RE: SSO fails on Tomcat 9

2019-09-25 Thread Heidi Leerink - Duverger
Hello Mark,André,

No success on my side for SSO, I have installed 9.0.26 and changed the config 
according to this mail but no success.

Regards, Heidi Leerink - Duverger

-Oorspronkelijk bericht-
Van: Mark Thomas  
Verzonden: dinsdag 10 september 2019 18:07
Aan: users@tomcat.apache.org
Onderwerp: Re: SSO fails on Tomcat 9

On 10/09/2019 16:47, André Warnier (tomcat) wrote:
> On 10.09.2019 15:38, Mark Thomas wrote:
>> On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
>>> Hello Mark,
>>>
>>> That helps somewhat, my browser now shows the login page for our 
>>> application, BUT I do not get my username in HTTP variable 
>>> REMOTE_USER but the principal keytab related name.
>>>
>>> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM
>>
>> The Tomcat Authenticator takes care of validating the user. In the 
>> configuration you provided the JAASRealm is - effectively - 
>> (re-)validating the contents of the keytab file. That is why you see 
>> the keytab principal as the authenticated user.
>>
>> Try replacing the JAASRealm with the AuthenticatedUserRealm. 
>> Something
>> like:
>>
>>    >   allRolesMode="authOnly"
> 
> Mmm. That looks like a typo, likely to confuse this OP even more, no ?

Yep. Copy paste error. Should be:



Tx.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSO fails on Tomcat 9

2019-09-10 Thread Mark Thomas
On 10/09/2019 16:47, André Warnier (tomcat) wrote:
> On 10.09.2019 15:38, Mark Thomas wrote:
>> On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
>>> Hello Mark,
>>>
>>> That helps somewhat, my browser now shows the login page for our
>>> application, BUT I do not get my username in HTTP variable
>>> REMOTE_USER but the principal keytab related name.
>>>
>>> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM
>>
>> The Tomcat Authenticator takes care of validating the user. In the
>> configuration you provided the JAASRealm is - effectively -
>> (re-)validating the contents of the keytab file. That is why you see the
>> keytab principal as the authenticated user.
>>
>> Try replacing the JAASRealm with the AuthenticatedUserRealm. Something
>> like:
>>
>>    >   allRolesMode="authOnly"
> 
> Mmm. That looks like a typo, likely to confuse this OP even more, no ?

Yep. Copy paste error. Should be:



Tx.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSO fails on Tomcat 9

2019-09-10 Thread tomcat

On 10.09.2019 15:38, Mark Thomas wrote:

On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:

Hello Mark,

That helps somewhat, my browser now shows the login page for our application, 
BUT I do not get my username in HTTP variable REMOTE_USER but the principal 
keytab related name.

So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM


The Tomcat Authenticator takes care of validating the user. In the
configuration you provided the JAASRealm is - effectively -
(re-)validating the contents of the keytab file. That is why you see the
keytab principal as the authenticated user.

Try replacing the JAASRealm with the AuthenticatedUserRealm. Something like:

   

Mmm. That looks like a typo, likely to confuse this OP even more, no ?



Note: This Realm should *only* be used with Authenticators like
org.apache.catalina.authenticator.SpnegoAuthenticator that authenticate
the user since this Realm simply takes the information provided and
assumes it is valid.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSO fails on Tomcat 9

2019-09-10 Thread Mark Thomas
On 06/09/2019 13:20, Heidi Leerink - Duverger wrote:
> Hello Mark,
> 
> That helps somewhat, my browser now shows the login page for our application, 
> BUT I do not get my username in HTTP variable REMOTE_USER but the principal 
> keytab related name.
> 
> So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM

The Tomcat Authenticator takes care of validating the user. In the
configuration you provided the JAASRealm is - effectively -
(re-)validating the contents of the keytab file. That is why you see the
keytab principal as the authenticated user.

Try replacing the JAASRealm with the AuthenticatedUserRealm. Something like:

  

RE: SSO fails on Tomcat 9

2019-09-06 Thread Heidi Leerink - Duverger
Thank you André for this analysis, 
I am an Oracle developer and I understand most of the reasoning in you answer, 
but I need to chew on it for some time and seek help in our organization for 
Kerberos knowledge.

Our application first only had a database authentication and over time more and 
more customers required SSO.
So I configured Tomcat with Spnego based on an Oracle blog, and that worked 
fine in Tomcat 7 and 8. But now some customers want to upgrade to Tomcat 9
The application only uses the HTTP variable :REMOTE_USER to decide if there is 
a SSO configuration present and if so links the Windows user to an application 
user  and else de user has to login against the database to authenticate.

Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com
This message and any attachment(s) are intended only for the use of the named 
recipient and may contain information that is privileged, confidential or 
otherwise exempt from disclosure under applicable law. If you are not the 
intended recipient, please notify the sender by return e-mail and delete this 
message from your system. Do not disclose the contents of this document to any 
other persons. Violation of this notice may be unlawful. Please note that 
internet communications are not secure and e-mails are susceptible to change. 
Thank you for your cooperation.

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: vrijdag 6 september 2019 12:15
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Hi Heidi.

