I just added Traefik to a project that I'm working on, and when I try to log in I get a 401 Unauthorized. The authentication process was working fine before.
The authentication is an SSO based on SPNEGO, Kerberos and LDAP.
In the login service, I logged the header parameters that I receive in the request:
host<=>serverB:7012
user-agent<=>Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
accept<=>application/json, text/plain, */*
accept-encoding<=>gzip, deflate, br
accept-language<=>fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,ar;q=0.6
cache-control<=>no-cache
expires<=>Sat, 01 Jan 2000 00:00:00 GMT
origin<=>https://serverA:8780
pragma<=>no-cache
referer<=>https://serverA:8780/
sec-ch-ua<=>"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
sec-ch-ua-mobile<=>?0
sec-ch-ua-platform<=>"Windows"
sec-fetch-dest<=>empty
sec-fetch-mode<=>cors
sec-fetch-site<=>cross-site
x-b3-flags<=>0
x-b3-parentspanid<=>5b4839cd01e98d27
x-b3-sampled<=>true
x-b3-spanid<=>1e2966464c9de98d
x-b3-traceid<=>5ebea177a90c149f985d142fd4065369
x-forwarded-for<=>10.19.48.61
x-forwarded-host<=>serverB:7012
x-forwarded-port<=>7012
x-forwarded-proto<=>https
x-forwarded-server<=>serverB
x-real-ip<=>x.x.x.x // clientHostIp
From Chrome I have:
- Request header:
Access-Control-Allow-Credentials:true
Access-Control-Allow-Origin:https://serverA:8780
Access-Control-Expose-Headers:Content-type, Authorization
Cache-Control:no-cache, no-store, max-age=0, must-revalidate
Content-Length:150
Content-Type:application/json;charset=UTF-8
Date:Tue, 18 Jul 2023 12:04:08 GMT
Expires:0
Pragma:no-cache
Strict-Transport-Security:max-age=31536000 ; includeSubDomains
Vary:Access-Control-Request-Headers
Vary:Access-Control-Request-Method
Vary:Origin
Www-Authenticate:Negotiate
X-Content-Type-Options:nosniff
X-Frame-Options:DENY
X-Xss-Protection:1; mode=block
- Response header:
:Authority:serverB:7012
:Method:GET
:Path:/Auth/security/login
:Scheme:https
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate, br
Accept-Language:fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7,ar;q=0.6
Cache-Control:no-cache
Expires:Sat, 01 Jan 2000 00:00:00 GMT
Origin:https://serverA:8780
Pragma:no-cache
Referer:https://serverA:8780/
Sec-Ch-Ua:"Not.A/Brand";v="8", "Chromium";v="114", "Google Chrome";v="114"
Sec-Ch-Ua-Mobile:?0
Sec-Ch-Ua-Platform:"Windows"
Sec-Fetch-Dest:empty
Sec-Fetch-Mode:cors
Sec-Fetch-Site:cross-site
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
My TOML file:
logLevel = "DEBUG"
[traefikLog]
filePath = "/xxx/binaries/traefik/logs/traefik.log"
[accessLog]
filePath = "/xxx/binaries/traefik/logs/access.log"
defaultEntryPoints = ["http"]
[entryPoints]
[entryPoints.http]
address = ":7012"
[entryPoints.http.tls]
[[entryPoints.http.tls.certificates]]
certFile = "path-to-crt-file/traefik.crt"
keyFile = "path-to-key-file/traefik.key"
[entryPoints.admin]
address = "serverB:8081"
[entryPoints.admin.auth]
[entryPoints.admin.auth.basic]
users = ["admin:{SHA}0y9IVHbX4ddz5zd4z5I="]
[entryPoints.ping]
address = "serverB:8082"
[api]
entrypoint="admin"
[api.statistics]
RecentErrors = 10
[ping]
entryPoint = "ping"
[consulCatalog]
endpoint = "xx.xx.xx.xx:8500"
watch = true
prefix = "traefik"
[tracing]
backend = "zipkin"
serviceName = "traefik"
[tracing.zipkin]
httpEndpoint = "http://server:9411/api/v1/spans"
debug = false
Also, I have this error in the Auth service logs:
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Mon Jul 17 17:29:45 CEST 2023 1689607785000
suSec is 379445
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/xxx@xx
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
Authentication is still working fine when I call the service directly without going through Traefik.
Should I use forwardAuth, or are there some things messing with the Traefik config?
Thank you for your help and time.
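
An added example, not part of the original post: it parses the `name<=>value` dump that the login service logs and reports whether a Negotiate token reached the service and what kind it is. The function names and the two token samples are constructed for illustration; the host comparison assumes the service's keytab holds an `HTTP/<host>` principal.

```python
import base64

def parse_header_dump(text):
    """Parse 'name<=>value' lines, as logged by the login service, into a dict."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition("<=>")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify_negotiate(headers):
    """Return (state, detail) for the SPNEGO state of one logged request."""
    auth = headers.get("authorization")
    if auth is None:
        return ("no-token", "no Authorization header reached the service")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "negotiate":
        return ("other-scheme", f"scheme is {scheme!r}, not Negotiate")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("malformed", "token is not valid base64")
    if raw.startswith(b"NTLMSSP\x00"):
        return ("ntlm", "client sent an NTLM message, not a Kerberos ticket")
    if raw[:1] == b"\x60":  # ASN.1 [APPLICATION 0]: GSS-API initial token
        return ("gss", "GSS-API token (SPNEGO/Kerberos) was forwarded")
    return ("unknown", "unrecognised token format")

def requested_host(headers):
    """Host the browser addressed; compare it with the service's HTTP/<host> principal."""
    host = headers.get("x-forwarded-host") or headers.get("host", "")
    return host.rsplit(":", 1)[0]

# Subset of the dump from the post (no authorization line was logged).
FROM_POST = "host<=>serverB:7012\nsec-fetch-mode<=>cors\nx-forwarded-host<=>serverB:7012"
# Constructed samples: truncated tokens, only the leading bytes are meaningful.
WITH_GSS = FROM_POST + "\nauthorization<=>Negotiate YIIBAA=="
WITH_NTLM = FROM_POST + "\nauthorization<=>Negotiate TlRMTVNTUAA="

if __name__ == "__main__":
    for label, dump in [("post", FROM_POST), ("gss", WITH_GSS), ("ntlm", WITH_NTLM)]:
        h = parse_header_dump(dump)
        print(label, requested_host(h), *classify_negotiate(h))
```

Running the same check on a dump taken with and without Traefik in the path shows whether the token is absent on both routes or only on the proxied one.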