RE: SSO fails on Tomcat 9
Hello Mark, André,

No success on my side for SSO. I have installed 9.0.26 and changed the config according to this mail, but no success.

Regards,
Heidi Leerink - Duverger

-Original Message-
From: Mark Thomas
Sent: Tuesday 10 September 2019 18:07
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

On 10/09/2019 16:47, André Warnier (tomcat) wrote:
> On 10.09.2019 15:38, Mark Thomas wrote:
>> On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
>>> Hello Mark,
>>>
>>> That helps somewhat, my browser now shows the login page for our
>>> application, BUT I do not get my username in HTTP variable
>>> REMOTE_USER but the principal keytab related name.
>>>
>>> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM
>>
>> The Tomcat Authenticator takes care of validating the user. In the
>> configuration you provided the JAASRealm is - effectively -
>> (re-)validating the contents of the keytab file. That is why you see
>> the keytab principal as the authenticated user.
>>
>> Try replacing the JAASRealm with the AuthenticatedUserRealm.
>> Something like:
>>
>>         allRolesMode="authOnly"
>
> Mmm. That looks like a typo, likely to confuse this OP even more, no ?

Yep. Copy paste error. Should be:

Tx.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSO fails on Tomcat 9
On 10/09/2019 16:47, André Warnier (tomcat) wrote:
> On 10.09.2019 15:38, Mark Thomas wrote:
>> On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
>>> Hello Mark,
>>>
>>> That helps somewhat, my browser now shows the login page for our
>>> application, BUT I do not get my username in HTTP variable
>>> REMOTE_USER but the principal keytab related name.
>>>
>>> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM
>>
>> The Tomcat Authenticator takes care of validating the user. In the
>> configuration you provided the JAASRealm is - effectively -
>> (re-)validating the contents of the keytab file. That is why you see the
>> keytab principal as the authenticated user.
>>
>> Try replacing the JAASRealm with the AuthenticatedUserRealm. Something
>> like:
>>
>>         allRolesMode="authOnly"
>
> Mmm. That looks like a typo, likely to confuse this OP even more, no ?

Yep. Copy paste error. Should be:

Tx.

Mark
Re: SSO fails on Tomcat 9
On 10.09.2019 15:38, Mark Thomas wrote:
> On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
>> Hello Mark,
>>
>> That helps somewhat, my browser now shows the login page for our
>> application, BUT I do not get my username in HTTP variable
>> REMOTE_USER but the principal keytab related name.
>>
>> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM
>
> The Tomcat Authenticator takes care of validating the user. In the
> configuration you provided the JAASRealm is - effectively -
> (re-)validating the contents of the keytab file. That is why you see the
> keytab principal as the authenticated user.
>
> Try replacing the JAASRealm with the AuthenticatedUserRealm. Something
> like:
>

Mmm. That looks like a typo, likely to confuse this OP even more, no ?

Note: This Realm should *only* be used with Authenticators like
org.apache.catalina.authenticator.SpnegoAuthenticator that authenticate the
user since this Realm simply takes the information provided and assumes it
is valid.

> Mark
Re: SSO fails on Tomcat 9
On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> That helps somewhat, my browser now shows the login page for our application,
> BUT I do not get my username in HTTP variable REMOTE_USER but the principal
> keytab related name.
>
> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM

The Tomcat Authenticator takes care of validating the user. In the
configuration you provided the JAASRealm is - effectively - (re-)validating
the contents of the keytab file. That is why you see the keytab principal as
the authenticated user.

Try replacing the JAASRealm with the AuthenticatedUserRealm. Something like:
RE: SSO fails on Tomcat 9
Thank you André for this analysis. I am an Oracle developer and I understand most of the reasoning in your answer, but I need to chew on it for some time and seek help in our organization for Kerberos knowledge.

Our application first only had a database authentication and over time more and more customers required SSO. So I configured Tomcat with Spnego based on an Oracle blog, and that worked fine in Tomcat 7 and 8. But now some customers want to upgrade to Tomcat 9.

The application only uses the HTTP variable REMOTE_USER to decide if there is a SSO configuration present and if so links the Windows user to an application user; otherwise the user has to login against the database to authenticate.

Kind regards,
Heidi Leerink - Duverger
Technical Consultant

In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T +31 88 247 1444
E heidi.duver...@unit4.com

This message and any attachment(s) are intended only for the use of the named recipient and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If you are not the intended recipient, please notify the sender by return e-mail and delete this message from your system. Do not disclose the contents of this document to any other persons. Violation of this notice may be unlawful. Please note that internet communications are not secure and e-mails are susceptible to change. Thank you for your cooperation.

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Friday 6 September 2019 12:15
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Hi Heidi.

We have kind of a conundrum here :

- Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) authentication under both tomcat8 and tomcat9, using the standard instructions provided in the respective on-line tomcat documentation pages, and reported that it works in both cases.

- You report that your installation works with tomcat8, but not with tomcat9, and that you are using the same infrastructure and the same parameters in both cases. (Someone else also reported a case with problems with tomcat9).

- The description of your problem (and the tomcat9 logfiles) seems to indicate a problem with the Kerberos "pre-authentication". (These lines of the log :
>>>KRBError: ... error code is 25 error Message is Additional pre-authentication required )

And based on my own previous experience with Windows authentication in general (but not Kerberos), it is also my impression that your problem is at the Kerberos level, not really at the tomcat level.

I have looked for "Kerberos Additional pre-authentication required" in the www, and despite the fact that I do not really know Kerberos, it seems that the error message above indicates that your browser and the server cannot even agree between them, to actually start exchanging Kerberos tokens (keys) between them, to complete a Kerberos authentication. (And that may be why you see a single 401 response in your logs, and why SPNEGO immediately concludes that the user is not authenticated).

(There are also lines in that logfile, which seem to hint at some DNS (name resolution) issue, but that may be a false alarm or a secondary issue).

One way to reconcile the above conflicting information, would be if for example some SPNEGO Valve parameter, in your configuration, would be unspecified and defaulting to some value in your case, and a different value in Mark's case. (Or vice-versa, that you are specifying a value, and Mark is using the default, and the result is not the same.)

Another possibility would be that the available (or default) encryption methods are different between tomcat8 and tomcat9 (or between different browsers), and that in your case and Mark's, the browser and the server arrive at different encryption choices and cannot agree on a common one.

It may be useful for you and Mark to compare in detail, the settings which you use for the SPNEGO Valve (and/or for encryption ?).

Another very vague (and maybe wrong) suspicion that I would have is based on some questions :
- does the tomcat hostname play a role in the Kerberos authentication ?
- if yes, does the SPNEGO Valve obtain this name via some ".getServerName()"-like method, whose result may be different under tomcat8 and tomcat9 in some circumstances ?

On 05.09.2019 22:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> I have spent a lot of time comparing both T8 and T9 installations on the
> nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge
> authenticated and in Tomcat 9 not authenticate
RE: SSO fails on Tomcat 9
Hello Mark,

That helps somewhat, my browser now shows the login page for our application, BUT I do not get my username in HTTP variable REMOTE_USER but the principal keytab related name.

So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM

To be complete, this is the keytab creation statement issued by our AD admin:

ktpass /out c:\Temp\tomcat.keytab /mapuser decade_sso...@u4agr.com /princ HTTP/nlsl-decadetst.u4agr@u4agr.com /pass "" /kvno 0 -ptype KRB5_NT_PRINCIPAL

Kind regards,
Heidi Leerink - Duverger
Technical Consultant

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday 6 September 2019 11:55
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

On 05/09/2019 21:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> I have spent a lot of time comparing both T8 and T9 installations on the
> nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge
> authenticated and in Tomcat 9 not authenticated.
> I'm lost now I have no ideas left where to look for differences or how to
> find a solution for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

I took another look and I think the issue is with the JAASRealm configuration rather than with SPNEGO. I think you have been caught out by this change:

https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

Try adding:

userClassNames="javax.security.auth.kerberos.KerberosPrincipal"

to your JAASRealm configuration in apex42a.xml

Mark

> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Wednesday 4 September 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Heidi,
>
> I have just completed the tests and SPNEGO works as expected with both Tomcat
> 8.5.x and 9.0.x.
>
> The test environment was as per:
> http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html
>
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest
>   patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
>   running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
>   9.0.24 (from the tag)
>
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the
> Tomcat instance
Re: SSO fails on Tomcat 9
Hi Heidi.

We have kind of a conundrum here :

- Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) authentication under both tomcat8 and tomcat9, using the standard instructions provided in the respective on-line tomcat documentation pages, and reported that it works in both cases.

- You report that your installation works with tomcat8, but not with tomcat9, and that you are using the same infrastructure and the same parameters in both cases. (Someone else also reported a case with problems with tomcat9).

- The description of your problem (and the tomcat9 logfiles) seems to indicate a problem with the Kerberos "pre-authentication". (These lines of the log :
>>>KRBError: ... error code is 25 error Message is Additional pre-authentication required )

And based on my own previous experience with Windows authentication in general (but not Kerberos), it is also my impression that your problem is at the Kerberos level, not really at the tomcat level.

I have looked for "Kerberos Additional pre-authentication required" in the www, and despite the fact that I do not really know Kerberos, it seems that the error message above indicates that your browser and the server cannot even agree between them, to actually start exchanging Kerberos tokens (keys) between them, to complete a Kerberos authentication. (And that may be why you see a single 401 response in your logs, and why SPNEGO immediately concludes that the user is not authenticated).

(There are also lines in that logfile, which seem to hint at some DNS (name resolution) issue, but that may be a false alarm or a secondary issue).

One way to reconcile the above conflicting information, would be if for example some SPNEGO Valve parameter, in your configuration, would be unspecified and defaulting to some value in your case, and a different value in Mark's case. (Or vice-versa, that you are specifying a value, and Mark is using the default, and the result is not the same.)

Another possibility would be that the available (or default) encryption methods are different between tomcat8 and tomcat9 (or between different browsers), and that in your case and Mark's, the browser and the server arrive at different encryption choices and cannot agree on a common one.

It may be useful for you and Mark to compare in detail, the settings which you use for the SPNEGO Valve (and/or for encryption ?).

Another very vague (and maybe wrong) suspicion that I would have is based on some questions :
- does the tomcat hostname play a role in the Kerberos authentication ?
- if yes, does the SPNEGO Valve obtain this name via some ".getServerName()"-like method, whose result may be different under tomcat8 and tomcat9 in some circumstances ?

On 05.09.2019 22:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> I have spent a lot of time comparing both T8 and T9 installations on the
> nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge
> authenticated and in Tomcat 9 not authenticated.
> I'm lost now I have no ideas left where to look for differences or how to
> find a solution for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.
>
> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Wednesday 4 September 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Heidi,
>
> I have just completed the tests and SPNEGO works as expected with both
> Tomcat 8.5.x and 9.0.x.
>
> The test environment was as per:
> http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html
>
> with the following ch
Re: SSO fails on Tomcat 9
On 05/09/2019 21:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> I have spent a lot of time comparing both T8 and T9 installations on the
> nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge
> authenticated and in Tomcat 9 not authenticated.
> I'm lost now I have no ideas left where to look for differences or how to
> find a solution for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

I took another look and I think the issue is with the JAASRealm
configuration rather than with SPNEGO. I think you have been caught out by
this change:

https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

Try adding:

userClassNames="javax.security.auth.kerberos.KerberosPrincipal"

to your JAASRealm configuration in apex42a.xml

Mark

> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Wednesday 4 September 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Heidi,
>
> I have just completed the tests and SPNEGO works as expected with both
> Tomcat 8.5.x and 9.0.x.
>
> The test environment was as per:
> http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html
>
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest
>   patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
>   running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
>   9.0.24 (from the tag)
>
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the
> Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical
> while I vary the Tomcat binary (CATALINA_HOME) to use.
>
> It looks like there is something not quite right with the Tomcat 9
> configuration.
>
> You could try adding:
>
> -Dsun.security.spnego.debug=true
>
> in setenv.bat. That might provide some insight although I've had mixed
> experience using that to debug SPNEGO issues in the past.
>
>>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more
>>> strict than the Tomcat 8 implementation was...
>
> I haven't found any evidence to support the above conclusion at this point.
> All the evidence so far (diff of the relevant code and my own test
> environment) points to a configuration difference in your Tomcat 9
> installation.
>
> You mentioned starting and stopping services. I wondered if the change of
> default user from "Local System" to "Local Service" had triggered this issue
> but that makes no difference.
>
> Looking at your log files in more detail, I do notice a few things:
>
> -Djava.security.krb5.ini=...
>
> The above system property is incorrect. It should be:
>
> -Djava.security.krb5.conf=...
>
> It won't impact your environment because it appears to be set to the default.
> This affects both Tomcat 8 and Tomcat 9.
>
> The conf\krb5.ini does not specify the keytab file. In the config files in
> the Tomcat docs this looks like:
> default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab
>
> The debug logs for the authentication p
Re: SSO fails on Tomcat 9
Heidi,

I have just completed the tests and SPNEGO works as expected with both Tomcat 8.5.x and 9.0.x.

The test environment was as per:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

with the following changes:
- Updated the Domain Controller and Tomcat instance with all the latest patches from Windows update
- Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat running under both)
- Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing), 9.0.24 (from the tag)

The test environment uses separate CATALINA_HOME / CATALINA_BASE so the Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical while I vary the Tomcat binary (CATALINA_HOME) to use.

It looks like there is something not quite right with the Tomcat 9 configuration.

You could try adding:

-Dsun.security.spnego.debug=true

in setenv.bat. That might provide some insight although I've had mixed experience using that to debug SPNEGO issues in the past.

>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more
>> strict than the Tomcat 8 implementation was...

I haven't found any evidence to support the above conclusion at this point. All the evidence so far (diff of the relevant code and my own test environment) points to a configuration difference in your Tomcat 9 installation.

You mentioned starting and stopping services. I wondered if the change of default user from "Local System" to "Local Service" had triggered this issue but that makes no difference.

Looking at your log files in more detail, I do notice a few things:

-Djava.security.krb5.ini=...

The above system property is incorrect. It should be:

-Djava.security.krb5.conf=...

It won't impact your environment because it appears to be set to the default. This affects both Tomcat 8 and Tomcat 9.

The conf\krb5.ini does not specify the keytab file. In the config files in the Tomcat docs this looks like:

default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab

The debug logs for the authentication processes look very different. That strongly suggests that the configurations are not the same. I would concentrate on comparing the configuration of the two systems.

Mark
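As an added example (not code from the thread, from Tomcat or from the OP's files), the following Python script turns the configuration points raised across this thread into checks over constructed sample files: a JAASRealm behind the SPNEGO valve that lacks userClassNames for the Kerberos principal (and the AuthenticatedUserRealm alternative, which must only sit behind an authenticating valve), the misspelt -Djava.security.krb5.ini system property, a krb5.ini without default_keytab_name, and the REMOTE_USER symptom of a realm reporting the keytab principal. Hostnames, realm and app names are placeholders.

```python
"""Checks for the Tomcat SPNEGO configuration pitfalls raised in this thread.
Added example; not code from the thread, from Tomcat or from the OP's files.
The sample context XML, JVM options and krb5.ini below are constructed."""
import re
import xml.etree.ElementTree as ET

SPNEGO_AUTH = "org.apache.catalina.authenticator.SpnegoAuthenticator"
JAAS_REALM = "org.apache.catalina.realm.JAASRealm"
AUTH_USER_REALM = "org.apache.catalina.realm.AuthenticatedUserRealm"
KRB_PRINCIPAL = "javax.security.auth.kerberos.KerberosPrincipal"

# Constructed: SPNEGO valve plus a JAASRealm without userClassNames, the
# combination Mark identified in the Tomcat 9 configuration.
CONTEXT_BEFORE = """<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"/>
  <Realm className="org.apache.catalina.realm.JAASRealm" appName="spnego-example"
         useContextClassLoader="false"/>
</Context>"""

# The same file with the attribute Mark suggested adding.
CONTEXT_FIXED = CONTEXT_BEFORE.replace(
    'appName="spnego-example"',
    'appName="spnego-example"\n'
    '         userClassNames="javax.security.auth.kerberos.KerberosPrincipal"')

# Mark's later alternative: the authenticator validates the ticket and the
# realm only reports the authenticated name (allRolesMode as quoted above).
CONTEXT_AUTH_USER = """<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"/>
  <Realm className="org.apache.catalina.realm.AuthenticatedUserRealm"
         allRolesMode="authOnly"/>
</Context>"""

# Constructed setenv.bat options and krb5.ini reproducing the other findings.
JVM_OPTS_BEFORE = ('-Djava.security.krb5.ini=c:\\tomcat\\conf\\krb5.ini '
                   '-Dsun.security.spnego.debug=true')
JVM_OPTS_FIXED = JVM_OPTS_BEFORE.replace("krb5.ini=", "krb5.conf=")
KRB5_INI_BEFORE = """[libdefaults]
default_realm = EXAMPLE.TEST

[realms]
EXAMPLE.TEST = {
    kdc = dc01.example.test:88
}
"""
KRB5_INI_FIXED = KRB5_INI_BEFORE.replace(
    "default_realm = EXAMPLE.TEST",
    "default_realm = EXAMPLE.TEST\n"
    "default_keytab_name = FILE:c:\\tomcat\\conf\\tomcat.keytab")


def check_context(context_xml):
    """Findings for the Realm/Valve pairing in a context.xml."""
    root = ET.fromstring(context_xml)
    findings = []
    valves = {v.get("className") for v in root.iter("Valve")}
    for realm in root.iter("Realm"):
        cls = realm.get("className", "")
        if cls == JAAS_REALM and SPNEGO_AUTH in valves:
            names = {n.strip() for n in realm.get("userClassNames", "").split(",")}
            if KRB_PRINCIPAL not in names:
                findings.append('JAASRealm: add userClassNames="%s"' % KRB_PRINCIPAL)
        if cls == AUTH_USER_REALM and SPNEGO_AUTH not in valves:
            # This realm trusts whatever name it is handed, so it is only safe
            # behind an authenticator that has already validated the user.
            findings.append("AuthenticatedUserRealm used without an authenticating Valve")
    return findings


def check_jvm_options(opts):
    """Flag the misspelt property; the JVM ignores it and uses its default lookup."""
    return ["use -Djava.security.krb5.conf=..., not -Djava.security.krb5.ini=..."
            for opt in opts.split() if opt.startswith("-Djava.security.krb5.ini=")]


def check_krb5_ini(text):
    """Flag a krb5.ini whose [libdefaults] section does not name the keytab."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif "=" in line and section:
            key, value = (s.strip() for s in line.split("=", 1))
            keys[(section, key)] = value
    if ("libdefaults", "default_keytab_name") not in keys:
        return ["krb5.ini: [libdefaults] has no default_keytab_name = FILE:..."]
    return []


def is_service_principal(remote_user):
    """True when REMOTE_USER carries the service principal (HTTP/host@REALM)
    rather than the client's name, the symptom Heidi reported."""
    return re.fullmatch(r"HTTP/[^@/\s]+@[^@/\s]+", remote_user) is not None


def audit(context_xml, jvm_opts, krb5_ini):
    """All findings for one installation."""
    return check_context(context_xml) + check_jvm_options(jvm_opts) + check_krb5_ini(krb5_ini)


if __name__ == "__main__":
    for name, args in [("before", (CONTEXT_BEFORE, JVM_OPTS_BEFORE, KRB5_INI_BEFORE)),
                       ("fixed", (CONTEXT_FIXED, JVM_OPTS_FIXED, KRB5_INI_FIXED))]:
        print(name, audit(*args) or "no findings")
```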
RE: SSO fails on Tomcat 9
Thanks Mark! Take your time, I am in a meeting tomorrow most part of the day...

Heidi

Kind regards,
Heidi Leerink - Duverger
Technical Consultant

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday 3 September 2019 20:31
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Heidi,

I have the set of test VMs I used when first implementing this feature. They are the ones I used when I wrote:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

I'll fire them up, install 9.0.24, test and report back.

I have done a quick diff of the key classes between 9.0.x and 8.5.x and I don't see any changes that should cause problems.

Experience tells me I am going to spend more time getting the VMs updated with the latest patches (I don't turn them on that often) than I am going to spend testing. Don't be surprised if it takes until tomorrow for me to report back.

Mark

On 03/09/2019 17:38, Heidi Leerink - Duverger wrote:
> Hello Alex,
>
> This is the result of the nslookup:
>
> C:\Users\hduverge>nslookup nlsl-decadetest
> Server:  nlsl-dccrp01p.corp.u4agr.com
> Address:  10.100.2.2
>
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest: Non-existent domain
>
> C:\Users\hduverge>
> C:\Users\hduverge>nslookup nlsl-decadetest.u4agr.com
> Server:  nlsl-dccrp01p.corp.u4agr.com
> Address:  10.100.2.2
>
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest.u4agr.com: Non-existent domain
>
>> Q3: Is the PC where you are using the browser to test, also the same one
>> where Tomcat is installed ?
>> (I am not sure that this type of authentication should work, if the same
>> machine is at the same time the client and the server) In any case, it may
>> be a good idea if you tested the same access, with a browser on another PC
>> workstation.
>
> I test the SSO URL on my own desktop in Google chrome and IE11, but if I test
> the URL in IE11 on the nls-decadetest it asks for a window login and then gives
> the same error as I get on my desktop.
>
> I think that it would be better to move this test to a real server, but ATM
> we have everything in the cloud (azure) and it is so nearly impossible to get
> a setup (AD user principal and tomcat.keytab) from support, but I will check
> if I can further test at our customers site
>
> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more
> strict than the Tomcat 8 implementation was...
>
> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Tuesday 3 September 2019 14:27
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Hi.
> See below.
>
> On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:
>> Hello Alex,
>>
>> Thank you for the extensive answer.
>>
>> Q1: Are you sure that it is *exactly* the same
Re: SSO fails on Tomcat 9
Heidi,

I have the set of test VMs I used when first implementing this feature. They are the ones I used when I wrote:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

I'll fire them up, install 9.0.24, test and report back.

I have done a quick diff of the key classes between 9.0.x and 8.5.x and I don't see any changes that should cause problems.

Experience tells me I am going to spend more time getting the VMs updated with the latest patches (I don't turn them on that often) than I am going to spend testing. Don't be surprised if it takes until tomorrow for me to report back.

Mark

On 03/09/2019 17:38, Heidi Leerink - Duverger wrote:
> Hello Alex,
>
> This is the result of the nslookup:
>
> C:\Users\hduverge>nslookup nlsl-decadetest
> Server: nlsl-dccrp01p.corp.u4agr.com
> Address: 10.100.2.2
>
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest: Non-existent domain
>
> C:\Users\hduverge>
> C:\Users\hduverge>nslookup nlsl-decadetest.u4agr.com
> Server: nlsl-dccrp01p.corp.u4agr.com
> Address: 10.100.2.2
>
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest.u4agr.com: Non-existent domain
>
>> Q3: Is the PC where you are using the browser to test, also the same one where Tomcat is installed ?
>> (I am not sure that this type of authentication should work, if the same machine is at the same time the client and the server) In any case, it may be a good idea if you tested the same access, with a browser on another PC workstation.
>
> I test the SSO URL on my own desktop in Google Chrome and IE11, but if I test the URL in IE11 on the nls-decadetest it asks for a Windows login and then gives the same error as I get on my desktop.
>
> I think that it would be better to move this test to a real server, but ATM we have everything in the cloud (Azure) and it is so nearly impossible to get a setup (AD user principal and tomcat.keytab) from support, but I will check if I can further test at our customer's site.
>
> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more strict than the Tomcat 8 implementation was...
>
> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
> T +31 88 247 1444
> E heidi.duver...@unit4.com
>
> This message and any attachment(s) are intended only for the use of the named recipient and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If you are not the intended recipient, please notify the sender by return e-mail and delete this message from your system. Do not disclose the contents of this document to any other persons. Violation of this notice may be unlawful. Please note that internet communications are not secure and e-mails are susceptible to change. Thank you for your cooperation.
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Tuesday 3 September 2019 14:27
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Hi.
> See below.
>
> On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:
>> Hello Alex,
>>
>> Thank you for the extensive answer.
>>
>> Q1: Are you sure that it is *exactly* the same ?
>> Yes, the installation is done on the same PC with the same user principal for the Tomcat service to log in.
>> The Tomcat 8 service is stopped during the Tomcat 9 test.
>> We had the exact same problem when installing in a test environment at one of our customer sites. Most of our customers that are using SSO with our application are still using Tomcat 8 with no problems and all with the same SPNEGO config.
>> My colleague initially set up this Tomcat 9 installation using a few Tomcat 9 versions (.8, .20 and .24). I myself reinstalled and configured Tomcat 9.0.24 from scratch, with no success and always the same results.
>
> Q3: Is the PC where you are using the browser to test, also the same one where Tomcat is installed ?
> (I am not sure that this type of authentication should work, if the same machine is at the same time the client and the server) In any case, it may be a good idea if you tested the same access, with a browser on another PC workstation.
>
>> Q2: when "it does not work", does the browser popup a login dialog ?
>> Yes, I have seen that one, but not with the recent config.
>> Browser response :
>>
>> Google Chrome &
RE: SSO fails on Tomcat 9
Hello Alex,

This is the result of the nslookup:

C:\Users\hduverge>nslookup nlsl-decadetest
Server: nlsl-dccrp01p.corp.u4agr.com
Address: 10.100.2.2

*** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest: Non-existent domain

C:\Users\hduverge>
C:\Users\hduverge>nslookup nlsl-decadetest.u4agr.com
Server: nlsl-dccrp01p.corp.u4agr.com
Address: 10.100.2.2

*** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest.u4agr.com: Non-existent domain

> Q3: Is the PC where you are using the browser to test, also the same one where Tomcat is installed ?
> (I am not sure that this type of authentication should work, if the same machine is at the same time the client and the server) In any case, it may be a good idea if you tested the same access, with a browser on another PC workstation.

I test the SSO URL on my own desktop in Google Chrome and IE11, but if I test the URL in IE11 on the nls-decadetest it asks for a Windows login and then gives the same error as I get on my desktop.

I think that it would be better to move this test to a real server, but ATM we have everything in the cloud (Azure) and it is so nearly impossible to get a setup (AD user principal and tomcat.keytab) from support, but I will check if I can further test at our customer's site.

Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more strict than the Tomcat 8 implementation was...

Kind regards,
Heidi Leerink - Duverger
Technical Consultant

In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T +31 88 247 1444
E heidi.duver...@unit4.com

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Tuesday 3 September 2019 14:27
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Hi.
See below.

On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:
> Hello Alex,
>
> Thank you for the extensive answer.
>
> Q1: Are you sure that it is *exactly* the same ?
> Yes, the installation is done on the same PC with the same user principal for the Tomcat service to log in.
> The Tomcat 8 service is stopped during the Tomcat 9 test.
> We had the exact same problem when installing in a test environment at one of our customer sites. Most of our customers that are using SSO with our application are still using Tomcat 8 with no problems and all with the same SPNEGO config.
> My colleague initially set up this Tomcat 9 installation using a few Tomcat 9 versions (.8, .20 and .24). I myself reinstalled and configured Tomcat 9.0.24 from scratch, with no success and always the same results.

Q3: Is the PC where you are using the browser to test, also the same one where Tomcat is installed ?
(I am not sure that this type of authentication should work, if the same machine is at the same time the client and the server) In any case, it may be a good idea if you tested the same access, with a browser on another PC workstation.

> Q2: when "it does not work", does the browser popup a login dialog ?
> Yes, I have seen that one, but not with the recent config.
> Browser response :
>
> Google Chrome
> This site can't be reached. The webpage at http://nlsl-decadetst:8787/apex42a/ might be temporarily down or it may have moved permanently to a new web address.
> ERR_INVALID_RESPONSE
>
> Internet Explorer 11:
> Can't reach this page
> . Make sure the web address http://nlsl-decadetst:8787 is correct
> . Search for this site on Bing
> . Refresh the page
> More information
> The connection to the website was reset.
> Error Code: INET_E_DOWNLOAD_FAILURE
>

Both of the errors above indicate more a DNS or TCP issue, than a Tomcat or authentication issue.
(As shown, they indicate that the browser can either not find the server "nlsl-decadetst", or cannot make a TCP connection to "nlsl-decadetst:8787")
On the same workstation PC where you are doing these tests, can you
a) open a command window
b) enter : nslookup nlsl-decadetst
c) tell us what the response is ?
d) enter : nslookup nlsl-decadetst.u4agr.com
e) tell us what the response is ?

> (attachments: the most recent stderr and stdout)
>

Unfortunately, I am no Kerberos specialist a
Re: SSO fails on Tomcat 9
Hi.
See below.

On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:
> Hello Alex,
>
> Thank you for the extensive answer.
>
> Q1: Are you sure that it is *exactly* the same ?
> Yes, the installation is done on the same PC with the same user principal for the Tomcat service to log in.
> The Tomcat 8 service is stopped during the Tomcat 9 test.
> We had the exact same problem when installing in a test environment at one of our customer sites. Most of our customers that are using SSO with our application are still using Tomcat 8 with no problems and all with the same SPNEGO config.
> My colleague initially set up this Tomcat 9 installation using a few Tomcat 9 versions (.8, .20 and .24). I myself reinstalled and configured Tomcat 9.0.24 from scratch, with no success and always the same results.

Q3: Is the PC where you are using the browser to test, also the same one where Tomcat is installed ?
(I am not sure that this type of authentication should work, if the same machine is at the same time the client and the server) In any case, it may be a good idea if you tested the same access, with a browser on another PC workstation.

> Q2: when "it does not work", does the browser popup a login dialog ?
> Yes, I have seen that one, but not with the recent config.
> Browser response :
>
> Google Chrome
> This site can't be reached. The webpage at http://nlsl-decadetst:8787/apex42a/ might be temporarily down or it may have moved permanently to a new web address.
> ERR_INVALID_RESPONSE
>
> Internet Explorer 11:
> Can't reach this page
> . Make sure the web address http://nlsl-decadetst:8787 is correct
> . Search for this site on Bing
> . Refresh the page
> More information
> The connection to the website was reset.
> Error Code: INET_E_DOWNLOAD_FAILURE
>

Both of the errors above indicate more a DNS or TCP issue, than a Tomcat or authentication issue.
(As shown, they indicate that the browser can either not find the server "nlsl-decadetst", or cannot make a TCP connection to "nlsl-decadetst:8787")
On the same workstation PC where you are doing these tests, can you
a) open a command window
b) enter : nslookup nlsl-decadetst
c) tell us what the response is ?
d) enter : nslookup nlsl-decadetst.u4agr.com
e) tell us what the response is ?

> (attachments: the most recent stderr and stdout)
>

Unfortunately, I am no Kerberos specialist and cannot tell you what the messages in the log really mean.
But the following (from the stderr) should probably be investigated further :

>>>KRBError:
sTime is Tue Sep 03 11:47:29 CEST 2019 1567504049000
suSec is 329207
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/u4agr@u4agr.com
eData provided.
msgType is 30

That seems to indicate that something is not working as expected, at the Kerberos level.
Note : why it would work with Tomcat 8 and not with Tomcat 9 is still not clear to me, unless there have been some changes between the Tomcat 8 SPNEGO Valve and the Tomcat 9 SPNEGO Valve, or else maybe in terms of the Tomcat hostname considerations.

> I know of Fiddler2 but never used it before, I will try to set that up...
>
> Kind regards,
> Heidi Leerink - Duverger
> Technical Consultant
>
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
> T +31 88 247 1444
> E heidi.duver...@unit4.com
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Tuesday 3 September 2019 10:39
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
>
> Hello Heidi.
> Thank you for the complete information provided in your post below.
> I do not have any experience with the Tomcat SPNEGO Valve per se, but quite a bit of experience with Windows Integrated Authentication.
> To me, the symptoms that you describe below, do not really look like a problem at the Tomcat level, but more like a problem between the browser and the Windows authentication in general.
> See notes and questions in the text below.
>
> On 02.09.2019 12:35, Heidi Leerink - Duverger wrote:
>> We have the following problem with connecting from the Tomcat environment 9.0.24 with the Active Directory of Windows, Kerberos database. (win2008 DCs)
>>
>> In Tomcat's log files, with Tomcat 8, which gives no problems, it is connected to the Act
RE: SSO fails on Tomcat 9
Hello Alex,

Thank you for the extensive answer.

Q1: Are you sure that it is *exactly* the same ?
Yes, the installation is done on the same PC with the same user principal for the Tomcat service to log in.
The Tomcat 8 service is stopped during the Tomcat 9 test.
We had the exact same problem when installing in a test environment at one of our customer sites. Most of our customers that are using SSO with our application are still using Tomcat 8 with no problems and all with the same SPNEGO config.
My colleague initially set up this Tomcat 9 installation using a few Tomcat 9 versions (.8, .20 and .24). I myself reinstalled and configured Tomcat 9.0.24 from scratch, with no success and always the same results.

Q2: when "it does not work", does the browser popup a login dialog ?
Yes, I have seen that one, but not with the recent config.
Browser response :

Google Chrome
This site can't be reached. The webpage at http://nlsl-decadetst:8787/apex42a/ might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

Internet Explorer 11:
Can't reach this page
. Make sure the web address http://nlsl-decadetst:8787 is correct
. Search for this site on Bing
. Refresh the page
More information
The connection to the website was reset.
Error Code: INET_E_DOWNLOAD_FAILURE

(attachments: the most recent stderr and stdout)

I know of Fiddler2 but never used it before, I will try to set that up...

Kind regards,
Heidi Leerink - Duverger
Technical Consultant

In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T +31 88 247 1444
E heidi.duver...@unit4.com

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Tuesday 3 September 2019 10:39
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Hello Heidi.
Thank you for the complete information provided in your post below.
I do not have any experience with the Tomcat SPNEGO Valve per se, but quite a bit of experience with Windows Integrated Authentication.
To me, the symptoms that you describe below, do not really look like a problem at the Tomcat level, but more like a problem between the browser and the Windows authentication in general.
See notes and questions in the text below.

On 02.09.2019 12:35, Heidi Leerink - Duverger wrote:
> We have the following problem with connecting from the Tomcat environment 9.0.24 with the Active Directory of Windows, Kerberos database. (win2008 DCs)
>
> In Tomcat's log files, with Tomcat 8, which gives no problems, it is connected to the Active Directory.
>
> It indicates that a login attempt is made 3 times whether the person can log in with the Active Directory account.
>
> After that the login is accepted and qualified as successful.
>
> In Tomcat 9, different versions tried, also version 9.0.24, the control of 1 attempt becomes visible, which is successful. But then the check is stopped (not 3 times as Tomcat 8) and the connection is marked as unsuccessful.
>
> The environment for Tomcat 9 is the same as from Tomcat 8.

Q1: Are you sure that it is *exactly* the same ?
For example, do the Tomcat 8 installation, and the Tomcat 9 installation, run on the same server, and is the server *domain* the same in both cases ?

Q2: when "it does not work", does the browser popup a login dialog ?

Reason for the questions :
Typically, a successful Windows authentication consists of indeed 3 exchanges (what you say happens with Tomcat 8).
The first of these exchanges consists of the browser requesting the original URL.
The server then responds with a 401 response ("need authentication"), in which it indicates that it wants an authentication, of the SPNEGO type.
The browser then normally responds with a 2nd request for the same URL, containing a partial "Authorization:" header containing some encrypted token.
If the browser does NOT send this 2nd request, it indicates that *the browser refuses* to do an SPNEGO authentication in this case. And that happens when the browser does not think that the server "can be trusted" for doing SPNEGO authentication. The browser will not trust the server, if it thinks that the server is not in the same domain as itse
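The three-step exchange André describes, turned into a check that can be run over a browser-side capture. This is an added example, not code from the thread or from Tomcat: it reduces a Fiddler (or browser dev tools) capture to one record per request/response pair and reports where the Negotiate handshake stopped, and it looks inside the Authorization token to tell a Kerberos ticket from an NTLM fallback, since Tomcat's built-in SPNEGO authenticator handles only the former. The RoundTrip record, the sample tokens, the sample capture and the host names are constructed for illustration; the OIDs are the standard ones. Two things the helper makes visible on the thread's own data: the browser derives the SPN from the host in the URL, so http://nlsl-decadetst:8787/apex42a/ asks for HTTP/nlsl-decadetst unless DNS canonicalises that name to the FQDN in the keytab principal (HTTP/nlsl-decadetst.u4agr.com), and the nslookup output elsewhere in the thread was run for nlsl-decadetest, not for the nlsl-decadetst that appears in the URL and in the principal.

```python
"""Locate where a Negotiate (SPNEGO) handshake stopped; added example, not from the thread."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SPNEGO_OID = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2 (DER-encoded standard OIDs)
KRB5_OIDS = (bytes.fromhex("2a864886f712010202"),     # 1.2.840.113554.1.2.2 Kerberos V5
             bytes.fromhex("2a864882f712010202"))     # 1.2.840.48018.1.2.2 MS KRB5
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10 NTLM
NTLMSSP = b"NTLMSSP\x00"                              # signature of a raw NTLM message

@dataclass
class RoundTrip:                      # one request/response pair from a Fiddler-style capture
    request: Dict[str, str]           # request headers, canonical names ("Authorization")
    status: int
    response: Dict[str, str]          # response headers; repeated WWW-Authenticate comma-joined

def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def preferred_mechanism(raw: bytes) -> Optional[bytes]:
    """First OID in mechTypes of a NegTokenInit: the mechanism the client really used."""
    try:
        tag, body, _ = _tlv(raw, 0)                   # [APPLICATION 0] InitialContextToken
        otag, oid, pos = _tlv(body, 0)                # thisMech must be SPNEGO
        if (tag, otag, oid) != (0x60, 0x06, SPNEGO_OID):
            return None
        _, init, _ = _tlv(body, pos)                  # [0] NegTokenInit
        _, seq, _ = _tlv(init, 0)                     # SEQUENCE
        mtag, mech_types, _ = _tlv(seq, 0)            # [0] mechTypes
        _, oids, _ = _tlv(mech_types, 0)              # SEQUENCE OF OID
        ftag, first, _ = _tlv(oids, 0)
        return first if (mtag, ftag) == (0xA0, 0x06) else None
    except IndexError:
        return None

def token_mechanism(authorization: Optional[str]) -> str:
    """Classify the Authorization header the browser sent on its retry."""
    if not authorization:
        return "none"
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "negotiate":
        return scheme.lower()                         # "basic", "ntlm", ...
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "undecodable"
    if raw.startswith(NTLMSSP):
        return "ntlm"                                 # raw NTLM sent under the Negotiate scheme
    mech = preferred_mechanism(raw)
    if mech in KRB5_OIDS:
        return "kerberos"
    return "spnego-ntlm" if mech == NTLMSSP_OID else ("unknown" if mech is None else "spnego-other")

def diagnose(trace: List[RoundTrip]) -> Tuple[str, str]:
    """Return (code, explanation) for the point at which the three-step exchange stopped."""
    if not trace:
        return "no-traffic", "nothing reached the server: name resolution or TCP, not authentication"
    if trace[0].status != 401:
        return "no-challenge", f"first response was {trace[0].status}: URL is not behind the authenticator"
    offered = [c.strip().split(" ")[0].lower() for c in trace[0].response.get("WWW-Authenticate", "").split(",")]
    if "negotiate" not in offered:
        return "no-negotiate", f"401 offered {offered}: SPNEGO is not enabled for this URL"
    if len(trace) < 2:
        return "browser-declined", "no retry with Authorization: browser does not trust the host for integrated auth"
    mech = token_mechanism(trace[1].request.get("Authorization"))
    if mech == "basic":
        return "basic-fallback", "browser fell back to Basic (the login popup): same host-trust problem"
    if mech in ("ntlm", "spnego-ntlm"):
        return "ntlm-token", "browser sent NTLM, usually because it got no Kerberos ticket for the SPN; Tomcat's SPNEGO authenticator rejects it"
    if mech != "kerberos":
        return "odd-token", f"unexpected Authorization content: {mech}"
    if trace[1].status == 401:
        return "ticket-rejected", "Kerberos ticket presented but rejected: check SPN, keytab, kvno and enctypes on the server"
    return "success", f"Kerberos ticket accepted, server answered {trace[1].status}"

def expected_spn(url: str) -> str:
    """SPN the browser asks the KDC for before any DNS canonicalisation: HTTP/<url host>, no port."""
    return "HTTP/" + urlsplit(url).hostname.lower()

def keytab_covers(url: str, keytab_principal: str) -> bool:
    """Does the service/host part of the keytab principal match the SPN derived from the URL?"""
    return expected_spn(url).lower() == keytab_principal.split("@", 1)[0].lower()

def _der(tag: int, body: bytes) -> bytes:             # short-form lengths only (sample tokens)
    return bytes([tag, len(body)]) + body

def sample_neg_token_init(mech_oids: List[bytes], mech_token: bytes) -> bytes:   # constructed
    mech_types = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    token = _der(0xA2, _der(0x04, mech_token))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, _der(0x30, mech_types + token)))

def sample_trace(token: bytes, final_status: int) -> List[RoundTrip]:   # constructed capture
    authz = "Negotiate " + base64.b64encode(token).decode()
    return [RoundTrip({"Host": "nlsl-decadetst:8787"}, 401, {"WWW-Authenticate": "Negotiate"}),
            RoundTrip({"Host": "nlsl-decadetst:8787", "Authorization": authz}, final_status, {})]
```

A real capture is fed in as RoundTrip records in the order they were sent; diagnose() stops at the first step that deviates from the expected exchange, so the code it returns tells you which side to look at next (browser zone settings for browser-declined and basic-fallback, the SPN and ticket request on the client for ntlm-token, the keytab and Kerberos debug output on the server for ticket-rejected). A Windows client that lists Kerberos first in mechTypes but cannot get a service ticket will instead send NTLM, so the mechanism check is the quickest way to see which of the two cases you have.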
Re: SSO fails on Tomcat 9
Hello Heidi.
Thank you for the complete information provided in your post below.
I do not have any experience with the Tomcat SPNEGO Valve per se, but quite a bit of experience with Windows Integrated Authentication.
To me, the symptoms that you describe below, do not really look like a problem at the Tomcat level, but more like a problem between the browser and the Windows authentication in general.
See notes and questions in the text below.

On 02.09.2019 12:35, Heidi Leerink - Duverger wrote:
> We have the following problem with connecting from the Tomcat environment 9.0.24 with the Active Directory of Windows, Kerberos database. (win2008 DCs)
>
> In Tomcat's log files, with Tomcat 8, which gives no problems, it is connected to the Active Directory.
>
> It indicates that a login attempt is made 3 times whether the person can log in with the Active Directory account.
>
> After that the login is accepted and qualified as successful.
>
> In Tomcat 9, different versions tried, also version 9.0.24, the control of 1 attempt becomes visible, which is successful. But then the check is stopped (not 3 times as Tomcat 8) and the connection is marked as unsuccessful.
>
> The environment for Tomcat 9 is the same as from Tomcat 8.

Q1: Are you sure that it is *exactly* the same ?
For example, do the Tomcat 8 installation, and the Tomcat 9 installation, run on the same server, and is the server *domain* the same in both cases ?

Q2: when "it does not work", does the browser popup a login dialog ?

Reason for the questions :
Typically, a successful Windows authentication consists of indeed 3 exchanges (what you say happens with Tomcat 8).
The first of these exchanges consists of the browser requesting the original URL.
The server then responds with a 401 response ("need authentication"), in which it indicates that it wants an authentication, of the SPNEGO type.
The browser then normally responds with a 2nd request for the same URL, containing a partial "Authorization:" header containing some encrypted token.
If the browser does NOT send this 2nd request, it indicates that *the browser refuses* to do an SPNEGO authentication in this case. And that happens when the browser does not think that the server "can be trusted" for doing SPNEGO authentication. The browser will not trust the server, if it thinks that the server is not in the same domain as itself (unless you have manually added this server in the "trusted servers", at the browser level).

Q2: Usually, when the browser refuses to do a WIA authentication, it tries a Basic authentication instead, and this login dialog pops up. With Windows authentication, that is usually the first sign that something is not correct in the browser/server setup.
Note: I'm not saying that this IS your problem. But it is the first thing to verify, with WIA authentication.

To see this more clearly, you could try to install on the workstation, some software that allows you to trace the HTTP exchanges between the browser and the server (example : Fiddler2), and compare what happens with Tomcat 8 and Tomcat 9 (look at the HTTP headers for request/response).

> Windows 10 PRO
> Oracle database rdbms 11.203
> Apex 4.2.3.008
> Ords2019 - Oracle listener
> ojdbc6.jar
>
> Tried both Java versions:
>
> E:\java\jre64b\bin>java -version
> java version "1.8.0_202"
> Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
> Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)
>
> And
>
> E:\java\openjdk\bin>java -version
> openjdk version "11.0.1" 2018-10-16
> OpenJDK Runtime Environment 18.9 (build 11.0.1+13)
> OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)
>
> Tomcat 9.0.24 directory structure.
> ( log files in the attachments )
>
> e:\Tomcat9\
>
> \Cataline\localhost\apex42a.xml
> +++...+++
> +++...+++
>
> \conf\jaas.conf
> +++...+++
> APEX42A {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     principal="HTTP/nlsl-decadetst.u4agr@u4agr.com"
>     useKeyTab=true
>     keyTab="E:/Decade_appl/Tomcat9/conf/tomcat.keytab"
>     storeKey=true;
> };
> +++...+++
>
> \conf\krb5.ini
> +++...+++
> [libdefaults]
> default_realm= U4AGR.COM
> default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
> dns_lookup_kdc = true
> dns_lookup_relam = false
>
> [realms]
> U4AGR.COM = {
>     kdc = u4agr.com
>     default_domain = U4AGR.COM
> }
>
> [domain_realm]
> .u4agr.com= U4AGR.COM
> u4agr.com= U4AGR.COM
> +++...+++
>
> \conf\tomcat.keytab
> Creation statement for tomcat.keytab:
> ktpass /out c:\Temp\tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ HTTP/nlsl-decadetst.u4agr@u4agr.com /pass "D3cad3401" /kvno 0 -ptype KRB5_NT_PRINCIPAL
> ktpass /out c:\temp\1c-tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ HTTP/nlsl-decadetst.u4agr
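A consistency check over the krb5.ini and JAAS principal posted above, as an added example (not the thread's or Tomcat's code). The krb5 text inside the block is a constructed copy of the posted file, typo and spacing included, and the principal is written in the form the Tomcat Windows authentication how-to uses (HTTP/<fqdn>@REALM with an upper-case realm), which is an assumption about what the list archive mangled above. The block parses the krb5.ini format including the { } realm blocks, then flags keys the Kerberos config loaders silently ignore (the posted file has dns_lookup_relam where dns_lookup_realm is meant; harmless only because the default is already false), realm case and mapping mismatches, deprecated encryption types, and a service principal whose host part is not an FQDN or whose realm does not match. Two caveats on the posted material: the KRBError with error code 25 (KDC_ERR_PREAUTH_REQUIRED) is the KDC's routine demand for pre-authentication during the initial AS exchange and is normally answered by a second AS-REQ, so on its own it is not a failure; and the ktpass lines carry the service account's password in clear, so that credential has to be rotated now that it is on a public list, which also means regenerating the keytab with the new kvno.

```python
"""Consistency checks for a Tomcat SPNEGO setup (krb5.ini + JAAS principal); added example."""
from typing import Dict, List

# Constructed copy of the krb5.ini posted in the thread (typo and spacing kept as posted).
KRB5_INI = """\
[libdefaults]
default_realm= U4AGR.COM
default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
permitted_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
dns_lookup_kdc = true
dns_lookup_relam = false

[realms]
U4AGR.COM = {
    kdc = u4agr.com
    default_domain = U4AGR.COM
}

[domain_realm]
.u4agr.com= U4AGR.COM
u4agr.com= U4AGR.COM
"""
# Assumed form of the JAAS principal: HTTP/<fqdn>@REALM, as in the Tomcat Windows auth how-to.
JAAS_PRINCIPAL = "HTTP/nlsl-decadetst.u4agr.com@U4AGR.COM"

# Commonly used [libdefaults] keys (not exhaustive; extend for your site). Anything else is
# silently ignored by the Java and MIT config parsers, which is how a typo becomes a no-op.
LIBDEFAULTS_KEYS = {
    "default_realm", "default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes",
    "dns_lookup_kdc", "dns_lookup_realm", "forwardable", "proxiable", "ticket_lifetime",
    "renew_lifetime", "udp_preference_limit", "kdc_timeout", "max_retries", "clockskew",
    "default_keytab_name", "allow_weak_crypto", "canonicalize",
}
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5",
                 "des3-cbc-sha1", "des3-hmac-sha1"}

def parse_krb5(text: str) -> Dict[str, dict]:
    """Minimal parser for krb5.ini/krb5.conf: [sections], key = value, and { } sub-blocks."""
    sections: Dict[str, dict] = {}
    stack: List[dict] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                                    # start of a nested block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
        else:
            raise ValueError(f"unparseable krb5 line: {raw!r}")
    return sections

def check_config(krb5_text: str, jaas_principal: str) -> List[str]:
    """Return findings (empty list means nothing looked wrong) for a single-realm setup."""
    cfg = parse_krb5(krb5_text)
    lib = cfg.get("libdefaults", {})
    findings = [f"[libdefaults] unknown key '{k}' is ignored by the parser (typo?)"
                for k in sorted(set(lib) - LIBDEFAULTS_KEYS)]
    realm = lib.get("default_realm", "")
    if not realm:
        findings.append("[libdefaults] default_realm is missing")
    else:
        if realm != realm.upper():
            findings.append(f"default_realm '{realm}' is not upper case; realm names are case-sensitive")
        if realm not in cfg.get("realms", {}):
            findings.append(f"[realms] has no block for default_realm '{realm}'")
        for domain, mapped in cfg.get("domain_realm", {}).items():
            if mapped != realm:
                findings.append(f"[domain_realm] maps {domain} to '{mapped}', not to '{realm}'")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in lib.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"[libdefaults] {key} allows deprecated enctypes {weak}")
    service, _, princ_realm = jaas_principal.partition("@")
    if not service.startswith("HTTP/"):
        findings.append(f"JAAS principal '{jaas_principal}' is not an HTTP/<host> service principal")
    elif "." not in service:
        findings.append(f"JAAS principal '{service}' uses a short host name; use the FQDN the browser resolves")
    if realm and princ_realm != realm:
        findings.append(f"JAAS principal realm '{princ_realm}' differs from default_realm '{realm}' (case-sensitive)")
    return findings

if __name__ == "__main__":
    for finding in check_config(KRB5_INI, JAAS_PRINCIPAL):
        print("-", finding)
```

On the posted file the checker reports the dns_lookup_relam typo and rc4-hmac in all three enctype lists, and nothing else. If rc4-hmac is removed, the keytab must actually contain AES keys (ktpass /crypto AES256-SHA1 rather than the default) and the AD account must advertise AES in msDS-SupportedEncryptionTypes, otherwise the KDC issues service tickets in an enctype the keytab cannot decrypt and the handshake fails at the ticket-rejected step instead.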