Authentication failed with my Password/SPNEGO MFA configuration

Wessel, Keith kwessel at
Wed Nov 13 10:42:12 EST 2019

Thanks, Scott. I actually didn't want to run SPNEGO outside of MFA at all, but I couldn't get the flow to show up as a button on my login.vm without enabling the flow in

Is there a way to get it to show up as an extended flow listed in the password authn config without also listing it as an active flow?

Regardless, we still do need it as part of our MFA flow as we don't want folks getting in on SPNEGO alone without Duo. It sounds like I hope no hope of that until this bug is addressed. Is that correct?


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Wednesday, November 13, 2019 9:35 AM
To: Shib Users <users at>
Subject: Re: Authentication failed with my Password/SPNEGO MFA configuration

On 11/13/19, 10:25 AM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:

> But...if you wanted to keep it all inside MFA (and you'd need to stop 
> enabling SPNEGO by itself to do that), the bug fix I think you would need is to insert a scripting step that handles the failure from SPNEGO and overwrites a field to clear it.

Actually, I don't think that will work around it, I think the bug runs deeper and the event it's returning is probably an actual event from elsewhere in the state of the request, not that particular slot.

I'll file a bug but I'll have to come up with some reproduction strategy for it to be sure I'm understanding what's wrong.

-- Scott

For Consortium Member technical support, see
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list