We have kind of a conundrum here :

- Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) 
authentication under both tomcat8 and tomcat9, using the standard instructions 
provided in the respective on-line tomcat documentation pages, and reported 
that it works in both cases.

- You report that your installation works with tomcat8, but not with tomcat9, 
and that you are using the same infrastructure and the same parameters in both 
cases.
(Someone else also reported a case with problems with tomcat9).

- The description of your problem (and the tomcat9 logfiles) seems to indicate 
a problem with the Kerberos "pre-authentication".
(These lines of the log :

 >>>KRBError:
...  error code is 25
 error Message is Additional pre-authentication required
)

And based on my own previous experience with Windows authentication in general 
(but not Kerberos), it is also my impression that your problem is at the 
Kerberos level, not really at the tomcat level.
I have looked for "Kerberos Additional pre-authentication required" in the www, 
and despite the fact that I do not really know Kerberos, it seems that the 
error message above indicates that your browser and the server cannot even 
agree between them, to actually start exchanging Kerberos tokens (keys) between 
them, to complete a Kerberos authentication.
(And that may be why you see a single 401 response in your logs, and why SPNEGO 
immediately concludes that the user is not authenticated).

(There are also lines in that logfile, which seem to hint at some DNS (name 
resolution) issue, but that may be a false alarm or a secondary issue).

One way to reconcile the above conflicting information, would be if for example 
some SPNEGO Valve parameter, in your configuration, would be unspecified and 
defaulting to some value in your case, and a different value in Mark's case.
(Or vice-versa, that you are specifying a value, and Mark is using the default, 
and the result is not the same.) Another possibility would be that the 
available (or default) encryption methods are different between tomcat8 and 
tomcat9 (or between different browsers), and that in your case and Mark's, the 
browser and the server arrive at different encryption choices and cannot agree 
on a common one.

It may be useful for you and Mark to compare in detail, the settings which you 
use for the SPNEGO Valve (and/or for encryption ?).

Another very vague (and maybe wrong) suspicion that I would have is based on 
some questions :
- does the tomcat hostname play a role in the Kerberos authentication ?
- if yes, does the SPNEGO Valve obtain this name via some 
".getServerName()"-like method, whose result may be different under tomcat8 and 
tomcat9 in some circumstances ?



On 05.09.2019 22:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
>
> I have spent a lot of time comparing both T8 and T9 installations on de 
> nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from 
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge 
> authenticated and in Tomcat 9 not authenticate

RE: SSO fails on Tomcat 9

2019-09-06 Thread Heidi Leerink - Duverger
Hello Mark,

That helps somewhat, my browser now shows the login page for our application, 
BUT I do not get my username in HTTP variable REMOTE_USER but the principal 
keytab related name.

So instead of hduverge I get HTTP/nlsl-decadetst.u4agr.com@U$AGR.COM

To be complete this I the keytab creation statement issued by our AD admin:

ktpass /out c:\Temp\tomcat.keytab /mapuser decade_sso...@u4agr.com /princ 
HTTP/nlsl-decadetst.u4agr@u4agr.com /pass "" /kvno 0 -ptype 
KRB5_NT_PRINCIPAL

Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com
This message and any attachment(s) are intended only for the use of the named 
recipient and may contain information that is privileged, confidential or 
otherwise exempt from disclosure under applicable law. If you are not the 
intended recipient, please notify the sender by return e-mail and delete this 
message from your system. Do not disclose the contents of this document to any 
other persons. Violation of this notice may be unlawful. Please note that 
internet communications are not secure and e-mails are susceptible to change. 
Thank you for your cooperation.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: vrijdag 6 september 2019 11:55
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

On 05/09/2019 21:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
> 
> I have spent a lot of time comparing both T8 and T9 installations on de 
> nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from 
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge 
> authenticated and in Tomcat 9 not authenticated.
> I'm lost now I have no ideas left where to look for differences or how to 
> find a solution for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

I took another look and I think the issue is with the JAASRealm configuration 
rather than with SPNEGO.

I think you have been caught out by this change:
https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Ftomcat%2Fcommit%2Fb5ca3e08b8cdd998e22f486293bca6b89e2644e3&data=01%7C01%7Cheidi.duverger%40unit4.com%7C1d4983f01ef74742b7fe08d732b03c7d%7Cee137cc45d4343cf9da5f75728b8d21f%7C1&sdata=oHIwRhtka1MiYOIAYg5okvI3BRC0IFNCWaE2oNR%2FZd4%3D&reserved=0

