tomcat-users mailing list archives

From Rainer Jung
Subject Re: Tomcat6+ISAPI+IIS+Integrated Authentication+Large User
Date Sat, 18 Oct 2008 19:19:20 GMT
Scrumpy Jack wrote:
> Hi
> I'm trying to resolve an issue with Integrated Authentication when a user
> with a large Group Membership tries to access a site served by Tomcat via
> IIS ISAPI Redirect.
> For all other users, access is fine. For users with 70+ Windows groups, they
> are failing to be redirected and are getting a 500 error. Basic
> Authentication works fine.
> Tomcat 6
> IIS 6.0 on Windows 2003
> ISAPI 1.2.26 
> 32 bit
> Access to IIS for the same users (i.e. with no ISAPI filter) is fine. We
> have explored various Kerberos package size options in initial
> troubleshooting, but once we realized that IIS alone worked fine, it now
> appears that whatever is being passed to the ISAPI filter via IIS as part of
> the Authentication process is exceeding some buffer. The user is prompted
> for credentials (but shouldn't be) and will fail to get access regardless of
> what is typed. IE classifies site as Internet, when it isn't (And doesn't
> get mistreated for other users - i.e. Shows as Local Intranet and no user
> prompt appears)
> Can anyone point me in the direction of settings that increase buffer (?)
> settings related to Integrated Authentication? Any ideas as to where I
> should focus? (i.e. the ISAPI Filter config end, or Tomcat end?)

If you can easily reproduce on a test system, set log_level to trace and
reproduce with a single request. Then show us your log_file.

It is possible that the information gets forwarded via http headers.
The AJP protocol used between the isapi redirector and Tomcat needs to
send all http headers in a single AJP packet. The default maximum size
of the packet is 8KB. Recent versions of the redirector and of Tomcat
are able to use a higher value. But let's first check if this is
actually the problem you are running into.
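
The single-packet limit described in the reply above can be estimated offline. This is an added example, not part of the original message and not code from the redirector or Tomcat: it builds an AJP13 forward-request packet from a set of request headers and compares its length with the 8KB default. The host names, the address and the Negotiate token lengths are constructed placeholders, and counting the 4-byte packet header against the limit is an assumption.

```python
import struct

AJP_DEFAULT_MAX_PACKET = 8192  # the 8KB default named in the reply

# Request header names that AJP13 sends as a 2-byte code instead of a string.
CODED_HEADERS = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}

def ajp_string(s):
    """AJP string: 2-byte big-endian length, the bytes, one NUL terminator."""
    raw = s.encode("iso-8859-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def forward_request(headers, uri="/app/", method_code=2):
    """Build an AJP13 FORWARD_REQUEST (method code 2 = GET, no attributes)."""
    body = bytes([0x02, method_code]) + ajp_string("HTTP/1.1") + ajp_string(uri)
    # remote_addr, remote_host, server_name: constructed placeholder values
    body += ajp_string("10.0.0.5") + ajp_string("client.example")
    body += ajp_string("intranet.example") + struct.pack(">H", 80) + b"\x00"
    body += struct.pack(">H", len(headers))       # number of headers
    for name, value in headers:
        code = CODED_HEADERS.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    body += b"\xff"                               # request terminator
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def fits(headers, limit=AJP_DEFAULT_MAX_PACKET):
    """Return (packet size, True if all headers fit in one AJP packet)."""
    size = len(forward_request(headers))
    return size, size <= limit

def sample_headers(token_len):
    """Constructed request; the token stands in for a large Negotiate blob."""
    return [("Host", "intranet.example"), ("User-Agent", "Mozilla/4.0"),
            ("Authorization", "Negotiate " + "A" * token_len)]

if __name__ == "__main__":
    for n in (2000, 12000):                       # constructed token lengths
        size, ok = fits(sample_headers(n))
        print(f"token {n:>5} chars -> packet {size:>5} bytes, fits 8KB: {ok}")
```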
