The following is a list of issues and resolutions applicable to the HttpSecurityService.
Kerberos specific issues are described separately in Diagnosing and Fixing Issues with Kerberos.
If the HSS logs the following error:
HttpSecurityService: 10.11.12.13:54321: Authn failure: CHANNEL BINDINGS FAILURE: channel bindings did not match bindings.cert.hash, channel bindings not submitted or bindings.cert.hash was not successfully initialized.
This error is logged when the client did not use HTTPS: the channel bindings are a hash of the TLS / SSL certificate, so a plain HTTP connection has nothing to bind to.
Resolution: Use HTTPS. Even a self-signed certificate is better than nothing. Or, if security is not a concern, disable channel binding with bindings.cert.hash.policy = 0 (note that this also removes the check that detects a relayed or intercepted TLS session, described below).
If clients are using HTTPS, the most likely cause of this error is that the HTTPS certificate has changed (for example, it was renewed or replaced), so the hash stored in bindings.cert.hash no longer matches the certificate the server presents.
Resolution: To fix this issue, run HssSetup on the HSS properties file, select the url) option and re-enter the URL to update the bindings.cert.hash property. Save and exit with the .) option. The HSS should reload the properties file within 5 seconds.
See also: HssSetup bindings.cert.url property option
The less likely cause of this error is that an attacker has compromised the TLS / SSL session.
If the HSS logs the following error:
SPN BINDINGS FAILURE: SPN did not match bindings.targetSpns, SPN not submitted or bindings.targetSpns was not successfully initialized.
This error means that the SPN derived from the hostname (and, where present, the port) of the URL used by the browser or client did not match any of the SPNs composed from the bindings.targetSpns property and the SubjectAltName entries in the HTTPS certificate.
Resolution: Use HssSetup to ensure that the bindings.cert.url and bindings.targetSpns properties are set correctly. If necessary, run HssSetup and select the url) option to re-populate the SPNs.
If clients connect directly to the non-HTTPS port rather than through the HTTPS URL, it may be necessary to add SPNs with port numbers to the bindings.targetSpns property.
For example, if HTTPS is served on port 8443 and non-HTTPS on port 8080, an SPN with port 8080 must be added like:
bindings.cert.url = https://rkyas15.mega.corp:8443
bindings.targetSpns = HTTP/rkyas15.mega.corp,HTTP/rkyas15.mega.corp:8080
Note: The HSS will log the list of SPNs used to check SPN bindings with the first successful authentication after the HSS is initialized.
Set jespa.log.level = 4 and look for the Bindings init success entry like:
Bindings init success: bindingsTargetSpns: [HTTP/rkyas15.mega.corp:8443,HTTP/rkyas15.mega.corp:8080] bindingsCertHash: B065A440F73F84F0B7373D977C3EDE42
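The following script is an added example for this page and is not part of Jespa or the HSS. It parses a constructed HSS log excerpt modelled on the messages quoted above, extracts the SPN list and certificate hash from the Bindings init success entry, counts which clients hit CHANNEL BINDINGS FAILURE and SPN BINDINGS FAILURE, and checks the URLs your users actually type against the logged SPN list. The SPN derivation (HTTP/host, plus HTTP/host:port when the URL carries an explicit port) is an assumption modelled on the examples above, not Jespa's documented algorithm; the log lines are constructed, not captured.

```python
import re
from urllib.parse import urlsplit

# Constructed HSS log excerpt modelled on the messages quoted on this page (not captured output).
SAMPLE_LOG = """\
Bindings init success: bindingsTargetSpns: [HTTP/rkyas15.mega.corp:8443,HTTP/rkyas15.mega.corp:8080] bindingsCertHash: B065A440F73F84F0B7373D977C3EDE42
HttpSecurityService: 10.11.12.13:54321: Authn failure: CHANNEL BINDINGS FAILURE: channel bindings did not match bindings.cert.hash, channel bindings not submitted or bindings.cert.hash was not successfully initialized.
HttpSecurityService: 10.11.12.14:54322: Authn failure: SPN BINDINGS FAILURE: SPN did not match bindings.targetSpns, SPN not submitted or bindings.targetSpns was not successfully initialized.
HttpSecurityService: 10.11.12.13:54323: Authn failure: CHANNEL BINDINGS FAILURE: channel bindings did not match bindings.cert.hash, channel bindings not submitted or bindings.cert.hash was not successfully initialized.
"""

INIT_RE = re.compile(
    r"Bindings init success: bindingsTargetSpns: \[(?P<spns>[^\]]*)\]"
    r" bindingsCertHash: (?P<hash>[0-9A-Fa-f]+)"
)
FAIL_RE = re.compile(
    r"HttpSecurityService: (?P<peer>\S+): Authn failure: "
    r"(?P<kind>CHANNEL BINDINGS FAILURE|SPN BINDINGS FAILURE)"
)


def parse_bindings_init(log_text):
    """Return (target_spns, cert_hash) from the most recent 'Bindings init success'
    entry, or (None, None) if the HSS has not logged one yet."""
    spns, cert_hash = None, None
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            spns = [s.strip() for s in m.group("spns").split(",") if s.strip()]
            cert_hash = m.group("hash").upper()
    return spns, cert_hash


def failures_by_peer(log_text):
    """Map each binding failure kind to the set of client addresses that hit it."""
    out = {"CHANNEL BINDINGS FAILURE": set(), "SPN BINDINGS FAILURE": set()}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            out[m.group("kind")].add(m.group("peer"))
    return out


def spns_for_url(url):
    """SPNs a client may present for a URL. Assumption (modelled on the examples on
    this page, not Jespa's documented algorithm): HTTP/<host>, plus HTTP/<host>:<port>
    when the URL carries an explicit port."""
    u = urlsplit(url)
    if not u.hostname:
        raise ValueError("URL has no hostname: " + url)
    cands = ["HTTP/" + u.hostname]
    if u.port is not None:
        cands.append("HTTP/%s:%d" % (u.hostname, u.port))
    return cands


def spn_binding_ok(url, target_spns):
    """True if any SPN derived from url is in the list the HSS logged.
    Comparison is case-insensitive because SPN host names are not case-sensitive."""
    targets = {s.lower() for s in target_spns}
    return any(c.lower() in targets for c in spns_for_url(url))


def diagnose(log_text, urls):
    """Check each URL clients use against the logged SPN list and summarise the
    failures seen. Returns a list of human-readable findings (empty means clean)."""
    findings = []
    spns, cert_hash = parse_bindings_init(log_text)
    if spns is None:
        findings.append("no 'Bindings init success' entry: set jespa.log.level = 4 and "
                        "trigger one successful authentication")
        return findings
    for url in urls:
        if not spn_binding_ok(url, spns):
            findings.append("%s: none of %s is in the logged SPN list %s; add the missing "
                            "SPN to bindings.targetSpns or fix bindings.cert.url"
                            % (url, spns_for_url(url), spns))
    fails = failures_by_peer(log_text)
    if fails["CHANNEL BINDINGS FAILURE"]:
        findings.append("channel binding failures from %s: confirm those clients use HTTPS "
                        "and that the served certificate still hashes to %s (re-run the "
                        "HssSetup url) option after a certificate change)"
                        % (sorted(fails["CHANNEL BINDINGS FAILURE"]), cert_hash))
    if fails["SPN BINDINGS FAILURE"]:
        findings.append("SPN binding failures from %s: compare the URL those clients use "
                        "against the logged SPN list %s"
                        % (sorted(fails["SPN BINDINGS FAILURE"]), spns))
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG, ["https://rkyas15.mega.corp:8443/", "http://rkyas15.mega.corp:8081/"]):
        print("-", f)
```

Run it against a real HSS log (with jespa.log.level = 4) and the URLs from your browser address bar or load-balancer configuration; a URL that reaches the HSS through a short hostname, an alias not in the certificate's SAN list, or a port that is not in the logged SPN list will show up as a finding before users report it.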
If the application server reports an error like the following:
HTTP ERROR 400 Invalid SNI
URI: https://rkyas15.mega.corp:8443/
STATUS: 400
MESSAGE: Invalid SNI
This error indicates that the supplied URL does not match a SubjectAltName (SAN) entry in the HTTPS certificate.
Resolution: Either use a URL with a hostname that has a SAN entry or update the certificate to include a SAN entry corresponding to the desired URL.
Each unique SPN can be set on at most one account. If HssSetup detects that an SPN being set is already set on a different account, HssSetup will emit an SPN Constraint Violation and prompt the operator to remove it like:
[EXXX] Constraint Violation
The SPN: HTTP/eng15.aero.corp is already set on the account: jespa1$
Remove SPN from account jespa1$? [n] y
Successfully removed conflicting SPN
If the SPN is removed from the other account, Kerberos will stop working for any service still using the other account. Before answering y, confirm that the other account is no longer in use (for example, with setspn -Q HTTP/eng15.aero.corp on a domain-joined Windows host to see which account currently holds the SPN); if it is still in use, answer n and give the new service a different hostname instead.