Try adding:

userClassNames="javax.security.auth.kerberos.KerberosPrincipal"

to your JAASRealm configuration in apex42a.xml

Mark


> 
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> 
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> 
> 
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands T  +31 88 247 1444 E  
> heidi.duver...@unit4.com This message and any attachment(s) are 
> intended only for the use of the named recipient and may contain information 
> that is privileged, confidential or otherwise exempt from disclosure under 
> applicable law. If you are not the intended recipient, please notify the 
> sender by return e-mail and delete this message from your system. Do not 
> disclose the contents of this document to any other persons. Violation of 
> this notice may be unlawful. Please note that internet communications are not 
> secure and e-mails are susceptible to change. Thank you for your cooperation.
> 
> -Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: woensdag 4 september 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
> 
> Heidi,
> 
> I have just completed the tests and SPNEGO works as expected with both Tomcat 
> 8.5.x and 9.0.x.
> 
> The test environment was as per:
> https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftomca
> t.apache.org%2Ftomcat-9.0-doc%2Fwindows-auth-howto.html&data=01%7C
> 01%7Cheidi.duverger%40unit4.com%7C1d4983f01ef74742b7fe08d732b03c7d%7Ce
> e137cc45d4343cf9da5f75728b8d21f%7C1&sdata=K4sjAdNob45pzLu6Y3TqQf6S
> nd%2BeKdzhwaEVhwSY37g%3D&reserved=0
> 
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest
>   patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
>   running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
>   9.0.24 (from the tag)
> 
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the 
> Tomcat instance

Re: SSO fails on Tomcat 9

2019-09-06 Thread tomcat

Hi Heidi.

We have kind of a conundrum here :

- Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) 
authentication under both tomcat8 and tomcat9, using the standard instructions provided in 
the respective on-line tomcat documentation pages, and reported that it works in both cases.


- You report that your installation works with tomcat8, but not with tomcat9, and that you 
are using the same infrastructure and the same parameters in both cases.

(Someone else also reported a case with problems with tomcat9).

- The description of your problem (and the tomcat9 logfiles) seems to indicate a problem 
with the Kerberos "pre-authentication".

(These lines of the log :

>>>KRBError:
...  error code is 25
 error Message is Additional pre-authentication required
)

And based on my own previous experience with Windows authentication in general (but not 
Kerberos), it is also my impression that your problem is at the Kerberos level, not really 
at the tomcat level.
I have looked for "Kerberos Additional pre-authentication required" in the www, and 
despite the fact that I do not really know Kerberos, it seems that the error message above 
indicates that your browser and the server cannot even agree between them, to actually 
start exchanging Kerberos tokens (keys) between them, to complete a Kerberos authentication.
(And that may be why you see a single 401 response in your logs, and why SPNEGO 
immediately concludes that the user is not authenticated).


(There are also lines in that logfile, which seem to hint at some DNS (name resolution) 
issue, but that may be a false alarm or a secondary issue).


One way to reconcile the above conflicting information, would be if for example some 
SPNEGO Valve parameter, in your configuration, would be unspecified and defaulting to some 
value in your case, and a different value in Mark's case.
(Or vice-versa, that you are specifying a value, and Mark is using the default, and the 
result is not the same.)
Another possibility would be that the available (or default) encryption methods are 
different between tomcat8 and tomcat9 (or between different browsers), and that in your 
case and Mark's, the browser and the server arrive at different encryption choices and 
cannot agree on a common one.


It may be useful for you and Mark to compare in detail, the settings which you use for the 
SPNEGO Valve (and/or for encryption ?).


Another very vague (and maybe wrong) suspicion that I would have is based on 
some questions :
- does the tomcat hostname play a role in the Kerberos authentication ?
- if yes, does the SPNEGO Valve obtain this name via some ".getServerName()"-like method, 
whose result may be different under tomcat8 and tomcat9 in some circumstances ?




On 05.09.2019 22:10, Heidi Leerink - Duverger wrote:

Hello Mark,

I have spent a lot of time comparing both T8 and T9 installations on de 
nsl-decadetst.u4agr.com PC.
Sorry but I can't find a major difference in the conf file, apart from 
differences Tomcat itself came with in the conf files.
The stdout is mainly the same and the stderr show in Tomcat 8 hduverge 
authenticated and in Tomcat 9 not authenticated.
I'm lost now I have no ideas left where to look for differences or how to find 
a solution for this major issue.
Attached once again the files from our Tomcat 8 and Tomcay 9 installation.

Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant

Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com
This message and any attachment(s) are intended only for the use of the named 
recipient and may contain information that is privileged, confidential or 
otherwise exempt from disclosure under applicable law. If you are not the 
intended recipient, please notify the sender by return e-mail and delete this 
message from your system. Do not disclose the contents of this document to any 
other persons. Violation of this notice may be unlawful. Please note that 
internet communications are not secure and e-mails are susceptible to change. 
Thank you for your cooperation.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: woensdag 4 september 2019 11:09
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Heidi,

I have just completed the tests and SPNEGO works as expected with both Tomcat 
8.5.x and 9.0.x.

The test environment was as per:
https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftomcat.apache.org%2Ftomcat-9.0-doc%2Fwindows-auth-howto.html&data=01%7C01%7Cheidi.duverger%40unit4.com%7Cc8223b9bd1f34f08008608d731178dde%7Cee137cc45d4343cf9da5f75728b8d21f%7C1&sdata=I%2BJLU837vV78VExqcHdf5Z5MYat2HDEPbNKvpsmq6%2FE%3D&reserved=0

with the following ch

Re: SSO fails on Tomcat 9

2019-09-06 Thread Mark Thomas
On 05/09/2019 21:10, Heidi Leerink - Duverger wrote:
> Hello Mark,
> 
> I have spent a lot of time comparing both T8 and T9 installations on de 
> nsl-decadetst.u4agr.com PC.
> Sorry but I can't find a major difference in the conf file, apart from 
> differences Tomcat itself came with in the conf files.
> The stdout is mainly the same and the stderr show in Tomcat 8 hduverge 
> authenticated and in Tomcat 9 not authenticated.
> I'm lost now I have no ideas left where to look for differences or how to 
> find a solution for this major issue.
> Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

I took another look and I think the issue is with the JAASRealm
configuration rather than with SPNEGO.

