On 05/09/2019 21:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> I have spent a lot of time comparing both T8 and T9 installations on the
> nsl-decadetst.u4agr.com PC.
> Sorry, but I can't find a major difference in the conf file, apart from
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same, and the stderr shows hduverge authenticated
> in Tomcat 8 and not authenticated in Tomcat 9.
> I'm lost now; I have no ideas left where to look for differences or how to
> find a solution for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

I took another look and I think the issue is with the JAASRealm configuration
rather than with SPNEGO. I think you have been caught out by this change:

https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

Try adding:

userClassNames="javax.security.auth.kerberos.KerberosPrincipal"

to your JAASRealm configuration in apex42a.xml

Mark

>
> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
> T +31 88 247 1444
> E heidi.duver...@unit4.com
> This message and any attachment(s) are intended only for the use of the named
> recipient and may contain information that is privileged, confidential or
> otherwise exempt from disclosure under applicable law. If you are not the
> intended recipient, please notify the sender by return e-mail and delete this
> message from your system. Do not disclose the contents of this document to
> any other persons. Violation of this notice may be unlawful. Please note that
> internet communications are not secure and e-mails are susceptible to change.
> Thank you for your cooperation.
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Wednesday 4 September 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Heidi,
>
> I have just completed the tests and SPNEGO works as expected with both Tomcat
> 8.5.x and 9.0.x.
>
> The test environment was as per:
> http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html
>
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest
>   patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
>   running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
>   9.0.24 (from the tag)
>
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the
> Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical
> while I vary the Tomcat binary (CATALINA_HOME) to use.
>
> It looks like there is something not quite right with the Tomcat 9
> configuration.
>
> You could try adding:
>
> -Dsun.security.spnego.debug=true
>
> in setenv.bat. That might provide some insight, although I've had mixed
> experience using that to debug SPNEGO issues in the past.
>
> <snip/>
>
> >>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more
> >>> strict than the Tomcat 8 implementation was...
>
> I haven't found any evidence to support the above conclusion at this point.
> All the evidence so far (diff of the relevant code and my own test
> environment) points to a configuration difference in your Tomcat 9
> installation.
>
> You mentioned starting and stopping services. I wondered if the change of
> default user from "Local System" to "Local Service" had triggered this issue,
> but that makes no difference.
>
> Looking at your log files in more detail, I do notice a few things:
>
> -Djava.security.krb5.ini=...
>
> The above system property is incorrect. It should be:
>
> -Djava.security.krb5.conf=...
>
> It won't impact your environment because it appears to be set to the default.
> This affects both Tomcat 8 and Tomcat 9.
>
> The conf\krb5.ini does not specify the keytab file. In the config files in
> the Tomcat docs this looks like:
> default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab
>
> The debug logs for the authentication processes look very different.
> That strongly suggests that the configurations are not the same. I would
> concentrate on comparing the configuration of the two systems.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
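The thread identifies three separate configuration slips (the `-Djava.security.krb5.ini` property that the JVM never reads, a `krb5.ini` with no `default_keytab_name`, and a `JAASRealm` that does not list `KerberosPrincipal` in `userClassNames`). The lint below checks a `setenv.bat`, a `krb5.ini` and a context XML for all three; it is an added example, not code from the thread or from Tomcat, and the sample inputs (paths, realm name, `appName="Tomcat"`) are constructed.

```python
# Added example (not from the thread or from Tomcat): lint a Tomcat SPNEGO setup
# for the three misconfigurations Mark points out in this thread.
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the thread, not the poster's real files.
SETENV_BAT = ('set "CATALINA_OPTS=%CATALINA_OPTS% '
              '-Djava.security.krb5.ini=C:\\tomcat\\conf\\krb5.ini"\n')
KRB5_INI = "[libdefaults]\ndefault_realm = EXAMPLE.COM\n\n[realms]\nEXAMPLE.COM = { kdc = dc.example.com }\n"
CONTEXT_XML = ('<Context>\n'
               '  <Realm className="org.apache.catalina.realm.JAASRealm" appName="Tomcat"/>\n'
               '</Context>\n')
KERBEROS_PRINCIPAL = "javax.security.auth.kerberos.KerberosPrincipal"

def check_setenv(text):
    # The JVM reads -Djava.security.krb5.conf; an unknown '.ini' property is silently ignored.
    if re.search(r"-Djava\.security\.krb5\.ini=", text):
        return ["setenv.bat: -Djava.security.krb5.ini is not a JVM property; "
                "use -Djava.security.krb5.conf=..."]
    return []

def check_krb5(text):
    # Tomcat's Windows auth how-to sets default_keytab_name = FILE:<path to keytab>.
    if re.search(r"^\s*default_keytab_name\s*=\s*FILE:", text, re.M):
        return []
    return ["krb5.ini: no 'default_keytab_name = FILE:...' entry"]

def check_jaas_realm(xml_text):
    # Every JAASRealm should list KerberosPrincipal in userClassNames (the thread's suggested fix).
    findings = []
    for realm in ET.fromstring(xml_text).iter("Realm"):
        if realm.get("className") != "org.apache.catalina.realm.JAASRealm":
            continue
        classes = {c.strip() for c in realm.get("userClassNames", "").split(",")}
        if KERBEROS_PRINCIPAL not in classes:
            findings.append(f"JAASRealm (appName={realm.get('appName')}): "
                            f'add userClassNames="{KERBEROS_PRINCIPAL}"')
    return findings

def lint(setenv, krb5, context_xml):
    # An empty list means none of the three issues is present.
    return check_setenv(setenv) + check_krb5(krb5) + check_jaas_realm(context_xml)

if __name__ == "__main__":
    for finding in lint(SETENV_BAT, KRB5_INI, CONTEXT_XML):
        print(finding)
```

Run it against the real `setenv.bat`, `conf\krb5.ini` and the context file (`apex42a.xml` in the thread) by reading those files into the three arguments of `lint`.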