From: André Warnier (tomcat)
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9
Date: Tue, 3 Sep 2019 10:39:13 +0200
Message-ID: <5D6E26B1.9080205@ice-sa.com>

Hello Heidi.

Thank you for the complete information provided in your post below.
I do not have any experience with the Tomcat SPNEGO Valve per se, but quite a bit of
experience with Windows Integrated Authentication.
To me, the symptoms that you describe below do not really look like a problem at the
Tomcat level, but more like a problem between the browser and the Windows
authentication in general.
See notes and questions in the text below.

On 02.09.2019 12:35, Heidi Leerink - Duverger wrote:
> We have the following problem with connecting from the Tomcat environment 9.024 with
> the Active Directory of Windows, Kerberos database. (win2008 DCs)
>
> In Tomcat's log files, with Tomcat 8, which gives no problems, it is connected to the
> Active Directory.
>
> It indicates that a login attempt is made 3 times whether the person can log in with
> the Active Directory account.
>
> After that the login is accepted and qualified as successful.
>
> In Tomcat 9, different versions tried, also version 9.024, the control of 1 attempt
> becomes visible, which is successful. But then the check is stopped (not 3 times as
> Tomcat 8) and the connection is marked as unsuccessful.
>
> The environment for Tomcat 9 is the same as for Tomcat 8.

Q1: Are you sure that it is *exactly* the same? For example, do the Tomcat 8
installation and the Tomcat 9 installation run on the same server, and is the server
*domain* the same in both cases?

Q2: When "it does not work", does the browser pop up a login dialog?

Reason for the questions:
Typically, a successful Windows authentication consists of indeed 3 exchanges (what
you say happens with Tomcat 8).
The first of these exchanges consists of the browser requesting the original URL.
The server then responds with a 401 response ("need authentication"), in which it
indicates that it wants an authentication of the SPNEGO type.
The browser then normally responds with a 2nd request for the same URL, containing a
partial "Authorization:" header containing some encrypted token.
If the browser does NOT send this 2nd request, it indicates that *the browser refuses*
to do an SPNEGO authentication in this case. And that happens when the browser does
not think that the server "can be trusted" for doing SPNEGO authentication.
The browser will not trust the server if it thinks that the server is not in the same
domain as itself (unless you have manually added this server to the "trusted servers",
at the browser level).

Q2: Usually, when the browser refuses to do a WIA authentication, it tries a Basic
authentication instead, and this login dialog pops up. With Windows authentication,
that is usually the first sign that something is not correct in the browser/server
setup.

Note: I'm not saying that this IS your problem. But it is the first thing to verify,
with WIA authentication.

To see this more clearly, you could try to install on the workstation some software
that allows you to trace the HTTP exchanges between the browser and the server
(example: Fiddler2), and compare what happens with Tomcat 8 and Tomcat 9 (look at the
HTTP headers for request/response).

> Windows 10 PRO
> Oracle database rdbms 11.203
> Apex 4.2.3.008
> Ords2019 - Oracle listener
> ojdbc6.jar
>
> Tried both java versions:
>
> E:\java\jre64b\bin>java -version
> java version "1.8.0_202"
> Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
> Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)
>
> And
>
> E:\java\openjdk\bin>java -version
> openjdk version "11.0.1" 2018-10-16
> OpenJDK Runtime Environment 18.9 (build 11.0.1+13)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)
>
> Tomcat 9.024 directory structure.
> (log files in the attachments)
>
> e:\Tomcat9\
> \Cataline\localhost\apex42a.xml
> +++...+++
>   loginConfigName="APEX42A"
>   />
>   allRolesMode="authOnly"
>   appName="APEX42A"
>   />
> +++...+++
>
> \conf\jaas.conf
> +++...+++
> APEX42A {
>   com.sun.security.auth.module.Krb5LoginModule required
>   doNotPrompt=true
>   principal="HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM"
>   useKeyTab=true
>   keyTab="E:/Decade_appl/Tomcat9/conf/tomcat.keytab"
>   storeKey=true;
> };
> +++...+++
>
> \conf\krb5.ini
> +++...+++
> [libdefaults]
>   default_realm = U4AGR.COM
>   default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>   default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>   permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
>   dns_lookup_kdc = true
>   dns_lookup_relam = false
> [realms]
>   U4AGR.COM = {
>     kdc = u4agr.com
>     default_domain = U4AGR.COM
>   }
> [domain_realm]
>   .u4agr.com= U4AGR.COM
>   u4agr.com= U4AGR.COM
> +++...+++
>
> \conf\tomcat.keytab
> Creation statement for tomcat.keytab:
>
> ktpass /out c:\Temp\tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ
> HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM /pass "D3cad3401" /kvno 0 -ptype KRB5_NT_PRINCIPAL
>
> ktpass /out c:\temp\1c-tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ
> HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM /pass "D3cad3401" -crypto All /kvno 0 -ptype
> KRB5_NT_PRINCIPAL
>
> \webapps\apex42a\WEB-INF\web.xml
> +++...+++
>   Forbidden
>   /oracle/dbtools/jarcl
>
>   APEX42A
>   /*
>
>   *
>
>   SPNEGO
>
>   index.html
>   index.htm
> +++...+++
>
> With kind regards from
>
> Heidi Leerink - Duverger
> Technical Consultant
>
> Unit4
> In business for people.
>
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
>
> T +31 88 247 1444
> E heidi.duverger@unit4.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> ---------------------------------------------------------------------
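The exchange André describes above (a 401 carrying a Negotiate challenge, then a second request for the same URL carrying the token) can be checked mechanically against a trace taken with a tool like Fiddler. The Python script below is an added example, not part of this thread and not Tomcat code; it works on constructed request/response tuples (only the host name is borrowed from the poster's SPN, every header and token is made up) and goes slightly beyond the reply by also recognizing an NTLM token wrapped in Negotiate, which is what a Windows client sends when it could not obtain a Kerberos ticket for the server's SPN.

```python
"""Classify a captured browser/server SPNEGO exchange (the pattern described
in the reply above). Input is a constructed list of (request_headers, status,
response_headers) tuples in capture order, the way you would read them off
a Fiddler session; nothing here talks to a network."""
import base64
import binascii


def header_values(headers, name):
    """Case-insensitive header lookup; a header may be a str or a list of str."""
    out = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            out.extend(value if isinstance(value, list) else [value])
    return out


def classify_authorization(value):
    """Say what kind of credential an Authorization header carries."""
    if not value:
        return "none"
    scheme, _, token = value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return "basic"
    if scheme != "negotiate":
        return "other"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "negotiate-undecodable"
    if raw.startswith(b"NTLMSSP\x00"):
        # NTLM wrapped in Negotiate: the client had no Kerberos ticket for the SPN
        return "negotiate-ntlm"
    if raw[:1] == b"\x60":
        # GSS-API InitialContextToken (DER APPLICATION 0): SPNEGO/Kerberos
        return "negotiate-kerberos"
    return "negotiate-unknown"


def offers_negotiate(status, response_headers):
    """True when the response is a 401 advertising the Negotiate scheme."""
    if status != 401:
        return False
    return any(v.strip().lower().startswith("negotiate")
               for v in header_values(response_headers, "WWW-Authenticate"))


def diagnose(exchanges):
    """Return a short verdict for the handshake, following the reply's reasoning:
    no second request => the browser refused SPNEGO for this server;
    Basic instead => fallback (the login dialog); a Kerberos token that still
    gets 401 => the server side (keytab/principal) rejected it."""
    if not exchanges:
        return "no-traffic"
    _, first_status, first_resp = exchanges[0]
    if not offers_negotiate(first_status, first_resp):
        return "server-did-not-challenge"
    if len(exchanges) < 2:
        return "browser-refused-negotiate"
    second_req, second_status, _ = exchanges[1]
    auth = header_values(second_req, "Authorization")
    kind = classify_authorization(auth[0] if auth else None)
    if kind == "basic":
        return "browser-fell-back-to-basic"
    if kind == "negotiate-ntlm":
        return "browser-sent-ntlm"
    if kind != "negotiate-kerberos":
        return "unexpected-credential:" + kind
    if second_status == 401:
        return "server-rejected-kerberos-token"
    return "success" if second_status < 400 else "failed-after-auth:%d" % second_status


# Constructed sample traces (not captured from the poster's environment).
HOST = "nlsl-decadetst.u4agr.com"        # host name taken from the post's SPN
KRB_TOKEN = base64.b64encode(b"\x60\x82\x01\x00\x06\x06\x2b\x06\x01\x05\x05\x02" + b"\x00" * 8).decode()
NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 8).decode()
CHALLENGE = {"WWW-Authenticate": "Negotiate", "Content-Length": "0"}
PAGE = {"Content-Type": "text/html"}

TRACE_OK = [({"Host": HOST}, 401, CHALLENGE),
            ({"Host": HOST, "Authorization": "Negotiate " + KRB_TOKEN}, 200, PAGE)]
TRACE_REFUSED = [({"Host": HOST}, 401, CHALLENGE)]
TRACE_BASIC = [({"Host": HOST}, 401, CHALLENGE),
               ({"Host": HOST, "Authorization": "Basic " + base64.b64encode(b"heidi:x").decode()}, 401, CHALLENGE)]
TRACE_NTLM = [({"Host": HOST}, 401, CHALLENGE),
              ({"Host": HOST, "Authorization": "Negotiate " + NTLM_TOKEN}, 401, CHALLENGE)]
TRACE_REJECTED = [({"Host": HOST}, 401, CHALLENGE),
                  ({"Host": HOST, "Authorization": "Negotiate " + KRB_TOKEN}, 401, CHALLENGE)]

if __name__ == "__main__":
    for name, trace in [("ok", TRACE_OK), ("refused", TRACE_REFUSED), ("basic", TRACE_BASIC),
                        ("ntlm", TRACE_NTLM), ("rejected", TRACE_REJECTED)]:
        print(name, "->", diagnose(trace))
```

Run directly it prints one verdict per constructed trace. To apply it to a real capture, build the tuples from the request headers, response status and response headers of each round trip in order; the verdict then tells you whether to look at the browser side (refused or fell back to Basic), at ticket acquisition (NTLM instead of Kerberos), or at the Tomcat/keytab side (a Kerberos token that is still answered with 401).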