I think you have been caught out by this change:
https://github.com/apache/tomcat/commit/b5ca3e08b8cdd998e22f486293bca6b89e2644e3

Try adding:

userClassNames="javax.security.auth.kerberos.KerberosPrincipal"

to your JAASRealm configuration in apex42a.xml

Mark


> 
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> 
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> 
> 
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
> T  +31 88 247 1444
> E  heidi.duver...@unit4.com
> This message and any attachment(s) are intended only for the use of the named 
> recipient and may contain information that is privileged, confidential or 
> otherwise exempt from disclosure under applicable law. If you are not the 
> intended recipient, please notify the sender by return e-mail and delete this 
> message from your system. Do not disclose the contents of this document to 
> any other persons. Violation of this notice may be unlawful. Please note that 
> internet communications are not secure and e-mails are susceptible to change. 
> Thank you for your cooperation.
> 
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org] 
> Sent: woensdag 4 september 2019 11:09
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
> 
> Heidi,
> 
> I have just completed the tests and SPNEGO works as expected with both Tomcat 
> 8.5.x and 9.0.x.
> 
> The test environment was as per:
> https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftomcat.apache.org%2Ftomcat-9.0-doc%2Fwindows-auth-howto.html&data=01%7C01%7Cheidi.duverger%40unit4.com%7Cc8223b9bd1f34f08008608d731178dde%7Cee137cc45d4343cf9da5f75728b8d21f%7C1&sdata=I%2BJLU837vV78VExqcHdf5Z5MYat2HDEPbNKvpsmq6%2FE%3D&reserved=0
> 
> with the following changes:
> - Updated the Domain Controller and Tomcat instance with all the latest
>   patches from Windows update
> - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
>   running under both)
> - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
>   9.0.24 (from the tag)
> 
> The test environment uses separate CATALINA_HOME / CATALINA_BASE so the 
> Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical 
> while I vary the Tomcat binary (CATALINA_HOME) to use.
> 
> 
> It looks like there is something not quite right with the Tomcat 9 
> configuration.
> 
> You could try adding:
> 
> -Dsun.security.spnego.debug=true
> 
> in setenv.bat. That might provide some insight although I've had mixed 
> experience using that to debug SPNEGO issues in the past.
> 
> 
> 
>>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more 
>>> strict than the Tomcat 8 implementation was...
> I haven't found any evidence to support the above conclusion at this point. 
> All the evidence so far (diff of the relevant code and my own test 
> environment) points to a configuration difference in your Tomcat 9 
> installation.
> 
> You mentioned starting and stopping services. I wondered if the change of 
> default user from "Local System" to "Local Service" had triggered this issue 
> but that makes no difference.
> 
> Looking at your log files in more detail, I do notice a few things:
> 
> -Djava.security.krb5.ini=...
> 
> The above system property is incorrect. It should be:
> 
> -Djava.security.krb5.conf=...
> 
> It won't impact your environment because it appears to be set to the default. 
> This affects both Tomcat 8 and Tomcat 9.
> 
> The conf\krb5.ini does not specify the keytab file. In the config files in 
> the Tomcat docs this looks like:
> default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab
> 
> The debug logs for the authentication p

Re: SSO fails on Tomcat 9

2019-09-04 Thread Mark Thomas
Heidi,

I have just completed the tests and SPNEGO works as expected with both
Tomcat 8.5.x and 9.0.x.

The test environment was as per:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

with the following changes:
- Updated the Domain Controller and Tomcat instance with all the latest
  patches from Windows update
- Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
  running under both)
- Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
  9.0.24 (from the tag)

The test environment uses separate CATALINA_HOME / CATALINA_BASE so the
Tomcat instance configuration (CATALINA_BASE) is guaranteed to be
identical while I vary the Tomcat binary (CATALINA_HOME) to use.


It looks like there is something not quite right with the Tomcat 9
configuration.

You could try adding:

-Dsun.security.spnego.debug=true

in setenv.bat. That might provide some insight although I've had mixed
experience using that to debug SPNEGO issues in the past.



>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more 
>> strict than the Tomcat 8 implementation was...
I haven't found any evidence to support the above conclusion at this
point. All the evidence so far (diff of the relevant code and my own
test environment) points to a configuration difference in your Tomcat 9
installation.

You mentioned starting and stopping services. I wondered if the change
of default user from "Local System" to "Local Service" had triggered
this issue but that makes no difference.

Looking at your log files in more detail, I do notice a few things:

-Djava.security.krb5.ini=...

The above system property is incorrect. It should be:

-Djava.security.krb5.conf=...

It won't impact your environment because it appears to be set to the
default. This affects both Tomcat 8 and Tomcat 9.

