Blog: "Invalid Session: (8002)"

Same prob as listed above...the "Error from server: Invalid Session: (8002)" appeared yesterday after the new apple updates came out but before they were installed. Ive tried unbinding/rebinding to AD, restarts of web service/server, repair permissions, and searching the web...almost nothing out there. This box has become key for our students and faculty...

Called Support and got my box working...
Steps that fixed AD authentication issue:
-UnBind
-Disable AD Services
-restart server
-Enable AD services
-Re-Bind (if AD Bind works, wiki/blog authetication should also work)
*Note problem caused by either Safari 3.1 or 10.5.2 security update

I've had the exact same problem about 5 times - I get it resolved and it works for a few weeks then comes back. Different solutions each time too it seems. Sometimes a restart fixes it, another time restarting the teams server worked. Another time unbinding and rebinding did the trick. The last time after I unbound there was no way to rebind - ended up backing things up and reinstalling from scratch, then manually restoring everything again... what a pain.

And now it's happened again. Was working fine last night, not today... I can go into Terminal and do a dscl localhost and browse Active Directory no problem... But I get that #$@#$#@ error from the Wiki server when I try to log in as an AD user. When I tried to unbind I get an error message that it can't contact the Domain controller (which seems strange since I can browse and read info on AD users no problem.).

To be honest I'm getting extremely annoyed with this problem (and the numerous other Leopard server issues I've seen). This release of OS X was definitely not ready. Perhaps 10.5.3 will make things ready for real deployment.

I am also now having this problem and I am running 10.5.3!!! Any help would be appreciated. I will be at the WWDC conference next week. Hopefully, I can get someone there to take a look at it with me.

Has anyone found a solution to this? I just set up my wiki services to use SSL so we could authenticate against our Active Directory server and we are frequently getting this error too. We are running 10.5.5 (9e25) beta and it is still happening.

Add me to the list of people seeing this issue. It is EXTREMELY frustrating as it has happened a half dozen times this year. Essentially I get everything configured and working fine and it runs flawlessly for a period of time (usually a month or two), then suddenly starts doing this (8002 session invalid error with AD users).

I've checked my cleartext authentication setting and it's good, I can use dscl to browse Active directory, I can use kinit to get a kerberos ticket, I can id an AD user to get their group membership info, and I can view AD users in Workgroup Manager.

In the wiki error log when I try to authenticate as an AD user and get the 8002 error, I see the following entry:

------------------------------

2008-09-08 11:11:51-0700 [HTTPChannel,11,127.0.0.1] 127.0.0.1 - - [08/Sep/2008:18:11:51 +0000] "POST / HTTP/1.1" 200 1758 "http://wiki.csf.bc.ca/groups/imagepilote/" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10 54; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.20.1"
2008-09-08 11:12:20-0700 [HTTPChannel,12,127.0.0.1] Unhandled Error
Traceback (most recent call last):
File "/usr/share/caldavd/lib/python/twisted/web/http.py", line 598, in requestReceived
self.process()
File "/usr/share/caldavd/lib/python/twisted/web/server.py", line 150, in process
self.render(resrc)
File "/usr/share/caldavd/lib/python/twisted/web/server.py", line 157, in render
body = resrc.render(self)
File "/usr/share/wikid/lib/python/apple xmlrpcserver/WebAppServer.py", line 70, in render
d = defer.maybeDeferred(function, request, *args)
--- <exception caught here> ---
File "/usr/share/caldavd/lib/python/twisted/internet/defer.py", line 107, in maybeDeferred
result = f(*args, **kw)
File "/usr/share/wikid/lib/python/apple xmlrpcserver/WebAppServer.py", line 91, in xmlrpc_login
session = SessionHandler.sessionHandler.sessionForID(session_id)
File "/usr/share/wikid/lib/python/apple_utilities/SessionHandler.py", line 155, in sessionForID
return self. authProvider.avatarForSession(sessionid)
File "/usr/share/wikid/lib/python/apple_utilities/Authentication.py", line 349, in avatarForSession
return self.sessionFactory.getSession(sessionId)
File "/usr/share/wikid/lib/python/apple_utilities/Authentication.py", line 210, in _func
return f(self, *args, **kwargs)
File "/usr/share/wikid/lib/python/apple_utilities/Authentication.py", line 269, in getSession
raise InvalidSessionError(sessionId)
apple_utilities.Authentication.InvalidSessionError: Invalid Session:

--------------------------------

I just went and unbound from Active Directory, archived OD, demoted OD to standalone, disabled AFP and Web services that were running, restarted the server, rebound to AD, made sure AD kerberos was working, promoted to OD master, imported the OD archive, re-enabled the AFP & Web services, redid the teams cleartext auth configuration, stopped then started teams and still got the same error...

Update, got distracted with another task and when I came back this is working again. But something is definitely odd that this issue keeps reoccurring. One thing I thought may be worth looking into is the whole AD computer password thing - my understanding is that the computer has to change it's AD password on a timed schedule - perhaps when this happens it's breaking things? Anyone know how to test that?

Here's hoping we can either get this figured out or Apple fixes it.

One thing I thought may be worth looking into is the whole AD computer password thing - my understanding is that the computer has to change it's AD password on a timed schedule - perhaps when this happens it's breaking things?

I'm far from an expert on Active Directory, but it's been my experience that when an AD password expires, I have to do an unbind, then a rebind to the AD server. I'm using someone else's AD server so I don't know the details - this is just a step I've gotten accustomed to doing. Hopefully someone with more expertise than I will respond.

You mentioned that you did the unbind/rebind, and things didn't work at first, but later did. My experience is that there is a delay that you can get around by stopping/restarting services:

sudo serveradmin stop teams
sudo serveradmin start teams

I'm noticing that others on this thread are using pre-10.5.3 releases. My experience is that for Leopard things in the AD config really didn't seem to function as they should until 10.5.3.

I hope that someone can respond to this thread with more useful info than I've provided.

As this is an intermittent thing, everything I'm saying here (and everyone else above) could be false, but I thought I'd share this:

1. I'm getting the 8002 thing occasionally, only for AD users - the server's an OD master bound to AD, the wiki group is an OD group containing an AD group.
2. I read in another post that a user reported that he never got the problem from FireFox, so I checked and that is not the case for me - getting it in Saf and FF at the same time
3. However I did try logging in from a different machine, and did not get the 8002 for the same user (so I wonder if the chap in question was using FF on a different machine)
4. once I'd successfully logged on on the other machine, I was again able to login on my own machine.

Some guesswork (from someone who only knows enough to be dangerous): "sessions" are a mix of IP address, some cookie, and the user name, with which the wiki server (tries) to keep track of who's sending it what.

A session can get somehow corrupted (another theory: staying logged in too long, esp. as another user) can cause this. Possibly it's actually some failure to log out properly that means the server's unable to give you a new session.

Once corrupted, you may not be able to log in on that machine again, but logging in on another machine makes the wiki server abandon your last session and start anew.

It's all speculation, but these errors are annoying me and I'm determined to kill them, so I'm going to keep looking. If these ideas help anyone else, all the better

OK, for me, logging in as an OD user (I have "testoduser" created for just this purpose) and then back in as the AD user works every time.

(I also note that an incorrect password nets the 8002 error)

Obviously in an environment where you're having trouble getting people to log in under their own identies, this may create more problems than it fixes, but in our fairly civic-minded wiki culture it's a useable workaround.

Further research: someone should see whether logging in on a different workstation also reliably fixes the problem - in my exhaustive sample of 2 it was 100% sucessful.

PG

Has anyone found a solution to this issue. ou server is at 10.5.5 and this error is cropping up