Authentication error message, posted by soren poulsen on Tue Mar 15 17:37:19 2011
|
It is very good to have Kerberos authentication available. It is just the error message which is a bit cryptic.
If you enter your Kerberos password once, and later fail to authenticate with a wrong password, you get:
Kerberos error:
Decrypt integrity check failed.
Please check your Kerberos configuration
That is not really urgent!
Soren
|
Re: Authentication error message, posted by Stefan Ritt on Fri Apr 1 16:13:44 2011 
|
| soren poulsen wrote: |
|
It is very good to have Kerberos authentication available. It is just the error message which is a bit cryptic.
If you enter your Kerberos password once, and later fail to authenticate with a wrong password, you get:
Kerberos error:
Decrypt integrity check failed.
Please check your Kerberos configuration
That is not really urgent!
Soren
|
Can you tell me how to reproduce this? If I do it here, I just get back to the login page:
Maybe it has to do with your specific Kerberos implementation? What server are you using?
|
|
Re: Authentication error message, posted by soren poulsen on Mon Apr 11 19:31:23 2011
|
| Stefan Ritt wrote: |
|
| soren poulsen wrote: |
|
It is very good to have Kerberos authentication available. It is just the error message which is a bit cryptic.
If you enter your Kerberos password once, and later fail to authenticate with a wrong password, you get:
Kerberos error:
Decrypt integrity check failed.
Please check your Kerberos configuration
That is not really urgent!
Soren
|
Can you tell me how to reproduce this? If I do it here, I just get back to the login page:
Maybe it has to do with your specific Kerberos implementation? What server are you using?
|
I am sorry but I cannot reproduce this any more. It happened several times when I was testing different kinds of wrong user input to the authentication dialog but now there is no issue any longer. However, there has been other issues lately in this domain and it may be that the Kerberos installation has been patched by our automatic update installation.
Case closed! Thanks anyway for responding.
Soren |
Re: problems with https in Chrome and IE, posted by Andreas Luedeke on Wed Jan 25 10:50:43 2012
|
| Christian Herzog wrote: |
|
[...] we're evaluating elog right now at the Physics Department of ETH Zurich and I'm trying to come up with a good config. One of the first steps of course was to enable SSL/https. With http, all tested browsers work fine, but with https at least Google Chrome 16 and IE 9 do not get past the "unknown certificate" warning and I see "TCP connection broken" errors in the log file. Firefox however works fine. Same behavior on Linux, Mac and Windows (given the browser in question is available). elog server is running on Lucid.[...]
|
 ⇄
Detect language » English
If you want to use https you should know what a certificate is.
Certificates are used to encript the data, but at the same time they are used to identify the host.
ELOG is delivered with a self generated certificate.
This can be used to encript the data, but no certification authority knows this certificate, so nobody can guaratee that you are connected to the right host.
Most browsers will warn you, that nobody did and if you don't care you need to change the security settings of you browser to accept the connection anyway.
The proper way out of this is to buy a certificate from a certification authority. Or to switch off https. (See https://midas.psi.ch/elog/config.html#global SSL option) |
|
Re: problems with https in Chrome and IE, posted by Christian Herzog on Wed Jan 25 14:05:46 2012
|
| Andreas Luedeke wrote: |
|
| Christian Herzog wrote: |
|
[...] we're evaluating elog right now at the Physics Department of ETH Zurich and I'm trying to come up with a good config. One of the first steps of course was to enable SSL/https. With http, all tested browsers work fine, but with https at least Google Chrome 16 and IE 9 do not get past the "unknown certificate" warning and I see "TCP connection broken" errors in the log file. Firefox however works fine. Same behavior on Linux, Mac and Windows (given the browser in question is available). elog server is running on Lucid.[...]
|
⇄
Detect language » English
If you want to use https you should know what a certificate is.
Certificates are used to encript the data, but at the same time they are used to identify the host.
ELOG is delivered with a self generated certificate.
This can be used to encript the data, but no certification authority knows this certificate, so nobody can guaratee that you are connected to the right host.
Most browsers will warn you, that nobody did and if you don't care you need to change the security settings of you browser to accept the connection anyway.