The conf\krb5.ini does not specify the keytab file. In the config files
in the Tomcat docs this looks like:
default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab

The debug logs for the authentication processes look very different.
That strongly suggests that the configurations are not the same. I would
concentrated on comparing the configuration of the two systems.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: SSO fails on Tomcat 9

2019-09-03 Thread Heidi Leerink - Duverger
Thanks Mark!

Take your time, I have in a meeting tomorrow most part of the day...

Heidi

Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com
This message and any attachment(s) are intended only for the use of the named 
recipient and may contain information that is privileged, confidential or 
otherwise exempt from disclosure under applicable law. If you are not the 
intended recipient, please notify the sender by return e-mail and delete this 
message from your system. Do not disclose the contents of this document to any 
other persons. Violation of this notice may be unlawful. Please note that 
internet communications are not secure and e-mails are susceptible to change. 
Thank you for your cooperation.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: dinsdag 3 september 2019 20:31
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Heidi,

I have the set of test VMs I used when first implementing this feature.
They are the ones I used when I wrote:
https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftomcat.apache.org%2Ftomcat-9.0-doc%2Fwindows-auth-howto.html&data=01%7C01%7Cheidi.duverger%40unit4.com%7C4fd1fb493ccf40d2b02008d7309ce714%7Cee137cc45d4343cf9da5f75728b8d21f%7C1&sdata=Mro6GR3fy4X2cEpm0mbZBwszTt1jfHl7knJifFnKrao%3D&reserved=0

I'll fire them up, install 9.0.24, test and report back.

I have done a quick diff of the key classes between 9.0.x and 8.5.x and I don't 
see any changes that should cause problems.

Experience tells me I am going to spend more time getting the VMs updated with 
the latest patches (I don't turn them on that often) than I am going to spend 
testing. Don't be surprised if it takes until tomorrow for me to report back.

Mark


On 03/09/2019 17:38, Heidi Leerink - Duverger wrote:
>  Hello Alex,
> 
> This is the result of the nslookup:
> 
> C:\Users\hduverge>nslookup nlsl-decadetest
> Server:  nlsl-dccrp01p.corp.u4agr.com
> Address:  10.100.2.2
> 
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest: 
> Non-existent domain
> 
> C:\Users\hduverge>
> C:\Users\hduverge>nslookup nlsl-decadetest.u4agr.com
> Server:  nlsl-dccrp01p.corp.u4agr.com
> Address:  10.100.2.2
> 
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest.u4agr.com: 
> Non-existent domain
> 
>> Q3: Is the PC where you are using the browser to test, also the same one 
>> where Tomcat is installed ?
>> (I am not sure that this type of authentication should work, if the same 
>> machine is at the same time the client and the server) In any case, it may 
>> >be a good idea if you tested the same access, with a browser on another PC 
>> workstation.
> I test the SSO URL on my own desktop in Google chrome and IE11, but if I test 
> de URL in IE11 on de nls-decadetest it asks for a window login and then gives 
> the same error as I get on my desktop.
> 
> I think that it would be better to move this test to a real server , but ATM 
> we have everything in the cloud (azure) and it is so nearly impossible to get 
> a setup (AD user principal and tomcat.keytab) from support, but I will check 
> if I can further test at our customers site
> 
> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more 
> strict than the Tomcat 8 implementation was...
> 
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> 
> 
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands T  +31 88 247 1444 E  
> heidi.duver...@unit4.com This message and any attachment(s) are 
> intended only for the use of the named recipient and may contain information 
> that is privileged, confidential or otherwise exempt from disclosure under 
> applicable law. If you are not the intended recipient, please notify the 
> sender by return e-mail and delete this message from your system. Do not 
> disclose the contents of this document to any other persons. Violation of 
> this notice may be unlawful. Please note that internet communications are not 
> secure and e-mails are susceptible to change. Thank you for your cooperation.
> 
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: dinsdag 3 september 2019 14:27
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
> 
> Hi.
> See below.
> 
> On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:
>> Hello Alex,
>>
>> Thank you for the extensive answer.
>>
>> Q1: Are you sure that it is *exactly* the same 

Re: SSO fails on Tomcat 9

2019-09-03 Thread Mark Thomas
Heidi,

I have the set of test VMs I used when first implementing this feature.
They are the ones I used when I wrote:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

I'll fire them up, install 9.0.24, test and report back.

I have done a quick diff of the key classes between 9.0.x and 8.5.x and
I don't see any changes that should cause problems.

Experience tells me I am going to spend more time getting the VMs
updated with the latest patches (I don't turn them on that often) than I
am going to spend testing. Don't be surprised if it takes until tomorrow
for me to report back.

