Waffle · dblock · Mar 15, 2018 · Mar 15, 2018
diff --git a/Docs/FAQ.md b/Docs/FAQ.md
@@ -16,28 +16,25 @@ General FAQ
 Troubleshooting Stories
 -----------------------
 
-* [UnsatisfiedLinkerError jnadispatch](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=220195): solved by placing JNA jars in the common classloader.
-* [Browser shows BASIC authentication popup](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=221324): solved by re-ordering authenticators.
-* [ClassNotFoundException on Tomcat](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=223416): solved by putting `waffle-tomcat[tomcat version].jar` in `tomcat/lib`.
-* [ClassNotFoundException on JBoss](https://waffle.codeplex.com/discussions/244552): solved by putt JARs in `application.ear/APP-INF/lib`.
+* [UnsatisfiedLinkerError jnadispatch](faq/UnsatisfiedLinkerErrorjnadispatch.md): solved by placing JNA jars in the common classloader.
+* [Browser shows BASIC authentication popup](faq/BasicPopup.md): solved by re-ordering authenticators.
+* [ClassNotFoundException on Tomcat](faq/ClassNotFoundTomcat.md): solved by putting `waffle-tomcat[tomcat version].jar` in `tomcat/lib`.
+* [ClassNotFoundException on JBoss](faq/ClassNotFoundJBoss.md): solved by putting JARs in `application.ear/APP-INF/lib`.
 * [Popup asking for username/password](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=227969): solved by forcing NTLM, Kerberos not working.
-* [Negotiate authentication returns 404 File Not Found](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=223212): solved by creating a missing `401.html`.
-* [Negotiate tries, but keeps failing with 401](https://waffle.codeplex.com/discussions/254748): solved by creating a proper SPN with `setspn`.
-* [Issues specifying AD groups with Spring-security](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=222735): solved by using the fully qualified user/group name.
-* [Tomcat Manager not working under SSO](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=235759): solved by editing `401.jsp`, [external solution](http://code.dblock.org/ShowPost.aspx?id=147).
-* [Password prompt instead of SSO](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=236554): solved by running Tomcat as `LocalSystem`.
-* [Struts application not accepting multipart/form-data](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=236540): solved by removing a legacy security constraint.
-* [Server returns 401 Access Denied with the AP_ERR_MODIFIED error code](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=243106): solved by running server as a service with a domain account.
-* [Failed to create temporary file for jnidispatch library](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=243500): `java.io.IOException`: solved by recreating Tomcat temp dir.
-* [com.sun.jna.platform.win32.Win32Exception](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=244126): the logon attempt failed: solved by enabling Kerberos logging and [KB957097](https://support.microsoft.com/kb/957097).
-* [Cannot find where to enable WAFFLE logging in JBoss](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=244399&ANCHOR#Post560814): solved by locating application's `log4j.xml`.
-* [NTLM fails with an Apache / AJP front-end](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=244329): solved by properly forwarding port number and re-enabling `keep-alive` in Apache `mod_ssl`.
-* [IE6 NTLM fails with an Apache front-end with SSL](https://waffle.codeplex.com/discussions/267605): solved by enabling `keep-alive` in Apache `mod_ssl`.
-* [java.lang.NoClassDefFoundError: org/apache/juli/logging/LogFactory with Jetty and JAAS](https://waffle.codeplex.com/Thread/View.aspx?ThreadId=214211): solved by specifying JAAS realms in Jetty configuration.
-* [HTTP/1.1 400 Bad Request](https://waffle.codeplex.com/discussions/222438): Kerberos ticket was longer than 4K, solved by increasing `maxHttpHeaderSize`.
-* [Negotiate fails with a load-balancer](https://waffle.codeplex.com/discussions/271250): needs some DNS work and a proper SPN.
-* [java.lang.IllegalStateException](https://waffle.codeplex.com/discussions/288877): Cannot create a session after the response has been committed error with Spring Security: resolved by disabling `SessionFixationProtectionFilter`.
-* [Waffle returns service user as remote user](https://waffle.codeplex.com/discussions/346411): fixed by un-saving a user name and password on a local computer.
+* [Negotiate tries, but keeps failing with 401](faq/NegotiateFailsWith401.md): solved by creating a proper SPN with `setspn`.
+* [Issues specifying AD groups with Spring-security](faq/ADGroupsSpringSecurity.md): solved by using the fully qualified user/group name.
