From Heidi Leerink - Duverger <heidi.duver...@unit4.com>
Subject RE: SSO fails on Tomcat 9
Date Fri, 06 Sep 2019 12:20:53 GMT
Hello Mark,

That helps somewhat: my browser now shows the login page for our application, BUT I do not
get my username in the HTTP variable REMOTE_USER but the keytab-related principal name.

So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM

To be complete, this is the keytab creation statement issued by our AD admin:

ktpass /out c:\Temp\tomcat.keytab /mapuser DECADE_SSO_TC@U4AGR.COM /princ HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM
/pass "<passwd>" /kvno 0 -ptype KRB5_NT_PRINCIPAL

Kind regards,
Heidi Leerink - Duverger
Technical Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duverger@unit4.com
This message and any attachment(s) are intended only for the use of the named recipient and
may contain information that is privileged, confidential or otherwise exempt from disclosure
under applicable law. If you are not the intended recipient, please notify the sender by return
e-mail and delete this message from your system. Do not disclose the contents of this document
to any other persons. Violation of this notice may be unlawful. Please note that internet
communications are not secure and e-mails are susceptible to change. Thank you for your cooperation.

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Friday 6 September 2019 11:55
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

On 05/09/2019 21:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
> 
> I have spent a lot of time comparing both T8 and T9 installations on the nsl-decadetst.u4agr.com
> PC.
> Sorry but I can't find a major difference in the conf file, apart from differences Tomcat
> itself came with in the conf files.
> The stdout is mainly the same and the stderr shows hduverge authenticated in Tomcat 8
> and not authenticated in Tomcat 9.
> I'm lost now; I have no ideas left where to look for differences or how to find a solution
> for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

I took another look and I think the issue is with the JAASRealm configuration rather than
with SPNEGO.

I think you have been caught out by this change:
https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

Try adding:

userClassNames="javax.security.auth.kerberos.KerberosPrincipal"

to your JAASRealm configuration in apex42a.xml

Mark


> 
> 
> -----Original Message-----
> From: Mark Thomas [mailto:markt@apache.org]
> Sent: Wednesday 4 September 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
> 
> Heidi,
> 
> I have just completed the tests and SPNEGO works as expected with both Tomcat 8.5.x and
> 9.0.x.
> 
> The test environment was as per:
> http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html
> 
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest
>   patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
>   running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
>   9.0.24 (from the tag)
> 
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the Tomcat instance
> configuration (CATALINA_BASE) is guaranteed to be identical while I vary the Tomcat binary
> (CATALINA_HOME) to use.
> 
> 
> It looks like there is something not quite right with the Tomcat 9 configuration.
> 
> You could try adding:
> 
> -Dsun.security.spnego.debug=true
> 
> in setenv.bat. That might provide some insight although I've had mixed experience using
> that to debug SPNEGO issues in the past.
> 
> <snip/>
> 
>>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more strict
>>> than the Tomcat 8 implementation was...
> I haven't found any evidence to support the above conclusion at this point. All the evidence
> so far (diff of the relevant code and my own test environment) points to a configuration difference
> in your Tomcat 9 installation.
> 
> You mentioned starting and stopping services. I wondered if the change of default user
> from "Local System" to "Local Service" had triggered this issue but that makes no difference.
> 
> Looking at your log files in more detail, I do notice a few things:
> 
> -Djava.security.krb5.ini=...
> 
> The above system property is incorrect. It should be:
> 
> -Djava.security.krb5.conf=...
> 
> It won't impact your environment because it appears to be set to the default. This affects
> both Tomcat 8 and Tomcat 9.
> 
> The conf\krb5.ini does not specify the keytab file. In the config files in the Tomcat
> docs this looks like:
> default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab
> 
> The debug logs for the authentication processes look very different.
> That strongly suggests that the configurations are not the same. I would concentrate
> on comparing the configuration of the two systems.
> 
> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 
> 






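An added diagnostic check for the symptom Heidi reports at the top of the thread (REMOTE_USER carrying the keytab's HTTP/... service principal instead of the user name). This is example code, not from the thread or from Tomcat; the ktpass line and principal strings are the ones quoted in the mails, and the realm-spelling check and the userClassNames hint are my assumptions about what to look at first.

```python
import re
from typing import Optional

# Constructed from the ktpass statement quoted in the thread (password redacted there too).
KTPASS = ('ktpass /out c:\\Temp\\tomcat.keytab /mapuser DECADE_SSO_TC@U4AGR.COM '
          '/princ HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM /pass "<passwd>" '
          '/kvno 0 -ptype KRB5_NT_PRINCIPAL')

# primary[/instance]@REALM: a user principal has no instance, a service principal (SPN) does.
PRINCIPAL_RE = re.compile(r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


def parse_principal(name: str) -> Optional[dict]:
    """Split a Kerberos principal into primary/instance/realm; None if malformed."""
    m = PRINCIPAL_RE.match(name.strip())
    return m.groupdict() if m else None


def ktpass_principals(cmd: str) -> dict:
    """Extract the /princ (SPN) and /mapuser (AD account) values from a ktpass command line."""
    toks = cmd.split()
    return {t[1:].lower(): toks[i + 1]
            for i, t in enumerate(toks[:-1])
            if t.lower() in ("/princ", "/mapuser")}


def diagnose(remote_user: str, ktpass_cmd: str) -> list:
    """Compare what the application saw in REMOTE_USER with the SPN the keytab was built for."""
    findings = []
    ru = parse_principal(remote_user)
    spn = parse_principal(ktpass_principals(ktpass_cmd).get("princ", ""))
    if ru is None:
        # A bare name means the realm was already stripped: nothing to compare against.
        return findings
    if ru["instance"] is not None:
        findings.append("REMOTE_USER is a service principal, not a user; check which Principal "
                        "class the Realm is told to treat as the user (userClassNames)")
    if spn and (spn["primary"], spn["instance"]) == (ru["primary"], ru["instance"]):
        findings.append("REMOTE_USER equals the keytab SPN: the server's own identity "
                        "ended up in the session")
    if not re.fullmatch(r"[A-Z0-9.-]+", ru["realm"]):
        findings.append(f"realm {ru['realm']!r} has unexpected characters (typo in krb5.ini or keytab?)")
    return findings
```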