Spnego Kerberos Authentication gives "Request is a replay (34)" error for Windows 7 users


I have set up Spnego authentication on my Tomcat 7 webapp. It works fine for Ubuntu 14.04 and Windows 10 users. However, all users using Chrome/Firefox/IE get the following error:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))

I am unable to identify the root cause for this. How can I debug this issue, since it is specific to Windows 7 users?

3

There are 3 answers

1
jaya bharat vurla

In my case, this exception was triggered when I worked with Solr. I then made changes to Solrconfig.xml to support Kerberos.

<directoryFactory name="DirectoryFactory" class="solr.HdfsDirectoryFactory">
      <str name="solr.hdfs.home">hdfs://nas.XYZ.lan:8020/user/solr</str>
      <bool name="solr.hdfs.blockcache.enabled">true</bool>
      <int name="solr.hdfs.blockcache.slab.count">1</int>
      <bool name="solr.hdfs.blockcache.direct.memory.allocation">true</bool>
      <int name="solr.hdfs.blockcache.blocksperbank">16384</int>
      <bool name="solr.hdfs.blockcache.read.enabled">true</bool>
      <bool name="solr.hdfs.nrtcachingdirectory.enable">true</bool>
      <int name="solr.hdfs.nrtcachingdirectory.maxmergesizemb">16</int>
      <int name="solr.hdfs.nrtcachingdirectory.maxcachedmb">192</int>
      <bool name="solr.hdfs.security.kerberos.enabled">true</bool>
      <str name="solr.hdfs.security.kerberos.keytabfile">/etc/krb5.keytab</str>
      <str name="solr.hdfs.security.kerberos.principal">solr/[email protected]</str>
  </directoryFactory>

2
Kit

Check whether your server and clients have their clocks synchronized.

0
Chandrasekar S

I got this issue when I passed a token that was generated once and reused the same token in the header.

val tokenLoadedOnce = KrbHttpClient.token
get.addHeader("Authorization", s"Negotiate $tokenLoadedOnce")

Instead, when I generated the token EVERY TIME and added it to the header, this issue was resolved.

get.addHeader("Authorization", s"Negotiate ${KrbHttpClient.token}")
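
The following is an added example, not code from the question or any of the answers: a simplified Python model of the acceptor-side replay cache that produces error 34 when a Negotiate token is reused, alongside the clock-skew check that yields the separate error 37. The class names, principals, timestamps and the 5-minute window are assumptions made for illustration; a real acceptor works on the decrypted authenticator, which carries more fields than shown here.

```python
from dataclasses import dataclass

KRB_AP_ERR_REPEAT = 34            # "Request is a replay"
KRB_AP_ERR_SKEW = 37              # "Clock skew too great"
MAX_SKEW_US = 5 * 60 * 1_000_000  # assumed tolerance: 5 minutes, in microseconds

@dataclass(frozen=True)
class Authenticator:
    """Simplified: only the fields this model uses for replay detection."""
    client: str    # client principal
    server: str    # service principal
    ctime_us: int  # client timestamp (ctime + cusec) in microseconds

class ReplayCache:
    """Acceptor-side cache of authenticators seen inside the skew window."""

    def __init__(self, max_skew_us=MAX_SKEW_US):
        self.max_skew_us = max_skew_us
        self._seen = set()

    def check(self, auth, now_us):
        """Return 0 to accept, otherwise the Kerberos error code."""
        # Entries older than the window can be dropped: a token that old
        # is rejected by the skew check below without needing the cache.
        self._seen = {a for a in self._seen
                      if now_us - a.ctime_us <= self.max_skew_us}
        if abs(now_us - auth.ctime_us) > self.max_skew_us:
            return KRB_AP_ERR_SKEW
        if auth in self._seen:
            return KRB_AP_ERR_REPEAT
        self._seen.add(auth)
        return 0

def demo():
    """Constructed scenario: one cached token versus a token per request."""
    rc = ReplayCache()
    user, spn = "alice@EXAMPLE.TEST", "HTTP/web.example.test@EXAMPLE.TEST"
    t0 = 1_700_000_000_000_000  # constructed server time, microseconds
    sec = 1_000_000
    cached = Authenticator(user, spn, t0)  # generated once, then reused
    return {
        "first_use": rc.check(cached, t0),
        "reused": rc.check(cached, t0 + 2 * sec),
        "fresh": rc.check(Authenticator(user, spn, t0 + 3 * sec), t0 + 3 * sec),
        "stale_reuse": rc.check(cached, t0 + 400 * sec),
    }

if __name__ == "__main__":
    print(demo())
```

In this model a reused token is rejected with 34 while it is still inside the window and with 37 once it has aged out, so caching a token never becomes valid again by waiting.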