+* [Tomcat Manager not working under SSO (External Link)](http://code.dblock.org/ShowPost.aspx?id=147): solved by editing `401.jsp`.
+* [Password prompt instead of SSO](faq/PassPromptInsteadOfSSO.md): solved by running Tomcat as `LocalSystem`.
+* [Struts application not accepting multipart/form-data](faq/NotAcceptingMultipartData.md): solved by removing a legacy security constraint.
+* [Server returns 401 Access Denied with the AP_ERR_MODIFIED error code](faq/AP_ERR_MODIFIED.md): solved by running server as a service with a domain account.
+* [Failed to create temporary file for jnidispatch library](faq/TempFileFailed): `java.io.IOException`: solved by recreating Tomcat temp dir.
+* com.sun.jna.platform.win32.Win32Exception: the logon attempt failed: solved by enabling Kerberos logging and [KB957097](https://support.microsoft.com/kb/957097).
+* [Cannot find where to enable WAFFLE logging in JBoss](faq/JBossLogging.md): solved by locating application's `log4j.xml`.
+* [NTLM fails with an Apache / AJP front-end](faq/AJP.md): solved by properly forwarding port number and re-enabling `keep-alive` in Apache `mod_ssl`.
+* [HTTP/1.1 400 Bad Request](faq/BadRequest.md): Kerberos ticket was longer than 4K, solved by increasing `maxHttpHeaderSize`.
+* [Negotiate fails with a load-balancer](faq/LoadBalancer.md): needs some DNS work and a proper SPN.
+* [java.lang.IllegalStateException](faq/SessionTimeouts.md): Cannot create a session after the response has been committed error with Spring Security: resolved by disabling `SessionFixationProtectionFilter`.
+* [Waffle returns service user as remote user](faq/ServiceUserAsRemoteUser.md): fixed by un-saving a user name and password on a local computer.
 * [Issues with servlet filter on multiple Tomcat 7 Instances Sharing WAFFLE binaries](https://groups.google.com/forum/?fromgroups#!topic/waffle-users/4_K_O7BCn-c): solved by putting filter-mapping in the application's web.xml, also answered by [Tomcat bug 51754](https://issues.apache.org/bugzilla/show_bug.cgi?id=51754#c1).
 * [Waffle returns outdated nonexistent user name after the user name was changed on domain](faq/ClearLSACacheToAvoidOutdatedPrincipalNames.md): solved by clearing the server LSA cache through the Windows registry according to MS Kbase article.
 * [Status 401 (error code 80090308) when using .NET client and HTTP 1.0 protocol](https://groups.google.com/d/msg/waffle-users/Nisu-m19_nI/HLgaNhfBEw4J): solved by using default protocol version in .NET HttpWebRequest
@@ -47,4 +44,4 @@ Troubleshooting Stories
 Troubleshooting Help
 ----------------------
 
-* See [Troubelshooting](https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md)
+* See [Troubleshooting](https://github.com/dblock/waffle/blob/master/Docs/Troubleshooting.md)
diff --git a/Docs/faq/400BadRequest.md b/Docs/faq/400BadRequest.md
@@ -0,0 +1,96 @@
+# HTTP/1.1 400 Bad Request
+
+## Question
+
+I'm using the waffle.servlet.NegotiateSecurityFilter with the following configuration.
+```xml
+<filter>
+    <filter-name>SecurityFilter</filter-name>
+    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
+    <init-param>
+        <param-name>allowGuestLogin</param-name>
+        <param-value>false</param-value>
+    </init-param>
+</filter>
+<filter-mapping>
+    <filter-name>SecurityFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+</filter-mapping>
+```
+In my test scenarios everything worked as expected.
+
+Now I'm using it in a different environment and I'm having some problems. Two different browsers access my application. Client A is authenticated successfully but Client B is not authenticated (Internet Explorer cannot display the webpage"). Because of some restrictions it's not possible to disable the "friendly" http error messages in IE but I suspect that it is HTTP 401.
+
+Client A and Client B are both using Windows XP SP2 with IE6 in the same domain and same logon server.
+
+The logfile shows for Client B (the one which is not working) just the line "authorization required" and nothing more.
+
+The Browser shows for Client A "Local Intranet" and for Client B "Internet". If I deactivate the NegotiateSecurityFilter and the clients logon manually, both Browsers show "Local Intranet".
+
+The next step was, that I reactivated the old jcifs.http.NtlmHttpFilter and the SSO worked sucessfully for both Clients.
