Heidi, I have just completed the tests and SPNEGO works as expected with both Tomcat 8.5.x and 9.0.x.
The test environment was as per: http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html with the following changes:

- Updated the Domain Controller and Tomcat instance with all the latest patches from Windows update
- Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat running under both)
- Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing), 9.0.24 (from the tag)

The test environment uses separate CATALINA_HOME / CATALINA_BASE so the Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical while I vary the Tomcat binary (CATALINA_HOME) to use.

It looks like there is something not quite right with the Tomcat 9 configuration. You could try adding:

-Dsun.security.spnego.debug=true

in setenv.bat. That might provide some insight although I've had mixed experience using that to debug SPNEGO issues in the past.

<snip/>

>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more
>> strict than the Tomcat 8 implementation was...

I haven't found any evidence to support the above conclusion at this point. All the evidence so far (diff of the relevant code and my own test environment) points to a configuration difference in your Tomcat 9 installation.

You mentioned starting and stopping services. I wondered if the change of default user from "Local System" to "Local Service" had triggered this issue but that makes no difference.

Looking at your log files in more detail, I do notice a few things:

-Djava.security.krb5.ini=...

The above system property is incorrect. It should be:

-Djava.security.krb5.conf=...

It won't impact your environment because it appears to be set to the default. This affects both Tomcat 8 and Tomcat 9.

The conf\krb5.ini does not specify the keytab file. In the config files in the Tomcat docs this looks like:

default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab

The debug logs for the authentication processes look very different.
That strongly suggests that the configurations are not the same. I would concentrate on comparing the configuration of the two systems.

Mark
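Added example, not code from the thread or from the Tomcat project: a small check for the two configuration points Mark raises, the misspelt -Djava.security.krb5.ini system property in setenv.bat and a krb5.ini whose [libdefaults] names no keytab. The setenv.bat and krb5.ini contents, the realm name and the file paths are constructed for illustration.

```python
"""Check a Tomcat-on-Windows SPNEGO setup for the two slips raised in the
thread: the misspelt krb5 system property and a krb5.ini with no keytab."""
import re

# Constructed sample files modelled on the thread, not the poster's real ones.
SETENV_BAD = r'''set "CATALINA_OPTS=%CATALINA_OPTS% -Djava.security.krb5.ini=C:\tomcat\conf\krb5.ini"
set "CATALINA_OPTS=%CATALINA_OPTS% -Dsun.security.spnego.debug=true"'''
SETENV_GOOD = SETENV_BAD.replace("krb5.ini=", "krb5.conf=")

KRB5_BAD = r'''[libdefaults]
default_realm = EXAMPLE.LOCAL
[realms]
EXAMPLE.LOCAL = {
  kdc = dc01.example.local
}'''
KRB5_GOOD = KRB5_BAD.replace("[realms]",
    r"default_keytab_name = FILE:C:\tomcat\conf\tomcat.keytab" + "\n[realms]")

def jvm_options(batch_text):
    """Collect -Dname=value pairs from set lines (quoted or not)."""
    return dict(re.findall(r'-D([\w.]+)=([^\s"]+)', batch_text))

def libdefaults(krb5_text):
    """Return key/value pairs of the [libdefaults] section only; brace-nested
    blocks (realm definitions) are skipped so they never leak into the result."""
    section, depth, found = None, 0, {}
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        depth += line.count("{") - line.count("}")
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def lint(setenv_text, krb5_text):
    """Return human-readable findings; an empty list means both checks pass."""
    opts, defaults, findings = jvm_options(setenv_text), libdefaults(krb5_text), []
    if "java.security.krb5.ini" in opts:
        findings.append("setenv.bat sets -Djava.security.krb5.ini; the JVM only reads "
                        "-Djava.security.krb5.conf, so this setting is silently ignored")
    if "default_keytab_name" not in defaults:
        findings.append("krb5.ini [libdefaults] has no default_keytab_name "
                        "(e.g. FILE:C:\\path\\to\\conf\\tomcat.keytab)")
    return findings
```

`lint(SETENV_BAD, KRB5_BAD)` reports both problems, while the corrected pair returns an empty list.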