tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: SSO fails on Tomcat 9
Date Wed, 04 Sep 2019 09:09:06 GMT

I have just completed the tests and SPNEGO works as expected with both
Tomcat 8.5.x and 9.0.x.

The test environment was as per:

with the following changes:
- Updated the Domain Controller and Tomcat instance with all the latest
  patches from Windows update
- Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
  running under both)
- Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
  9.0.24 (from the tag)

The test environment uses separate CATALINA_HOME / CATALINA_BASE so the
Tomcat instance configuration (CATALINA_BASE) is guaranteed to be
identical while I vary the Tomcat binary (CATALINA_HOME) to use.

It looks like there is something not quite right with the Tomcat 9

You could try adding:

in setenv.bat. That might provide some insight although I've had mixed
experience using that to debug SPNEGO issues in the past.


>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more strict
>> than the Tomcat 8 implementation was...
I haven't found any evidence to support the above conclusion at this
point. All the evidence so far (diff of the relevant code and my own
test environment) points to a configuration difference in your Tomcat 9

You mentioned starting and stopping services. I wondered if the change
of default user from "Local System" to "Local Service" had triggered
this issue but that makes no difference.

Looking at your log files in more detail, I do notice a few things:

The above system property is incorrect. It should be:

It won't impact your environment because it appears to be set to the
default. This affects both Tomcat 8 and Tomcat 9.

The conf\krb5.ini does not specify the keytab file. In the config files
in the Tomcat docs this looks like:
default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab

The debug logs for the authentication processes look very different.
That strongly suggests that the configurations are not the same. I would
concentrate on comparing the configuration of the two systems.
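Added here as an aid for the comparison Mark suggests, and not code from his message or from the Tomcat project: a small Python parser that reads a Windows krb5.ini and reports whether [libdefaults] carries default_keytab_name in the FILE: form shown in the Tomcat docs, so the krb5.ini of two instances can be checked mechanically. The realm name and KDC host in the constructed sample configs are placeholders.

```python
# Constructed sample in the style of the Tomcat docs' krb5.ini (keytab path is the
# docs' example path; realm and KDC host are placeholders).
GOOD_INI = r"""[libdefaults]
default_realm = EXAMPLE.COM
default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab
[realms]
EXAMPLE.COM = {
  kdc = dc.example.com
}
"""

# Constructed sample of the problem described in the thread: no keytab named.
BAD_INI = r"""[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
  kdc = dc.example.com
}
"""

def parse_krb5(text):
    """Return {section: {key: value}} for the flat key = value lines of a
    krb5.ini. Brace-nested blocks (e.g. per-realm settings) are skipped,
    which is enough for inspecting [libdefaults]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        depth += line.count("{")
        if "}" in line:
            depth -= line.count("}")
            continue
        if depth or current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections

def keytab_setting(text):
    """Return (ok, message) describing the default_keytab_name setting."""
    libdefaults = parse_krb5(text).get("libdefaults", {})
    value = libdefaults.get("default_keytab_name")
    if value is None:
        return False, "default_keytab_name missing from [libdefaults]"
    if not value.upper().startswith("FILE:"):
        return False, "default_keytab_name lacks FILE: prefix: " + value
    return True, "keytab: " + value[5:]
```

Run keytab_setting() over the krb5.ini from each instance; a (False, ...) result on one side and (True, ...) on the other pinpoints the difference before comparing the rest of the configuration.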

