<html><body>Sorry, Notes is playing up, and sent the last before I could type any text! The POST /ipa/session/login_password is successful. but the POST /ipa/session/json and GET /ipa/session/login_kerberos both give 401 unathorized Chris ----- Forwarded by Christopher Lamb/Switzerland/IBM on 02.02.2016 09:46 ----- From: Christopher Lamb/Switzerland/IBM@IBMCH To: Alexander Bokovoy <abokovoy@redhat.com> Cc: freeipa-users@redhat.com Date: 02.02.2016 09:42 Subject: Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired Sent by: freeipa-users-bounces@redhat.com <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> <img src="cid:1__=8FBBF5DEDFA3B3B38f9e8a93df938690918c8FB@" width="1716" height="120"> <img src="cid:2__=8FBBF5DEDFA3B3B38f9e8a93df938690918c8FB@" width="16" height="16" alt="Inactive hide details for Alexander Bokovoy ---02.02.2016 09:32:00---On Tue, 02 Feb 2016, Christopher Lamb wrote: >">Alexander Bokovoy ---02.02.2016 09:32:00---On Tue, 02 Feb 2016, Christopher Lamb wrote: > From: Alexander Bokovoy <abokovoy@redhat.com> To: Christopher Lamb/Switzerland/IBM@IBMCH Cc: Petr Vobornik <pvoborni@redhat.com>, freeipa-users@redhat.com, wodel youchi <wodel.youchi@gmail.com> Date: 02.02.2016 09:32 Subject: Re: [Freeipa-users] [Centos7.2 Freeipa 4.2] browser : your session has expired <hr width="100%" size="2" align="left" noshade> <tt> On Tue, 02 Feb 2016, Christopher Lamb wrote: > >Hi Petr > >I get exactly the same behaviour ever so often. We are running IPA server >4.2.0 15.0.1.el7_2.3, (though we got the same problem with earlier releases >too). > >In my case the laptop running Firefox / FreeIPA WebUI, and the OEL Server >running the IPA server have time within seconds / milliseconds of one >another. The server uses NTPD (and has full missile lock on the NTP pool >servers), and the laptop uses whatever OSX uses to keep time accurate. > >As I only need to use the FreeIPA WebUI rarely (every few months or so) the >exact behaviour is difficult to pin down. It seems to work like this: > >a) I will sometimes have access without the "your session has expired" >error. Typically this is when I have not used FreeIPA for a long time >(months). > >b) then some days later, when I revisit the WebUI, the "your session has >expired" error will crop up. > >c) as I have access to several workstations, each with several browsers >installed (IE, FF, Chrome, Safari etc.), I may get luck and find one that >does not give the error (while the others do). > >Just like the OP, the workstations are not FreeIPA hosts (or servers), and >we use login /pw for the WebUI. Can you hit ctrl+shift+I in Firefox (open development console), select 'Network' tab there, hit reload, and explore the requests/responses there when the error is manifested. Unfortunately, there is no way to copy out the whole traffic but you can at least make screenshots. This approach allows you to see what's happening inside the communication without need to decode SSL traffic in Wireshark. -- / Alexander Bokovoy </tt> <tt>-- Manage your subscription for the Freeipa-users mailing list: </tt><tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></tt><tt> Go to </tt><tt><a href="http://freeipa.org">http://freeipa.org</a></tt><tt> for more info on the project</tt> </body></html>