Identity Provider: IDP-1402

Failed login when user has multiple group memberships in Kerberos


    Details

    • Operating System:
      Linux
    • Java Version:
      Oracle Java 8
    • Servlet Container:
      Jetty 9.2

      Description

      When a user belongs to multiple Active Directory groups, the login fails with the error "Empty nameStrings not allowed". The error in the logs is as follows:

      WARN [org.opensaml.saml.common.binding.SAMLBindingSupport:93] - Relay state exceeds 80 bytes: https://www.google.com/a/XXXXXXX/ServiceLogin?service=mail&passive=true&rm=false&continue=https%3A%2F%2Fmail.google.com%2Fmail%2F&ss=1&ltmpl=default&ltmplcache=2&emr=1&osid=1
      WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstKerberos:226] - Profile Action ValidateUsernamePasswordAgainstKerberos: Login by XXX.XXXXXXXXX produced unknown exception
      java.lang.IllegalArgumentException: Empty nameStrings not allowed
      at sun.security.krb5.PrincipalName.validateNameStrings(PrincipalName.java:167)


      If I remove some groups in Active Directory, the user can log in without problems, but if I add them back the error returns. I have checked whether I have circular groups but couldn't find any.


      The sweet spot for number of groups seems to be 5 to 8 which is really small.


      What can I do to provide more meaningful information to help correct the error?

            People

            Assignee:
            cantor.2@osu.edu Scott Cantor
            Reporter:
            ricardo_manriquez@unitedid.org ricardo_manriquez@unitedid.org
            Watchers:
            1