SPNEGO – endless redirect loop
Three of our customers environments had problems from time to time with SPNEGO that stopped working.
Stopped working means the user entered the IBM Connections server URL and ended up in an endless loop (changing from /homepage to NoSpnegoRedirect.html page). Only a AppServer restart could solve the issue – until the error hit the server again after 1 or 2 weeks…
Users without enabled SPNEGO or MAC OSX Users did not have any problem with the system.
The Browser changes from (“Connect” to “Redirect to https://CONNECTIONS.SERVER.COM/NoSpnegoRedirect.html?noSPNEGO) looping very quickly:
to:
We were also able to reproduce the issue by accessing the SPNEGO configuration in WAS-ISC or by adding a node to the cell. Really really strange behaviour.
Anyway we had to open a PMR. The following problem was seen in the trace:
[05/05/14 09:31:20:389 CEST] 00000fc9 ContextManage 3 login failed: com.ibm.websphere.security.auth.WSLoginFailedException: org.ietf.jgss.GSSException, major code: 8, minor code: 0 major string: Credential expired minor string: GSSCredential expired, must login again. "GCCCredential expipred, must login again" - creating the loop over and over again.
After some more time, IBM got back with the following APAR for this:
which solved the problem. Furthermore the problem is fixed in WAS 8.0.0.8 which was then installed on the affected IBM Connections environments (you should have CR4 is installed to use WAS 8.0.0.8).
The workaround for thoses who are not able to install the iFix is to disable “Dynamic SPNEGO configuration updates”…. So do not follow the WIKI:
Just leave it disabled 😉
I`m glad that a fix was found quickly