https://bz.apache.org/bugzilla/show_bug.cgi?id=64222
Bug ID: 64222
Summary: Getting User from SSO using SPNEGO returns Tomcat Linux user instead of Windows user above Tomcat9.0.8
Product: Tomcat 9
Version: 9.0.22
Hardware: PC
OS: Linux
Status: NEW
Severity: regression
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: b...@wigeogis.com
Target Milestone: -----

I had the same problem already described in http://tomcat.10.x6.nabble.com/SSO-fails-on-Tomcat-9-td5089051.html#a5089145 :

When upgrading from Tomcat8.5.20 to Tomcat9.0.22, calling request.getRemoteUser() in a JSP (like the hello_spnego.jsp file as mentioned in http://spnego.sourceforge.net/spnego_tomcat.html) of the ROOT webapp with identically configured SPNEGO (using a SpnegoHttpFilter in the web.xml) did not return the Windows user of the browser sending the request transferring the Kerberos ticket (bk), but the Linux user the Tomcat is running under (tomcat).

Additional note: request.getUserPrincipal().getName() returns tomcat@DEV.LOCAL instead of bk@DEV.LOCAL.

After downgrading from 9.0.22 to 9.0.8 it all worked fine, like with 8.5.20!

So I suppose the new line 541 doing return null; causes this behaviour:
https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

But I must admit without debugging I do not understand the code of JAASRealm.createPrincipal() that seems to be involved in this regression.

Using an AuthenticatedUserRealm did not work either (but in fact no Valve or Realm is configured in TOMCAT_BASE/conf/server.xml at all - it is unchanged).

So in the meantime more information about my system to reproduce:

* Ubuntu 16.04.4 LTS
* with the mentioned Apache 8.5.20, 9.0.8 and 9.0.22
* SPNEGO configured with a SpnegoHttpFilter in the TOMCAT_BASE/conf/web.xml like documented in http://spnego.sourceforge.net/spnego_tomcat.html
** copied the latest spnego-r9.jar to the TOMCAT_BASE/lib folder and
** configured with a conf/krb5.ini, a conf/jaas.conf and a conf/tomcat.keytab matching the setspn command at the domain controller as documented in https://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html#Tomcat_instance_(Linux_server)

If necessary I can provide the configuration files, but I think it is reproducible without.