+
+Then I changed the waffle filter configuration to the following (first NTLM, second Negotiate):
+
+```xml
+<filter>
+    <filter-name>SecurityFilter</filter-name>
+    <filter-class>waffle.servlet.NegotiateSecurityFilter</filter-class>
+    <init-param>
+        <param-name>allowGuestLogin</param-name>
+        <param-value>false</param-value>
+    </init-param>
+    <init-param>
+        <param-name>waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols</param-name>
+        <param-value>
+        NTLM
+            Negotiate
+        </param-value>
+    </init-param>
+</filter>
+<filter-mapping>
+    <filter-name>SecurityFilter</filter-name>
+    <url-pattern>/*</url-pattern>
+</filter-mapping>
+```
+
+This configuration works fine for Client A and B. Both clients are sucessfully authenticated using waffle.
+
+Any idea what's going on here? Is this configuration the better default configuration?
+
+# Answer
+> It looks like your client B won't do Kerberos, but is happy to do NTLM. This is confirmed with your NtlmHttpFilter that only does that. Client B gets Authorization: Negotiate (and others), then tries to do something with Kerberos, fails and doesn't fall back to NTLM.
+
+> First you should verify the above by looking at the HTTP trace (try IEHttpHeaders). Your client B will make a single request, then do nothing about it.
+
+> I would then check that client B has the exact same security settings. Specifically Tools->Internet Options->Advanced->Security, start with "Enable Integrated Windows Authentication". Then all the other settings.
+
+> Your client B thinks that the server is not in the intranet. What's the URL? Maybe it has saved it as being in the internet zone, try re-adding this server to the Intranet zone and maybe resetting the security zones altogether.
+
+> Then, try wfetch, see http://support.microsoft.com/default.aspx?scid=kb;en-us;284285. It should hopefuly tell you what the client side problem with Kerberos is.
+
+Currently I'm experimenting with Kerberos authentication (value "Negotiate" for the parameter "waffle.servlet.spi.NegotiateSecurityFilterProvider/protocols"). I found this article http://support.microsoft.com/kb/327825/en-us "Problems with Kerberos authentication when users belong to many groups" and I assume it may be the reason for my old problem (Client A works with Kerberos, Client B doesn't). In Tomcat the default maximum size of the request and response HTTP header is 4096 (4 KB). If the Kerberos ticket is larger, it doesn't fit in the header and the authentication fails. So, to workaround this it's necessary the modify the server.xml in Tomcat and add a "maxHttpHeaderSize" attribute to the Connector (e.g. value 32768 for 32 KB or 16384 for 16 KB).
+
+```xml
+<Connector port="8080" protocol="HTTP/1.1" 
+            connectionTimeout="20000" 
+            redirectPort="8443" 
+            maxHttpHeaderSize="32768" />
+```
+
+I just had a case where the Kerberos ticket was 4349 bytes and the authentication failed. The logfile of the Apache Tomcat server ends with the following line:
+
+waffle.servlet.NegotiateSecurityFilter - authorization required
+
+The ieHttpHeaders console on the client in IE shows:
+
+```
+HTTP/1.1 400 Bad Request
+Server: Apache-Coyote/1.1
+Transfer-Encoding: chunked
+Date: Wed, 02 Mar 2011 16:01:12 GMT
+Connection: close
+```
+
+The solution is to increase the maxHttpHeaderSize for the Connector, as I wrote before.
+
+I haven't looked at the NegotiateSecurityFilter source code, but maybe it's possible to show a better error message for this case.
diff --git a/Docs/faq/ADGroupsSpringSecurity.md b/Docs/faq/ADGroupsSpringSecurity.md
@@ -0,0 +1,28 @@
+# Issues specifying AD groups with Spring-security
+----
+
+## Question
+
+Using Waffle (Tomcat/JAAS), how do I limit access to a group. 
+
+Say I have an AD  structure with a group named "LocalDevelopers"
+
+How do I limit access to that group?
+
+## Answer
+
+With a plain security-constraint. Waffle inserts every group name as a "role".
+The group should be pre-fixed with the domain name.
+
+```xml
+<security-constraint>
+    <display-name>Waffle Security Constraint</display-name>
+    <web-resource-collection>
+      <web-resource-name>Protected Area</web-resource-name>
+      <url-pattern>/*</url-pattern>
+    </web-resource-collection>
+    <auth-constraint>
+      <role-name>MyDomain\LocalDevelopers</role-name>
+    </auth-constraint>
+</security-constraint>
+```