tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject Re: SSO fails on Tomcat 9
Date Wed, 04 Sep 2019 09:09:06 GMT
Heidi,

I have just completed the tests and SPNEGO works as expected with both
Tomcat 8.5.x and 9.0.x.

The test environment was as per:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

with the following changes:
- Updated the Domain Controller and Tomcat instance with all the latest
  patches from Windows update
- Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
  running under both)
- Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
  9.0.24 (from the tag)

The test environment uses separate CATALINA_HOME / CATALINA_BASE so the
Tomcat instance configuration (CATALINA_BASE) is guaranteed to be
identical while I vary the Tomcat binary (CATALINA_HOME) to use.


It looks like there is something not quite right with the Tomcat 9
configuration.

You could try adding:

-Dsun.security.spnego.debug=true

in setenv.bat. That might provide some insight although I've had mixed
experience using that to debug SPNEGO issues in the past.

<snip/>

>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more strict
than the Tomcat 8 implementation was...
I haven't found any evidence to support the above conclusion at this
point. All the evidence so far (diff of the relevant code and my own
test environment) points to a configuration difference in your Tomcat 9
installation.

You mentioned starting and stopping services. I wondered if the change
of default user from "Local System" to "Local Service" had triggered
this issue but that makes no difference.

Looking at your log files in more detail, I do notice a few things:

-Djava.security.krb5.ini=...

The above system property is incorrect. It should be:

-Djava.security.krb5.conf=...

It won't impact your environment because it appears to be set to the
default. This affects both Tomcat 8 and Tomcat 9.

The conf\krb5.ini does not specify the keytab file. In the config files
in the Tomcat docs this looks like:
default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab

The debug logs for the authentication processes look very different.
That strongly suggests that the configurations are not the same. I would
concentrated on comparing the configuration of the two systems.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message