Mark


On 03/09/2019 17:38, Heidi Leerink - Duverger wrote:
>  Hello Alex,
> 
> This is the result of the nslookup:
> 
> C:\Users\hduverge>nslookup nlsl-decadetest
> Server:  nlsl-dccrp01p.corp.u4agr.com
> Address:  10.100.2.2
> 
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest: Non-existent 
> domain
> 
> C:\Users\hduverge>
> C:\Users\hduverge>nslookup nlsl-decadetest.u4agr.com
> Server:  nlsl-dccrp01p.corp.u4agr.com
> Address:  10.100.2.2
> 
> *** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest.u4agr.com: 
> Non-existent domain
> 
>> Q3: Is the PC where you are using the browser to test, also the same one 
>> where Tomcat is installed ?
>> (I am not sure that this type of authentication should work, if the same 
>> machine is at the same time the client and the server) In any case, it may 
>> >be a good idea if you tested the same access, with a browser on another PC 
>> workstation.
> I test the SSO URL on my own desktop in Google chrome and IE11, but if I test 
> de URL in IE11 on de nls-decadetest it asks for a window login and then gives 
> the same error as I get on my desktop.
> 
> I think that it would be better to move this test to a real server , but ATM 
> we have everything in the cloud (azure) and it is so nearly impossible to get 
> a setup (AD user principal and tomcat.keytab) from support, but I will check 
> if I can further test at our customers site
> 
> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more 
> strict than the Tomcat 8 implementation was...
> 
> Met vriendelijke groeten van
> Heidi Leerink - Duverger
> Technisch Consultant
> 
> 
> In business for people.
> Unit4 Business Software Netherlands B.V.
> Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
> T  +31 88 247 1444
> E  heidi.duver...@unit4.com
> This message and any attachment(s) are intended only for the use of the named 
> recipient and may contain information that is privileged, confidential or 
> otherwise exempt from disclosure under applicable law. If you are not the 
> intended recipient, please notify the sender by return e-mail and delete this 
> message from your system. Do not disclose the contents of this document to 
> any other persons. Violation of this notice may be unlawful. Please note that 
> internet communications are not secure and e-mails are susceptible to change. 
> Thank you for your cooperation.
> 
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
> Sent: dinsdag 3 september 2019 14:27
> To: users@tomcat.apache.org
> Subject: Re: SSO fails on Tomcat 9
> 
> Hi.
> See below.
> 
> On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:
>> Hello Alex,
>>
>> Thank you for the extensive answer.
>>
>> Q1: Are you sure that it is *exactly* the same ?
>> Yes the installation is done on the same PC with the same user principal for 
>> the Tomcat service to log in .
>> The Tomcat 8 service is stopped during the Tomcat 9 test.
>> We had the exact same problem when installing in a test environment at one 
>> of our Customer sites. Most of our customers that are using SSO with our 
>> application are still using Tomcat 8 with no problems and all with the same 
>> spnego config.
>> My colleague initially set up this Tomcat 9 installation using a few tomcat 
>> 9 versions ( .8 .20 and .24). I myself, reinstalled and configured Tomcat 
>> 9.024 from scratch, with no success and always the same results.
>>
> 
> Q3: Is the PC where you are using the browser to test, also the same one 
> where Tomcat is installed ?
> (I am not sure that this type of authentication should work, if the same 
> machine is at the same time the client and the server) In any case, it may be 
> a good idea if you tested the same access, with a browser on another PC 
> workstation.
> 
>> Q2: when "it does not work", does the browser popup a login dialog ?
>> Yes I have seen that one be not with the recent config.
>> Browser response :
>>
>> Google Chrome
&

RE: SSO fails on Tomcat 9

2019-09-03 Thread Heidi Leerink - Duverger
 Hello Alex,

This is the result of the nslookup:

C:\Users\hduverge>nslookup nlsl-decadetest
Server:  nlsl-dccrp01p.corp.u4agr.com
Address:  10.100.2.2

*** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest: Non-existent domain

C:\Users\hduverge>
C:\Users\hduverge>nslookup nlsl-decadetest.u4agr.com
Server:  nlsl-dccrp01p.corp.u4agr.com
Address:  10.100.2.2

*** nlsl-dccrp01p.corp.u4agr.com can't find nlsl-decadetest.u4agr.com: 
Non-existent domain

>Q3: Is the PC where you are using the browser to test, also the same one where 
>Tomcat is installed ?
>(I am not sure that this type of authentication should work, if the same 
>machine is at the same time the client and the server) In any case, it may >be 
>a good idea if you tested the same access, with a browser on another PC 
>workstation.
I test the SSO URL on my own desktop in Google chrome and IE11, but if I test 
de URL in IE11 on de nls-decadetest it asks for a window login and then gives 
the same error as I get on my desktop.

I think that it would be better to move this test to a real server , but ATM we 
have everything in the cloud (azure) and it is so nearly impossible to get a 
setup (AD user principal and tomcat.keytab) from support, but I will check if I 
can further test at our customers site

Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more 
strict than the Tomcat 8 implementation was...

Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com
This message and any attachment(s) are intended only for the use of the named 
recipient and may contain information that is privileged, confidential or 
otherwise exempt from disclosure under applicable law. If you are not the 
intended recipient, please notify the sender by return e-mail and delete this 
message from your system. Do not disclose the contents of this document to any 
other persons. Violation of this notice may be unlawful. Please note that 
internet communications are not secure and e-mails are susceptible to change. 
Thank you for your cooperation.

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: dinsdag 3 september 2019 14:27
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Hi.
See below.

