tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier (tomcat)>
Subject Re: SSO fails on Tomcat 9
Date Fri, 06 Sep 2019 10:14:54 GMT
Hi Heidi.

We have kind of a conundrum here :

- Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) 
authentication under both tomcat8 and tomcat9, using the standard instructions provided in

the respective on-line tomcat documentation pages, and reported that it works in both cases.

- You report that your installation works with tomcat8, but not with tomcat9, and that you

are using the same infrastructure and the same parameters in both cases.
(Someone else also reported a case with problems with tomcat9).

- The description of your problem (and the tomcat9 logfiles) seems to indicate a problem 
with the Kerberos "pre-authentication".
(These lines of the log :

...	 error code is 25
	 error Message is Additional pre-authentication required

And based on my own previous experience with Windows authentication in general (but not 
Kerberos), it is also my impression that your problem is at the Kerberos level, not really

at the tomcat level.
I have looked for "Kerberos Additional pre-authentication required" in the www, and 
despite the fact that I do not really know Kerberos, it seems that the error message above

indicates that your browser and the server cannot even agree between them, to actually 
start exchanging Kerberos tokens (keys) between them, to complete a Kerberos authentication.
(And that may be why you see a single 401 response in your logs, and why SPNEGO 
immediately concludes that the user is not authenticated).

(There are also lines in that logfile, which seem to hint at some DNS (name resolution) 
issue, but that may be a false alarm or a secondary issue).

One way to reconcile the above conflicting information, would be if for example some 
SPNEGO Valve parameter, in your configuration, would be unspecified and defaulting to some

value in your case, and a different value in Mark's case.
(Or vice-versa, that you are specifying a value, and Mark is using the default, and the 
result is not the same.)
Another possibility would be that the available (or default) encryption methods are 
different between tomcat8 and tomcat9 (or between different browsers), and that in your 
case and Mark's, the browser and the server arrive at different encryption choices and 
cannot agree on a common one.

It may be useful for you and Mark to compare in detail, the settings which you use for the

SPNEGO Valve (and/or for encryption ?).

Another very vague (and maybe wrong) suspicion that I would have is based on some questions
- does the tomcat hostname play a role in the Kerberos authentication ?
- if yes, does the SPNEGO Valve obtain this name via some ".getServerName()"-like method,

whose result may be different under tomcat8 and tomcat9 in some circumstances ?

On 05.09.2019 22:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
> I have spent a lot of time comparing both T8 and T9 installations on de
> Sorry but I can't find a major difference in the conf file, apart from differences Tomcat
itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge authenticated
and in Tomcat 9 not authenticated.
> I'm lost now I have no ideas left where to look for differences or how to find a solution
for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcay 9 installation.
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
> T  +31 88 247 1444
> E
> This message and any attachment(s) are intended only for the use of the named recipient
and may contain information that is privileged, confidential or otherwise exempt from disclosure
under applicable law. If you are not the intended recipient, please notify the sender by return
e-mail and delete this message from your system. Do not disclose the contents of this document
to any other persons. Violation of this notice may be unlawful. Please note that internet
communications are not secure and e-mails are susceptible to change. Thank you for your cooperation.
> -----Original Message-----
> From: Mark Thomas []
> Sent: woensdag 4 september 2019 11:09
> To:
> Subject: Re: SSO fails on Tomcat 9
> Heidi,
> I have just completed the tests and SPNEGO works as expected with both Tomcat 8.5.x and
> The test environment was as per:
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest
>    patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
>    running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
>    9.0.24 (from the tag)
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the Tomcat instance
configuration (CATALINA_BASE) is guaranteed to be identical while I vary the Tomcat binary
> It looks like there is something not quite right with the Tomcat 9 configuration.
> You could try adding:
> in setenv.bat. That might provide some insight although I've had mixed experience using
that to debug SPNEGO issues in the past.
> <snip/>
>>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more strict
than the Tomcat 8 implementation was...
> I haven't found any evidence to support the above conclusion at this point. All the evidence
so far (diff of the relevant code and my own test environment) points to a configuration difference
in your Tomcat 9 installation.
> You mentioned starting and stopping services. I wondered if the change of default user
from "Local System" to "Local Service" had triggered this issue but that makes no difference.
> Looking at your log files in more detail, I do notice a few things:
> The above system property is incorrect. It should be:
> It won't impact your environment because it appears to be set to the default. This affects
both Tomcat 8 and Tomcat 9.
> The conf\krb5.ini does not specify the keytab file. In the config files in the Tomcat
docs this looks like:
> default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab
> The debug logs for the authentication processes look very different.
> That strongly suggests that the configurations are not the same. I would concentrated
on comparing the configuration of the two systems.
> Mark
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message