tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier (tomcat) ...@ice-sa.com>
Subject Re: TOMCAT 8.5.15 - on windows 7 server - Password for Service Username disappears
Date Thu, 06 Jul 2017 18:47:29 GMT
On 06.07.2017 18:17, Fau Buitron wrote:
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
> Sent: Thursday, July 06, 2017 12:04 PM
> To: users@tomcat.apache.org
> Subject: Re: TOMCAT 8.5.15 - on windows 7 server - Password for Service Username disappears
>
> Hi.
> On this list, it is preferred/recommended/strongly recommended to respond *below* the
original message, and not to "top post".
> It just makes it easier to follow the normal flow of a conversation.
> See the rules : http://tomcat.apache.org/lists.html#tomcat-users  #6  >
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
>> Sent: Thursday, July 06, 2017 11:35 AM
>> To: users@tomcat.apache.org
>> Subject: Re: TOMCAT 8.5.15 - on windows 7 server - Password for
>> Service Username disappears
>>
>> On 06.07.2017 17:13, Fau Buitron wrote:
>>> Hi All,
>>>
>>>        I am running TOMCAT 8.5.15 on a Windows 7 server with SP1. Although it
is not consistent, the password value for the specific username used to run the TOMCAT service
disappears when the service is stop and started again. The starting of the service fails because
the value of the password disappears.
>>>
>>>        Once the password value is re-entered with the password value, the TOMCAT
service starts without any issues, has anyone encountered this issue?
>>>
>>>         I look forward to your response.
>>>
>>>
>>
>> Hi.
>> I have never seen the behaviour which you describe above, although I regularly run
Tomcat as a Service on Windows systems, in multiple customer networks.
>> First, maybe something which you should read :
>> https://wiki.apache.org/tomcat/FAQ/Windows#Q11
>>
>> In a way, this explains why the Tomcat code itself is very unlikely to contain anything
which would modify this Windows user's password. (If anything, it would be the "wrapper"
>> program described in that article.)
>>
>> My guess would be at this point : if the user-id in question is a Windows Domain
user-id, then mybe some Windows network policy is the cause of this password reset.
>> Ask your Windows network sysadmins.
>>
>> Hope this helps.
>>
> On 06.07.2017 17:48, Fau Buitron wrote:
>> Hi Andre,
>>
>>    Thank you for your response and feedback. I had reached out to our windows support
group only to be told that it must be caused by the third party product.
>> What's worse is that all installations of TOMCAT (Stage and Production) encounter
the same behavior when the service itself it stopped.
>>
>>    I was reaching out to the TOMCAT user community in the event that
>> there might be a permission that needs to be granted to a file in which the service
account Username and password might need to be entered.
>>
>>    So I am once again at square one, however, I will follow your suggestion and reach
out to the networking group to see if they can shed light on this situation.
>>
>> Thank you.
>>
>> Fau
>>
>
> Another suggestion : if you have read the article to which I pointed you, you will see
that the "wrapper" program which actually runs the JVM which runs Tomcat, actually stores
its parameters in the Windows Registry.
> It is the same for the userid/password which you enter in the service description.
> So maybe it is not an issue linked to Tomcat per se, but instead due to the fact that
by entering this password, you are modifying the Registry.
> And perhaps there is some network script which regularly removes such changes, when made
by a user who does not have the correct permissions to do so ?
> It may thus be that it is not the Tomcat start/stop per se which resets this password,
but that this happens asynchronously, and that you just notice it when you are trying to restart
Tomcat.
>
> You could try the following experiment :
> - set the password for that user, start Tomcat as usual, and leave it running
> - then, after a suitable pause, try to login to that same workstation, as this Tomcat
user, using the same password which you set.
> If it does not work, then you know that it has nothing to do with stopping Tomcat.
>
> Hi Andre,
>
>     The experiment that you described is exactly what is occurring, except it is not
a TOMCAT user, as it is the actual username and password which is used to run the TOMCAT service
itself.

Yes, that is what I meant. I meant "use the user-id/password that you have configured for

the Tomcat Service, to actually try to login (interactively) to Windows on that machine."

> The TOMCAT service runs, but if the TOMCAT service is stopped (does not occur at all
instances), the password field for the user is no longer present
and needs to be re-entered. I could do
> a search within the registry, however the value for the password will more like be encrypted,
as it appears within the password field of the service logon tab, so is the value of the password
really present?

Indeed it may not be, if this is a domain user, as you seem to indicate below.
Which triggers another question : can you not define a local user on this machine, and use

that one to run Tomcat ? Or, can you not use the default Services user, which is normally

"LocalSystem" or similar ?
(The only reason why you may be forced to use an AD domain user, would be if some 
application running within Tomcat, needs access to some non-local Windows domain resource).

The point of all this is to try to narrow down as much as possible the circumstances under

which this happens (vs does not happen), since the code of Tomcat itself is certainly not

resetting the password of the user-id under which that service is running.

> I am reaching out to the security group to determine if the AD username has similar properties
as other service account username/passwords.
> Thank you for your assistance and response.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message