Pound symbol as part of password not being accepted

caleb racey caleb.racey at newcastle.ac.uk
Fri Apr 11 05:36:44 EDT 2014


It's likely to be nothing to do with shibboleth and more to do with how you authenticate with your back end directory. Your shibboleth setup is likely a symptom of a wider problem rather than the cause.

You haven't said how you are authenticating to the backend password store (ldap, kerb) or what that store is (Active directory, Novell etc).

We have had this problem in the past when authenticating to our Active Directory password store. We confirmed it was an issue with other authentication methods like mod_auth_kerb. If I remember correctly it is because the "£" sign is a 2 bit character in UTF8 and when that is pushed through some authentication systems (e.g. Kerberos) they break.

We produced a guide for this http://gfivo.ncl.ac.uk/documents/UsingKerberosticketsfortrueSingleSignOn.pdf    
    I think the key was getting the enctypes of the kerberos keytabs and the Kerberos authentication to align and be one that supports £ signs in password (rc4-hmac)


If you are not using Kerberos then ldap may also have the same issue.


Hope this helps

Cal 




>-----Original Message-----
>From: users-bounces at shibboleth.net [mailto:users-
>bounces at shibboleth.net] On Behalf Of John Baker
>Sent: 09 April 2014 14:52
>To: 'Shib Users'
>Subject: RE: Pound symbol as part of password not being accepted
>
>Hi
>
>We had a similar problem with authentication, not Shibboleth, which was
>found to be caused  by our WiFi network  not accepting the £ or $ symbols in
>passwords for passing on for authentication.
>
>John Baker
>
>ICT Operations Manager
>
>Tel: 01472 875000     Ext: 722     Fax: 01472 875019
>
>-----Original Message-----
>From: users-bounces at shibboleth.net [mailto:users-
>bounces at shibboleth.net] On Behalf Of Morris, Andi
>Sent: 09 April 2014 13:47
>To: 'Shib Users'
>Subject: RE: Pound symbol as part of password not being accepted
>
>To bump an old thread, I'm still getting this issue.
>
>I've added " AddDefaultCharset utf-8" to the bottom of my httpd.conf file in
>Apache 2.2.17, and also " URIEncoding="UTF-8"" into the 8080 and 8443
>connectors in TomCat6.0's server.xml.
>
>The server was restarted after the changes were made, however the problem
>is not resolved.
>
>I have found
>https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
>which suggests that I can accept these characters by adding the following to
>my login.jsp and rebuild the package:
><meta http-equiv="content-type" content="text/html; charset=iso-8859-1" >
>
>However, I'm not sure whether this will apply to me, as my
>username/password login handler in handler.xml is commented out, in favour
>of ph:RemoteUser and ph:PreviousSession
>
>    <!-- Login Handlers -->
>    <ph:LoginHandler xsi:type="ph:RemoteUser">
>        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
>    </ph:LoginHandler>
>
>    <!--  Username/password login handler -->
>    <!--
>    <ph:LoginHandler xsi:type="ph:UsernamePassword"
>                  jaasConfigurationLocation="file://C:\Program Files (x86)\shibboleth-idp/conf/login.config">
>        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
>    </ph:LoginHandler>
>    -->
>
>    <!--
>        Removal of this login handler will disable SSO support, that is it will require the user to authenticate
>        on every request.
>    -->
>    <ph:LoginHandler xsi:type="ph:PreviousSession">
>        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession</ph:AuthenticationMethod>
>    </ph:LoginHandler>
>
>Does anyone think that adding this line in to the login.jsp and rebuilding will
>actually help me get rid of this issue?
>
>Cheers,
>Andi
>
>-----Original Message-----
>From: users-bounces at shibboleth.net [mailto:users-
>bounces at shibboleth.net] On Behalf Of Cantor, Scott
>Sent: 26 September 2013 14:53
>To: Shib Users
>Subject: Re: Pound symbol as part of password not being accepted
>
>On 9/26/13 8:48 AM, "Morris, Andi" <amorris at cardiffmet.ac.uk> wrote:
>
>>We've just come across an odd problem here where a user could log into
>>all our remote resources apart from the shibboleth authenticated ones.
>>Upon investigation I could see in the Apache ssl_443_error_log file
>>that the user was being denied access with an "unknown user name or
>>bad password" error. I could see that the username being typed was
>>correct from the same log file, and just on a hunch I decided to change
>>the password of the user from something that contained the £ symbol to
>>something that didn't, and suddenly access was granted.
>>
>>Does anybody know the reason for this, and how I can resolve it?
>
>Not really, but seems like some kind of encoding issue between the browser
>and the web server most likely. You'd have to make sure everything is in sync
>on that, including IIRC some settings on the Tomcat connector to control how
>it handles data coming in.
>
>-- Scott
>
>
>--
>To unsubscribe from this list send an email to users-
>unsubscribe at shibboleth.net
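
The charset mismatch discussed in this thread, as an added example that is not part of any poster's message: it encodes a password the way a browser would under one charset, decodes it the way a server would under another, and reports whether the result still equals the stored password. The function names and the sample password are constructed for illustration; the two charsets are the ones named in the thread (UTF-8 and ISO-8859-1).

```python
from itertools import product

# Charsets mentioned in the thread: UTF-8 (AddDefaultCharset, URIEncoding)
# and ISO-8859-1 (the login.jsp meta tag).
CHARSETS = ("utf-8", "iso-8859-1")


def received_password(typed, browser_charset, server_charset):
    """String the server reconstructs when the browser encodes the form
    field with one charset and the server decodes the bytes with another."""
    wire = typed.encode(browser_charset)
    return wire.decode(server_charset, errors="replace")


def diagnose(typed):
    """Try every browser/server charset pairing and report whether the value
    passed on for authentication still equals what the user typed."""
    results = []
    for browser, server in product(CHARSETS, repeat=2):
        got = received_password(typed, browser, server)
        results.append((browser, server, got, got == typed))
    return results


def at_risk_characters(password):
    """Characters whose byte encoding differs between the two charsets,
    i.e. the ones a mismatch can corrupt. ASCII is identical in both."""
    risky = []
    for ch in password:
        try:
            same = ch.encode("utf-8") == ch.encode("iso-8859-1")
        except UnicodeEncodeError:
            same = False  # not representable in ISO-8859-1 at all
        if not same and ch not in risky:
            risky.append(ch)
    return risky


if __name__ == "__main__":
    sample = "Pa\u00a3sword1"  # constructed sample password containing the pound sign
    print("at risk:", at_risk_characters(sample))
    for browser, server, got, ok in diagnose(sample):
        print(f"browser={browser:<10} server={server:<10} -> {got!r} match={ok}")
```

Only the pairings where both sides agree on the charset return the typed password unchanged; an ASCII-only password matches in every pairing.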

