TQsoft-GmbH / mod_authn_ntlm

Apache 2.4 SSPI NTLM based authentication module for windows

user unknown, reason: cannot generate context #11

Open barbuslex opened 8 years ago

barbuslex commented 8 years ago

Hi,

Sometimes the NTLM authentication stops working (login/password prompt shown to the user) and these errors appear in the Apache error.log:

[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 796] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52659] authentication failure for "/accueil/styles/bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 560] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52658] authentication failure for "/accueil/styles/todc-bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 684] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52634] authentication failure for "/accueil/img/prepand.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 556] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52633] authentication failure for "/accueil/styles/style_header.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 784] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52630] authentication failure for "/accueil/img/chet_bg.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.164606 2015] [auth_ntlm:error] [pid 1492:tid 740] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52628] authentication failure for "/accueil/img/logo_postes.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:52.180206 2015] [auth_ntlm:error] [pid 1492:tid 568] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52646] authentication failure for "/accueil/img/logo_cariatides.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:54.722990 2015] [auth_ntlm:error] [pid 1492:tid 584] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52663] authentication failure for "/accueil/img/logo_pps.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:54.722990 2015] [auth_ntlm:error] [pid 1492:tid 844] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52664] authentication failure for "/accueil/img/logo_cognos.jpg": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:19:54.738590 2015] [auth_ntlm:error] [pid 1492:tid 760] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52661] authentication failure for "/accueil/img/logo_piwik.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.213655 2015] [auth_ntlm:error] [pid 1492:tid 576] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52725] authentication failure for "/accueil/styles/todc-bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.213655 2015] [auth_ntlm:error] [pid 1492:tid 820] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52716] authentication failure for "/accueil/styles/bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.229255 2015] [auth_ntlm:error] [pid 1492:tid 744] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52724] authentication failure for "/accueil/img/logo_webcitrix.jpg": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:21:18.229255 2015] [auth_ntlm:error] [pid 1492:tid 760] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52719] authentication failure for "/accueil/img/logo_office.png": user unknown, reason: cannot generate context, referer: http://*****.com/accueil/
[Mon Dec 07 10:22:27.711209 2015] [fcgid:warn] [pid 1492:tid 760] (OS 10054)Une connexion existante a dû être fermée par l’hôte distant.  : [client 10.0.55.5:4087] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://*****.com/accueil/
[Mon Dec 07 10:25:56.157073 2015] [fcgid:warn] [pid 1492:tid 712] (OS 10054)Une connexion existante a dû être fermée par l’hôte distant.  : [client 10.0.32.52:62076] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://*****.com/glpi/front/tracking.injector.php
[Mon Dec 07 10:26:05.719812 2015] [fcgid:warn] [pid 1492:tid 576] (OS 10054)Une connexion existante a dû être fermée par l’hôte distant.  : [client 10.0.55.5:4106] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://*****.com/annuaire/index.php?pages=blanches&keywords=flipo
[Mon Dec 07 10:26:17.170138 2015] [auth_ntlm:error] [pid 1492:tid 652] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52938] authentication failure for "/annuaire/styles/style_evements.css": user unknown, reason: cannot generate context, referer: http://*****.com/annuaire/index.php?pages=evt
[Mon Dec 07 10:26:17.185738 2015] [auth_ntlm:error] [pid 1492:tid 784] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52932] authentication failure for "/annuaire/img/logo_mini.png": user unknown, reason: cannot generate context, referer: http://*****.com/annuaire/index.php?pages=evt
[Mon Dec 07 10:26:17.185738 2015] [auth_ntlm:error] [pid 1492:tid 660] (OS 87)Paramètre incorrect.  : [client 10.0.8.53:52937] authentication failure for "/annuaire/img/chet_bg.png": user unknown, reason: cannot generate context, referer: http://*****.com/annuaire/index.php?pages=evt

(I have deliberately hidden the domain name.)

When I stop and start the Apache service, the NTLM authentication works again :S (without errors in error.log on the same website pages).

Do you have an idea how to solve my problem?

Thanks

YvesR commented 8 years ago

Hello, sadly I do not know why this is happening. Are you sure you can access your domain controller all the time, as each request in your setup does an NTLM authentication?

JBlond commented 8 years ago

There is a longer thread on SourceForge about it:

https://sourceforge.net/p/mod-auth-sspi/discussion/550583/thread/d39f90de/

Maybe that helps?

CharlieReitzel commented 8 years ago

To summarize the other thread and some of my own experimentation, this appears as a symptom if the NTLM handshake does not complete over a single connection. I have found this happens with PUT and POST requests. Thus, the other issue I logged.

vatsake commented 3 years ago

Any updates? For me it happens occasionally (with specific users).

neongrau commented 3 years ago

This isn't really an issue, as that old thread from the SSPI module says. NTLM needs a handshake that is quite expensive performance-wise.

So it's generally best practice to only use it on an authentication endpoint and use a persisted session for any further connections. Doing authentication on every single request, especially static resources like css and images, is just a bad idea.
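
A triage sketch for the kind of error.log excerpt posted in this thread, added here as an example (it is not code from the mod_authn_ntlm project or from any commenter): it groups the `cannot generate context` failures by client and counts how many distinct source ports (separate TCP connections) they arrived on and how many were for static assets. The sample lines, the `intranet.example` host, the English OS 87 text and the static-extension list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the error.log lines quoted in the issue.
SAMPLE_LOG = """\
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 796] (OS 87)The parameter is incorrect.  : [client 10.0.8.53:52659] authentication failure for "/accueil/styles/bootstrap.min.css": user unknown, reason: cannot generate context, referer: http://intranet.example/accueil/
[Mon Dec 07 10:19:52.149006 2015] [auth_ntlm:error] [pid 1492:tid 560] (OS 87)The parameter is incorrect.  : [client 10.0.8.53:52658] authentication failure for "/accueil/img/logo.png": user unknown, reason: cannot generate context, referer: http://intranet.example/accueil/
[Mon Dec 07 10:19:54.722990 2015] [auth_ntlm:error] [pid 1492:tid 584] (OS 87)The parameter is incorrect.  : [client 10.0.8.53:52663] authentication failure for "/accueil/js/app.js?v=3": user unknown, reason: cannot generate context, referer: http://intranet.example/accueil/
[Mon Dec 07 10:22:27.711209 2015] [fcgid:warn] [pid 1492:tid 760] (OS 10054)Connection reset.  : [client 10.0.55.5:4087] mod_fcgid: ap_pass_brigade failed in handle_request_ipc function, referer: http://intranet.example/accueil/
[Mon Dec 07 10:26:17.170138 2015] [auth_ntlm:error] [pid 1492:tid 652] (OS 87)The parameter is incorrect.  : [client 10.0.8.60:51000] authentication failure for "/annuaire/index.php?pages=evt": user unknown, reason: cannot generate context, referer: http://intranet.example/annuaire/
"""

# Matches only auth_ntlm errors whose reason is "cannot generate context".
LINE_RE = re.compile(
    r'\[auth_ntlm:error\].*?\[client (?P<ip>[\d.]+):(?P<port>\d+)\] '
    r'authentication failure for "(?P<path>[^"]*)": '
    r'user (?P<user>.*?), reason: cannot generate context'
)
# Assumed list of static-asset extensions; adjust for the site being reviewed.
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico")


def summarize(log_text):
    """Group 'cannot generate context' failures by client IP."""
    stats = defaultdict(lambda: {"failures": 0, "ports": set(), "static": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # other modules (e.g. fcgid) and other reasons are skipped
        entry = stats[m["ip"]]
        entry["failures"] += 1
        # A new source port means the request came in on a new TCP connection.
        entry["ports"].add(int(m["port"]))
        # Drop the query string before testing the extension.
        if m["path"].split("?", 1)[0].lower().endswith(STATIC_EXT):
            entry["static"] += 1
    return dict(stats)


if __name__ == "__main__":
    for ip, e in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {e['failures']} failures over {len(e['ports'])} "
              f"connections, {e['static']} for static assets")
```

A client whose failures are spread over as many connections as requests, mostly for CSS and images, matches the pattern the commenters describe: one handshake attempted per static resource.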