with the IP address, everything works fine.
- But when I try to get SSO login with the computer host address, I'm getting a popup window that says to enter login credentials.
What am I missing?
One note:
If I continue by clicking on Cancel, I get the following exception on the node console:
```
statusInfo: {
  adminPrivileges: true,
  isOnDomain: true,
  domain: 'NTNET',
  isActiveDirectoryReachable: true
}
messageType: Kerberos_1
UnauthorizedError: Error while doing SSO: AcceptSecurityContext: SECURITY_STATUS incorrect (<0): (error code: 0x80090308) The token supplied to the function is invalid
```
BR
Avshalom
Hi @AvshT,
From the above log, I can see you are using Kerberos (it is a good thing). Kerberos, to work properly, needs the server to be declared with a good SPN (Service Principal Name). The SPN is an attribute of a domain account declared in Active Directory.
The Kerberos client, in your case your web browser, automatically builds the SPN as a string like this: `HTTP/<server-name>`.
https://www.chromium.org/developers/design-documents/http-authentication
To be sure to have a good SPN, please do the following:
On the server account, open a cmd and check the SPN list:
```
setspn -L NTNET\<domain-account>
```
If you cannot see `HTTP/<yourhostname>`, then you should add it. (It is a sysadmin task.)
```
setspn -a HTTP/<yourhostname.domain.url> NTNET\<domain-account>
```
Please check and review this part of my doc:
https://github.com/jlguenego/node-expose-sspi/blob/master/doc/Kerberos.md
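The SPN check described in the reply above, as an added example that is not part of the thread or of node-expose-sspi: it derives the `HTTP/<server-name>` SPN for the URL a user types and looks for it in text saved from `setspn -L`. It assumes the browser uses the host name exactly as typed and omits the port; the host names and account DN in `SAMPLE` are constructed.

```javascript
// Added example, not project code. Assumption: the browser requests
// HTTP/<host name as typed in the URL>, with no port suffix.

// Constructed `setspn -L` output (host names and account DN are made up).
const SAMPLE = [
  'Registered ServicePrincipalNames for CN=svc-web,CN=Users,DC=ntnet,DC=example:',
  '\tHTTP/websrv01.ntnet.example',
  '\tHOST/WEBSRV01',
].join('\r\n');

// Keep only lines shaped like <class>/<host>[:port]; the header line is dropped.
function parseSetspnList(output) {
  return output
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => /^[^\s/:]+\/\S+$/.test(line));
}

// SPN expected for a URL, or null when the host is an IP literal.
// The URL parser normalizes IPv4 to dotted decimal and brackets IPv6.
function expectedSpn(url) {
  const host = new URL(url).hostname;
  const isIpLiteral = /^\[.*\]$/.test(host) || /^\d+(\.\d+){3}$/.test(host);
  return isIpLiteral ? null : `HTTP/${host}`;
}

// Compare case-insensitively, as SPN matching ignores case.
function checkSpn(url, setspnOutput) {
  const spn = expectedSpn(url);
  if (spn === null) {
    return { spn, registered: false, note: 'IP literal: no host-name SPN to look up' };
  }
  const wanted = spn.toLowerCase();
  const registered = parseSetspnList(setspnOutput)
    .some((entry) => entry.toLowerCase() === wanted);
  const note = registered
    ? 'SPN present on the account'
    : `missing, ask a sysadmin to run: setspn -a ${spn} NTNET\\<domain-account>`;
  return { spn, registered, note };
}

// Short name is not registered in SAMPLE, the FQDN is.
for (const url of ['http://websrv01:3000/', 'http://websrv01.ntnet.example:3000/']) {
  console.log(url, checkSpn(url, SAMPLE));
}
```

In the sample, only the fully qualified name is registered, so a user browsing to the short host name would request an SPN the account does not carry.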