Scrumpy Jack schrieb: > Hi > I'm trying to resolve an issue with Integrated Authentication when a user > with a large Group Membership tries to access a site served by Tomcat via > IIS ISAPI Redirect. > > For all other users, access is fine. For users with 70+ Windows groups, they > are failing to be redirected and are getting a 500 error. Basic > Authentication works fine. > > Tomcat 6 > IIS 6.0 on Windows 2003 > ISAPI 1.2.26 > 32 bit > > Access to IIS for the same users (i.e. with no ISAPI filter) is fine. We > have explored various Kerberos package size options in initial > troubleshooting, but once we realized that IIS alone worked fine, it now > appears that whatever is being passed to the ISAPI filter via IIS as part of > the Authentication process is exceeding some buffer. The user is prompted > for credentials (but shouldn't be) and will fail to get access regardless of > what is typed. IE classifies site as Internet, when it isn't (And doesn't > get mistrated for other users - i.e. Shows as Local Intranet and no user > prompt appears) > > Can anyone point me in the direction of settings that increase buffer (?) > settings related to Integrated Authentication? Any ideas as to where I > should focus? (i.e. the ISAPI Filter config end, or Tomcat end?)
If you can easily reproduce on a test system, set log_level to trace and reproduce with a single request. Then show us your log_file. It is possible, that the informagtion gets forwarded via http headers. The AJP protocol used between the isapi redirector and Tomcat needs to send all http headers in a single AJP packet. The default maximum size of the packet is 8KB. Recent versions of the redirector and of Tomcat are able to use a higher value. But let's first check, if this is actually the problem you are runnning into. Regards, Rainer --------------------------------------------------------------------- To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
