Hello Mark, That helps somewhat, my browser now shows the login page for our application, BUT I do not get my username in HTTP variable REMOTE_USER but the principal keytab related name.
So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM To be complete this I the keytab creation statement issued by our AD admin: ktpass /out c:\Temp\tomcat.keytab /mapuser decade_sso...@u4agr.com /princ HTTP/nlsl-decadetst.u4agr....@u4agr.com /pass "<passwd>" /kvno 0 -ptype KRB5_NT_PRINCIPAL Met vriendelijke groeten van Heidi Leerink - Duverger Technisch Consultant In business for people. Unit4 Business Software Netherlands B.V. Papendorpseweg 100, 3710 BJ Utrecht, Netherlands T +31 88 247 1444 E heidi.duver...@unit4.com This message and any attachment(s) are intended only for the use of the named recipient and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If you are not the intended recipient, please notify the sender by return e-mail and delete this message from your system. Do not disclose the contents of this document to any other persons. Violation of this notice may be unlawful. Please note that internet communications are not secure and e-mails are susceptible to change. Thank you for your cooperation. -----Original Message----- From: Mark Thomas [mailto:ma...@apache.org] Sent: vrijdag 6 september 2019 11:55 To: users@tomcat.apache.org Subject: Re: SSO fails on Tomcat 9 On 05/09/2019 21:10, Heidi Leerink - Duverger wrote: > Hello Mark, > > I have spent a lot of time comparing both T8 and T9 installations on de > nsl-decadetst.u4agr.com PC. > Sorry but I can't find a major difference in the conf file, apart from > differences Tomcat itself came with in the conf files. > The stdout is mainly the same and the stderr show in Tomcat 8 hduverge > authenticated and in Tomcat 9 not authenticated. > I'm lost now I have no ideas left where to look for differences or how to > find a solution for this major issue. > Attached once again the files from our Tomcat 8 and Tomcat 9 installation. I took another look and I think the issue is with the JAASRealm configuration rather than with SPNEGO. I think you have been caught out by this change: https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Ftomcat%2Fcommit%2Fb5ca3e08b8cdd998e22f486293bca6b89e2644e3&data=01%7C01%7Cheidi.duverger%40unit4.com%7C1d4983f01ef74742b7fe08d732b03c7d%7Cee137cc45d4343cf9da5f75728b8d21f%7C1&sdata=oHIwRhtka1MiYOIAYg5okvI3BRC0IFNCWaE2oNR%2FZd4%3D&reserved=0 Try adding: userClassNames="javax.security.auth.kerberos.KerberosPrincipal" to your JAASRealm configuration in apex42a.xml Mark > > Met vriendelijke groeten van > Heidi Leerink - Duverger > Technisch Consultant > > Met vriendelijke groeten van > Heidi Leerink - Duverger > Technisch Consultant > > > In business for people. > Unit4 Business Software Netherlands B.V. > Papendorpseweg 100, 3710 BJ Utrecht, Netherlands T +31 88 247 1444 E > heidi.duver...@unit4.com This message and any attachment(s) are > intended only for the use of the named recipient and may contain information > that is privileged, confidential or otherwise exempt from disclosure under > applicable law. If you are not the intended recipient, please notify the > sender by return e-mail and delete this message from your system. Do not > disclose the contents of this document to any other persons. Violation of > this notice may be unlawful. Please note that internet communications are not > secure and e-mails are susceptible to change. Thank you for your cooperation. > > -----Original Message----- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: woensdag 4 september 2019 11:09 > To: users@tomcat.apache.org > Subject: Re: SSO fails on Tomcat 9 > > Heidi, > > I have just completed the tests and SPNEGO works as expected with both Tomcat > 8.5.x and 9.0.x. > > The test environment was as per: > https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftomca > t.apache.org%2Ftomcat-9.0-doc%2Fwindows-auth-howto.html&data=01%7C > 01%7Cheidi.duverger%40unit4.com%7C1d4983f01ef74742b7fe08d732b03c7d%7Ce > e137cc45d4343cf9da5f75728b8d21f%7C1&sdata=K4sjAdNob45pzLu6Y3TqQf6S > nd%2BeKdzhwaEVhwSY37g%3D&reserved=0 > > with the following changes: > - Updated the Domain Controller and Tomcat instance with all the latest > patches from Windows update > - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat > running under both) > - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing), > 9.0.24 (from the tag) > > The test environment uses separate CATALINA_HOME / CATALINA_BASE so the > Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical > while I vary the Tomcat binary (CATALINA_HOME) to use. > > > It looks like there is something not quite right with the Tomcat 9 > configuration. > > You could try adding: > > -Dsun.security.spnego.debug=true > > in setenv.bat. That might provide some insight although I've had mixed > experience using that to debug SPNEGO issues in the past. > > <snip/> > >>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more >>> strict than the Tomcat 8 implementation was... > I haven't found any evidence to support the above conclusion at this point. > All the evidence so far (diff of the relevant code and my own test > environment) points to a configuration difference in your Tomcat 9 > installation. > > You mentioned starting and stopping services. I wondered if the change of > default user from "Local System" to "Local Service" had triggered this issue > but that makes no difference. > > Looking at your log files in more detail, I do notice a few things: > > -Djava.security.krb5.ini=... > > The above system property is incorrect. It should be: > > -Djava.security.krb5.conf=... > > It won't impact your environment because it appears to be set to the default. > This affects both Tomcat 8 and Tomcat 9. > > The conf\krb5.ini does not specify the keytab file. In the config files in > the Tomcat docs this looks like: > default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab > > The debug logs for the authentication processes look very different. > That strongly suggests that the configurations are not the same. I would > concentrated on comparing the configuration of the two systems. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
