[Freeipa-users] Web ui error “Your session has expired. Please re-login.” from a browser on a remote client.

Petr Vobornik pvoborni at redhat.com
Thu Apr 30 10:52:03 UTC 2015 

On 04/25/2015 02:58 AM, Christopher Lamb wrote:
>
> Hi All
>
> I too am suffering from the infamous Web ui error “Your session has
> expired. Please re-login.” using from browser(s) on  remote client(s),
> similar to the existing tickets:
>
> https://www.redhat.com/archives/freeipa-users/2015-March/msg00211.html
> https://www.redhat.com/archives/freeipa-users/2015-February/msg00315.html
> https://www.redhat.com/archives/freeipa-users/2015-April/msg00047.html
>
> We have 2 FreeIPA installations:
> An “Old”, soon to be decommissioned v3.0.0, on OEL 6.5
> The “new” instance, v4.1.0, on a fresh install of OEL 7.0
>
> The error occurs on both instances.
>
> I get the error from OSX and Windows clients (Firefox, Chrome, Safar,i IE
> etc)
> Very sporadically one of the above browsers will “let me in” - If I cycle
> through all the browsers on various workstations / laptops on my desk
> somtimes I get lucky and one will work.
>
> kinit in a ssh session works.
>
> SELinux is disabled.
>
> All IPA Services are running.
>
> I can find no error(s) in /var/log/httpd/error_log
>
> In /var/log/krb5kdc.log I get entries like:
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xx.com krb5kdc[1933](info): TGS_REQ (6
> etypes {18 17 16 23 25 26}) 9.159.8.200: ISSUE: authtime 1429921064, etypes
> {rep=18 tkt=18 ses=18}, yyy at XXX-XX.XX.XX.COM for
> HTTP/bsc-ldap2.xxx-xx.xx.xxx.com at XXX-XX.XX.XXX.COM
> Apr 25 02:17:44 ldap2.xxx-xx.xx.xxx.com krb5kdc[1933](info): closing down
> fd 12
>
> If I enter a wrong password, I correctly get “The password or username you
> entered is incorrect. “, +  errors in /var/log/httpd/error_log
>
> None of the browsers have a krb5 ticket installed.
>
> I get the error with both my user, and the default admin user.
>
>>From the same browsers I can successfully access the Web UI of the public
> demo on https://ipa.demo1.freeipa.org/ipa/ui/
>

Do the machines with browsers have synchronized time with IPA servers?

If a client machine with browser is 20min+ in a future compared to IPA 
server, the browser will treat ipa_session cookie as expired because its 
validity is auth_time + 20 min.

Could you enable server debug logging [1] and send me entries from 
httpd/error_log and krb5kdc.log which were added upon Web UI forms-based 
auth with correct username and password?

[1] 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/server-config.html#server-debug
-- 
Petr Vobornik

More information about the Freeipa-users mailing list