The proper way out of this is to buy a certificate from a certification authority. Or to switch off https. (See https://midas.psi.ch/elog/config.html#global SSL option)
|
we know about certificates, thank you 
The point is that it stops AFTER the point at which I tell the browser to accept the self-signed certificates. I now even got a CACert and the problem remains: FF works, Chrome and IE don't: https://phd-bkp-gw2.ethz.ch:8080/admin/
log says: TCP connection broken
thanks,
-Christian |
|
Re: problems with https in Chrome and IE, posted by Andreas Luedeke on Wed Jan 25 14:48:36 2012
|
| Christian Herzog wrote: |
|
|
Andreas Luedeke wrote:
|
|
|
Christian Herzog wrote:
|
|
[...] we're evaluating elog right now at the Physics Department of ETH Zurich and I'm trying to come up with a good config. One of the first steps of course was to enable SSL/https. With http, all tested browsers work fine, but with https at least Google Chrome 16 and IE 9 do not get past the "unknown certificate" warning and I see "TCP connection broken" errors in the log file. Firefox however works fine. Same behavior on Linux, Mac and Windows (given the browser in question is available). elog server is running on Lucid.[...]
|
⇄
Detect language » English
[...] The proper way out of this is to buy a certificate from a certification authority. Or to switch off https. (See https://midas.psi.ch/elog/config.html#global SSL option)
|
we know about certificates, thank you The point is that it stops AFTER the point at which I tell the browser to accept the self-signed certificates. I now even got a CACert and the problem remains: FF works, Chrome and IE don't: https://phd-bkp-gw2.ethz.ch:8080/admin/
log says: TCP connection broken [...]
|
⇄
Detect language » English
Sorry that I was mis-interpreting your question  Unfortunately I don't know what's wrong with your set-up. I can confirm that I cannot access your logbook with "konquerer", but can access it with "firefox". The "konquerer" (on Scientific Linux 5.7) just gets timed out.
But I can access other SSL/https ELOGs with the konquerer. The problem only occurs with your logbook!
Therefore I would think it is a particular problem of your installation. I have three ideas how to isolate the problem:
- first, I would try to change to the standard port 443. Just in case it is related to some firewall, etc. problem.
- second, I would try another operating system than Ubuntu Lucid. It should work of course with Ubuntu, but if it still doesn't work with the other operating system then many things are already ruled out.
- third, I would try to set-up an apache webserver in front of ELOG. We have it here just for safety reasons. ELOG runs then on some special port and apache connects to it with a reverse proxy.
The latter is a little bit of work (about a day) if you never set-up apache before. Therefore I would try the other two, first.
Good luck!
|
|
Re: problems with https in Chrome and IE, posted by Christian Herzog on Wed Jan 25 15:08:53 2012
|
| Andreas Luedeke wrote: |
|
| Christian Herzog wrote: |
|
|
Andreas Luedeke wrote:
|
|
|
Christian Herzog wrote:
|
|
[...] we're evaluating elog right now at the Physics Department of ETH Zurich and I'm trying to come up with a good config. One of the first steps of course was to enable SSL/https. With http, all tested browsers work fine, but with https at least Google Chrome 16 and IE 9 do not get past the "unknown certificate" warning and I see "TCP connection broken" errors in the log file. Firefox however works fine. Same behavior on Linux, Mac and Windows (given the browser in question is available). elog server is running on Lucid.[...]
|
⇄
Detect language » English
[...] The proper way out of this is to buy a certificate from a certification authority. Or to switch off https. (See https://midas.psi.ch/elog/config.html#global SSL option)
|
we know about certificates, thank you The point is that it stops AFTER the point at which I tell the browser to accept the self-signed certificates. I now even got a CACert and the problem remains: FF works, Chrome and IE don't: https://phd-bkp-gw2.ethz.ch:8080/admin/
log says: TCP connection broken [...]
|
⇄
Detect language » English
Sorry that I was mis-interpreting your question Unfortunately I don't know what's wrong with your set-up. I can confirm that I cannot access your logbook with "konquerer", but can access it with "firefox". The "konquerer" (on Scientific Linux 5.7) just gets timed out.
