This question about LDAP: Asked
logging SSO fallback
I'm trying to set up a Foswiki, with LdapContrib doing Single Sign On. It keeps falling back to the normal login, which works like it should with the credentials of an LDAP user.
I can see in the logfiles it falls back to the normal login, but not WHY it does this. Of course I have set the Debug setting to 1.
Is there any way to get more information about what it tries to use as SSO 'credentials'?
The Ldap section of Localsite.cfg:
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindDN} = 'cn=ldap,ou=users,dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindPassword} = 'stupidpassword';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest,
ProjectContributor,
RegistrationAgent,
UnknownUser,
AdminGroup,
NobodyGroup,
AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{GroupBase} = [
'ou=groups,dc=company,dc=local'
];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = 'domaincontroller1.company.local';
$Foswiki::cfg{Ldap}{IPv6} = 0;
$Foswiki::cfg{Ldap}{IgnorePrivateGroups} = 1;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/httpd/conf.d/wiki-http.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '86400';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteLoginNames} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
'^(.*)@.*$' => '$1'
};
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{UserBase} = [
'ou=users,dc=company,dc=local'
];
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';
--
JanJurkus - 06 Jun 2016
I do have the same problem. Ldap Auth against AD is working properly. But not the SSO side of things. Did you find a solution yet?
What's your webserver log telling about SSO? I can see KerberosLogin messages in my webserver log but then falling back to LdapAuth. But I don't see the reason why it falls back.
As per my understanding the browser will have an auth token from the authenticated computer. This is offered as a session to Foswiki. Then LdapContrib should take this information and validate against AD if the token is still ok. In case it is, the auth should proceed and log in the user.
I'm a bit puzzled as I don't see useful error messages how to continue troubleshooting. Any thoughts are appreciated.
Thanks
--
SebastianWaitz - 20 Sep 2017
No, I haven't found a solution, so I moved on...
--
JanJurkus - 30 Aug 2018
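An added example, not part of the thread and not LdapContrib code: one way to see what the browser actually offers as SSO 'credentials' is to take the `Authorization` request header it sends (HTTP Negotiate, RFC 4559) and classify the token it carries. The function name, labels and sample headers below are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs found inside GSS-API tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_MAGIC = b"NTLMSSP\x00"


def classify_negotiate(header_value):
    """Return a label for the value of an HTTP Authorization header."""
    if not header_value:
        return "none"                 # browser offered no credentials at all
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"        # e.g. Basic: no SSO attempt
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if token.startswith(NTLM_MAGIC):
        return "ntlm"                 # raw NTLM, no Kerberos ticket was sent
    if len(token) < 2 or token[0] != 0x60:
        return "malformed"            # not a GSS-API InitialContextToken
    # Skip the DER length: 1 byte in short form, 1 + n bytes in long form.
    offset = 2 if token[1] < 0x80 else 2 + (token[1] & 0x7F)
    mech = token[offset:]
    if mech.startswith(KRB5_OID):
        return "kerberos"
    if mech.startswith(SPNEGO_OID):
        if KRB5_OID in mech:
            return "spnego-kerberos"  # Kerberos is among the offered mechanisms
        if NTLM_MAGIC in mech:
            return "spnego-ntlm"
        return "spnego-other"
    return "gss-unknown"


def _hdr(raw):
    """Build a Negotiate header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample headers (not captured from any real system).
SAMPLES = {
    "ntlm": _hdr(NTLM_MAGIC + bytes.fromhex("0100000007820000")),
    "spnego-kerberos": _hdr(bytes.fromhex("601b") + SPNEGO_OID
                            + bytes.fromhex("a011300fa00d300b") + KRB5_OID),
    "not-negotiate": "Basic dXNlcjpwYXNz",
    "none": "",
}

if __name__ == "__main__":
    for expected, value in SAMPLES.items():
        print(expected, "->", classify_negotiate(value))
```

The header value can be read in the browser's developer tools on the request that follows the server's 401 response. A result of `none` or `ntlm` means the browser presented no Kerberos ticket, so there is nothing for the server side to validate.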