This shows you the differences between two versions of the page.
tutorial:adm:sso_ad_domain [2020/06/12 16:26] apeterova Header size limit |
tutorial:adm:sso_ad_domain [2020/06/12 16:27] apeterova |
* ''gss\_accept\_sec\_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)'': the client doesn't trust the address of IdM, i.e. it isn't in Trusted sites in Internet Explorer. | * ''gss\_accept\_sec\_context() failed: No credentials were supplied, or the credentials were unavailable or inaccessible (, Unknown error)'': the client doesn't trust the address of IdM, i.e. it isn't in Trusted sites in Internet Explorer. |
* ''gss\_accept\_sec\_context() failed: An unsupported mechanism was requested (, Unknown error)'': the client doesn't trust the address of IdM, i.e. it isn't in Trusted sites in Internet Explorer. (probably) | * ''gss\_accept\_sec\_context() failed: An unsupported mechanism was requested (, Unknown error)'': the client doesn't trust the address of IdM, i.e. it isn't in Trusted sites in Internet Explorer. (probably) |
* ''request failed: error reading the headers'': This happens to users who are members of many AD groups (e.g. more than 100) and use IE. More precisely: the Authorization header (holding Kerberos ticket) is longer than the max size of HTTP headers in the Apache webserver. Some browsers, e.g. Chrome, cuts off the tickets, but IE doesn't. You may increase the limit of the header size in Apache HTTP Server by the [[https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize|LimitRequestFieldSize]] directive. However, the limit may be also on the application server (Apache Tomcat, JBoss). Then you can unset the header so it's not proxied to the application server - put ''RequestHeader unset Authorization'' in the ''/etc/httpd/conf.d/ssl.conf''. | * ''request failed: error reading the headers'' (and HTTP response 400): This happens to users who are members of many AD groups (e.g. more than 100) and use IE. More precisely: the Authorization header (holding Kerberos ticket) is longer than the max size of HTTP headers in the Apache webserver. Some browsers, e.g. Chrome, cuts off the tickets, but IE doesn't. You may increase the limit of the header size in Apache HTTP Server by the [[https://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize|LimitRequestFieldSize]] directive. However, the limit may be also on the application server (Apache Tomcat, JBoss). Then you can unset the header so it's not proxied to the application server - put ''RequestHeader unset Authorization'' in the ''/etc/httpd/conf.d/ssl.conf''. |
* ''failed to verify krb5 credentials: Key table entry not found'': something is wrong with the keytab. Try to compare its version (KVNO) and the version of Kerberos ticket: | * ''failed to verify krb5 credentials: Key table entry not found'': something is wrong with the keytab. Try to compare its version (KVNO) and the version of Kerberos ticket: |
<code> | <code> |
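Review bot: the added "(and HTTP response 400)" on the ''request failed: error reading the headers'' item puts two different symptoms side by side without saying where each one is observed. Suggest wording it so the reader knows which is the status the browser receives and which is the message to look for on the server, for example "''request failed: error reading the headers'' in the Apache log, the browser gets HTTP 400". While this line is being touched: "Some browsers, e.g. Chrome, cuts off the tickets" should read "cut off"; the LimitRequestFieldSize link points at the 2.2 documentation and the item gives no example value to set; and the ''RequestHeader unset Authorization'' advice should state that it removes the header for everything proxied through that ''ssl.conf'', so it only fits when the application server does not need the Authorization header itself.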