But I can access other SSL/https ELOGs with the konquerer. The problem only occurs with your logbook!
Therefore I would think it is a particular problem of your installation. I have three ideas how to isolate the problem:
- first, I would try to change to the standard port 443. Just in case it is related to some firewall, etc. problem.
- second, I would try another operating system than Ubuntu Lucid. It should work of course with Ubuntu, but if it still doesn't work with the other operating system then many things are already ruled out.
- third, I would try to set-up an apache webserver in front of ELOG. We have it here just for safety reasons. ELOG runs then on some special port and apache connects to it with a reverse proxy.
The latter is a little bit of work (about a day) if you never set-up apache before. Therefore I would try the other two, first.
Good luck!
|
thanks for the fast resonse.
1) port 433 done. No change
2) compiled elog 2.9.0 on Squeeze and only reused the config file. No change: https://daduke.org:8443/
3) we can do that (and we will) no problem, but I'd like to get it working w/o apache nonetheless
speaking of reverse proxy: we'd like to hook elog to our LDAP server. As there's no LDAP binding built in, is there any way to use apache LDAP auth and then bind to that one?
thanks,
-Christian |
|
Re: problems with https in Chrome and IE, posted by Andreas Luedeke on Wed Jan 25 15:26:04 2012
|
| Christian Herzog wrote: |
|
|
Andreas Luedeke wrote:
|
|
|
Christian Herzog wrote:
|
|
|
Andreas Luedeke wrote:
|
|
|
Christian Herzog wrote:
|
|
[...] we're evaluating elog right now at the Physics Department of ETH Zurich and I'm trying to come up with a good config. One of the first steps of course was to enable SSL/https. With http, all tested browsers work fine, but with https at least Google Chrome 16 and IE 9 do not get past the "unknown certificate" warning and I see "TCP connection broken" errors in the log file. Firefox however works fine. Same behavior on Linux, Mac and Windows (given the browser in question is available). elog server is running on Lucid.[...
|
[...] The proper way out of this is to buy a certificate from a certification authority. Or to switch off https. (See https://midas.psi.ch/elog/config.html#global SSL option)
|
we know about certificates, thank you The point is that it stops AFTER the point at which I tell the browser to accept the self-signed certificates. I now even got a CACert and the problem remains: FF works, Chrome and IE don't: https://phd-bkp-gw2.ethz.ch:8080/admin/
log says: TCP connection broken [...]
|
⇄
Detect language » English
Sorry that I was mis-interpreting your question Unfortunately I don't know what's wrong with your set-up. I can confirm that I cannot access your logbook with "konquerer", but can access it with "firefox". The "konquerer" (on Scientific Linux 5.7) just gets timed out.
But I can access other SSL/https ELOGs with the konquerer. The problem only occurs with your logbook!
Therefore I would think it is a particular problem of your installation. I have three ideas how to isolate the problem:
-
first, I would try to change to the standard port 443. Just in case it is related to some firewall, etc. problem.
-
second, I would try another operating system than Ubuntu Lucid. It should work of course with Ubuntu, but if it still doesn't work with the other operating system then many things are already ruled out.
-
third, I would try to set-up an apache webserver in front of ELOG. We have it here just for safety reasons. ELOG runs then on some special port and apache connects to it with a reverse proxy.
The latter is a little bit of work (about a day) if you never set-up apache before. Therefore I would try the other two, first.
Good luck!
|
thanks for the fast resonse.
1) port 433 done. No change
2) compiled elog 2.9.0 on Squeeze and only reused the config file. No change: https://daduke.org:8443/
3) we can do that (and we will) no problem, but I'd like to get it working w/o apache nonetheless
speaking of reverse proxy: we'd like to hook elog to our LDAP server. As there's no LDAP binding built in, is there any way to use apache LDAP auth and then bind to that one?[...]
|
Okay, I did run out of ideas. I've never tested Chrome, but IE 8 and konquerer works fine here with SSL for our logbooks, but not for your logbook.
Regarding LDAP: you'll either need to convince Stefan Ritt or do it yourself ;-) Stefan did last year a kerberos binding for me: I was lucky that many other people had already asked for the same thing before me.
⇄
Detect language » English
|
|