On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:
> Hello Alex,
>
> Thank you for the extensive answer.
>
> Q1: Are you sure that it is *exactly* the same ?
> Yes the installation is done on the same PC with the same user principal for 
> the Tomcat service to log in .
> The Tomcat 8 service is stopped during the Tomcat 9 test.
> We had the exact same problem when installing in a test environment at one of 
> our Customer sites. Most of our customers that are using SSO with our 
> application are still using Tomcat 8 with no problems and all with the same 
> spnego config.
> My colleague initially set up this Tomcat 9 installation using a few tomcat 9 
> versions ( .8 .20 and .24). I myself, reinstalled and configured Tomcat 9.024 
> from scratch, with no success and always the same results.
>

Q3: Is the PC where you are using the browser to test, also the same one where 
Tomcat is installed ?
(I am not sure that this type of authentication should work, if the same 
machine is at the same time the client and the server) In any case, it may be a 
good idea if you tested the same access, with a browser on another PC 
workstation.

> Q2: when "it does not work", does the browser popup a login dialog ?
> Yes I have seen that one be not with the recent config.
> Browser response :
>
> Google Chrome
> This site can't be reachedThe webpage at http://nlsl-decadetst:8787/apex42a/ 
> might be temporarily down or it may have moved permanently to a new web 
> address.
> ERR_INVALID_RESPONSE
>
> Internet Explorer 11:
> Can't reach this page
> .Make sure the web address http://nlsl-decadetst:8787 is correct 
> .Search for this site on Bing .Refresh the page More information  More 
> information The connection to the website was reset.
> Error Code: INET_E_DOWNLOAD_FAILURE
>

Both of the errors above indicate more a DNS or TCP issue, than a tomcat or 
authentication issue.
(As shown, they indicate that the browser can either not find the server 
"nlsl-decadetst", or cannot make a TCP connection to "nlsl-decadetst:8787")

On the same workstation PC where you are doing these tests, can you
a) open a command window
b) enter : nslookup nlsl-decadetst
c) tell us what the response is ?
d) enter : nslookup nlsl-decadetst.u4agr.com
e) tell us what the response is ?

> (attachements the most recent stderr and stdout)
>

Unfortunately, I am no Kerberos specialist a

Re: SSO fails on Tomcat 9

2019-09-03 Thread tomcat

Hi.
See below.

On 03.09.2019 11:56, Heidi Leerink - Duverger wrote:

Hello Alex,

Thank you for the extensive answer.

Q1: Are you sure that it is *exactly* the same ?
Yes the installation is done on the same PC with the same user principal for 
the Tomcat service to log in .
The Tomcat 8 service is stopped during the Tomcat 9 test.
We had the exact same problem when installing in a test environment at one of 
our Customer sites. Most of our customers that are using SSO with our 
application are still using Tomcat 8 with no problems and all with the same 
spnego config.
My colleague initially set up this Tomcat 9 installation using a few tomcat 9 
versions ( .8 .20 and .24). I myself, reinstalled and configured Tomcat 9.024 
from scratch, with no success and always the same results.



Q3: Is the PC where you are using the browser to test, also the same one where Tomcat is 
installed ?
(I am not sure that this type of authentication should work, if the same machine is at the 
same time the client and the server)
In any case, it may be a good idea if you tested the same access, with a browser on 
another PC workstation.



Q2: when "it does not work", does the browser popup a login dialog ?
Yes I have seen that one be not with the recent config.
Browser response :

Google Chrome
This site can't be reachedThe webpage at http://nlsl-decadetst:8787/apex42a/ 
might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

Internet Explorer 11:
Can't reach this page
.Make sure the web address http://nlsl-decadetst:8787 is correct
.Search for this site on Bing
.Refresh the page
More information  More information
The connection to the website was reset.
Error Code: INET_E_DOWNLOAD_FAILURE



Both of the errors above indicate more a DNS or TCP issue, than a tomcat or authentication 
issue.
(As shown, they indicate that the browser can either not find the server "nlsl-decadetst", 
or cannot make a TCP connection to "nlsl-decadetst:8787")


On the same workstation PC where you are doing these tests, can you
a) open a command window
b) enter : nslookup nlsl-decadetst
c) tell us what the response is ?
d) enter : nslookup nlsl-decadetst.u4agr.com
e) tell us what the response is ?


(attachements the most recent stderr and stdout)



Unfortunately, I am no Kerberos specialist and cannot tell you what the messages in the 
log really mean.

But the following (from the stderr) should probably be investigated further :
>>>KRBError:
 sTime is Tue Sep 03 11:47:29 CEST 2019 1567504049000
 suSec is 329207
 error code is 25
 error Message is Additional pre-authentication required
 sname is krbtgt/u4agr@u4agr.com
 eData provided.
 msgType is 30

That seems to indicate that something is not working as expected, at the 
Kerberos level.


Note : why it would work with tomcat8 and not with tomcat9 is still not clear to me, 
unless there have been some changes between the tomcat8 SPNEGO Valve and the tomcat9 
SPNGEGO Valve, or else maybe in terms of the tomcat hostname considerations.




I know off Fiddler2 but never used it before, I will try to set that up...


Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com
This message and any attachment(s) are intended only for the use of the named 
recipient and may contain information that is privileged, confidential or 
otherwise exempt from disclosure under applicable law. If you are not the 
intended recipient, please notify the sender by return e-mail and delete this 
message from your system. Do not disclose the contents of this document to any 
other persons. Violation of this notice may be unlawful. Please note that 
internet communications are not secure and e-mails are susceptible to change. 
Thank you for your cooperation.

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: dinsdag 3 september 2019 10:39
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Hello Heidi.

Thank you for the complete information provided in your post below.

I do not have any experience with the Tomcat SPNEGO Valve per se, but quite a 
bit of experience with Windows Integrated Authentication.
To me, the symptoms that you describe below, do not really look like a problem 
at the Tomcat level, but more like a problem between the browser and the 
Windows authentication in general.

See notes and questions in the text below.

On 02.09.2019 12:35, Heidi Leerink - Duverger wrote:

We have the following problem with connecting from the tomcat
environment 9.024 with the Active Directory of Windows, Kerberos
database. (win2008 DC's)

In Tomcat's log files, with Tomcat8, which gives no problems, it is
connected to the Act

RE: SSO fails on Tomcat 9

2019-09-03 Thread Heidi Leerink - Duverger
Hello Alex,

Thank you for the extensive answer.

Q1: Are you sure that it is *exactly* the same ?
Yes the installation is done on the same PC with the same user principal for 
the Tomcat service to log in .
The Tomcat 8 service is stopped during the Tomcat 9 test.
We had the exact same problem when installing in a test environment at one of 
our Customer sites. Most of our customers that are using SSO with our 
application are still using Tomcat 8 with no problems and all with the same 
spnego config.
My colleague initially set up this Tomcat 9 installation using a few tomcat 9 
versions ( .8 .20 and .24). I myself, reinstalled and configured Tomcat 9.024 
from scratch, with no success and always the same results.

Q2: when "it does not work", does the browser popup a login dialog ?
Yes I have seen that one be not with the recent config.
Browser response :

Google Chrome
This site can't be reachedThe webpage at http://nlsl-decadetst:8787/apex42a/ 
might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE

Internet Explorer 11:
Can't reach this page
.Make sure the web address http://nlsl-decadetst:8787 is correct
.Search for this site on Bing
.Refresh the page
More information  More information   
The connection to the website was reset.
Error Code: INET_E_DOWNLOAD_FAILURE

(attachements the most recent stderr and stdout)


I know off Fiddler2 but never used it before, I will try to set that up...


Met vriendelijke groeten van
Heidi Leerink - Duverger
Technisch Consultant


In business for people.
Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com
This message and any attachment(s) are intended only for the use of the named 
recipient and may contain information that is privileged, confidential or 
otherwise exempt from disclosure under applicable law. If you are not the 
intended recipient, please notify the sender by return e-mail and delete this 
message from your system. Do not disclose the contents of this document to any 
other persons. Violation of this notice may be unlawful. Please note that 
internet communications are not secure and e-mails are susceptible to change. 
Thank you for your cooperation.

-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: dinsdag 3 september 2019 10:39
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Hello Heidi.

Thank you for the complete information provided in your post below.

I do not have any experience with the Tomcat SPNEGO Valve per se, but quite a 
bit of experience with Windows Integrated Authentication.
To me, the symptoms that you describe below, do not really look like a problem 
at the Tomcat level, but more like a problem between the browser and the 
Windows authentication in general.

See notes and questions in the text below.

On 02.09.2019 12:35, Heidi Leerink - Duverger wrote:
> We have the following problem with connecting from the tomcat 
> environment 9.024 with the Active Directory of Windows, Kerberos 
> database. (win2008 DC's)
>
> In Tomcat's log files, with Tomcat8, which gives no problems, it is 
> connected to the Active directory.
>
> It indicates that a login attempt is made 3 times whether the person 
> can log in with the Active directory account.
>
> After that the login is accepted and qualified as successful.
>
> In tomcat 9, different versions tried, also version 9.024, the control 
> of 1 attempt becomes visible,
>
> which is successful. But then the check is stopped (not 3 times as 
> Tomcat8) and the connection is marked as unsuccessful.
>
> The environment for Tomcat9 is the same as from Tomcat8.

Q1: Are you sure that it is *exactly* the same ?
For example, do the tomcat8 installation, and the tomcat9 installation, run on 
the same server, and is the server *domain* the same in both cases ?

Q2: when "it does not work", does the browser popup a login dialog ?

Reason for the questions :
Typically, a succesful Windows authentication consists of indeed 3 exchanges 
(what you say happens with tomcat8).
The first of these exchanges consists of the browser requesting the original 
URL.
The server then responds with a 401 response ("need authentication"), in which 
it indicates that it wants an authentication, of the SPNEGO type.
The browser then normally responds with a 2d request for the same URL, 
containing a partial "Authorization:" header containing some encrypted token.
If the browser does NOT send this 2d request, it indicates that *the browser 
refuses* to do an SPNEGO authentication in this case.
And that happens when the browser does not think that the server "can be 
trusted" for doing SPNEGO authentication.
The browser will not trust the server, if it thinks that the server is not in 
the same domain as itse

Re: SSO fails on Tomcat 9

2019-09-03 Thread tomcat

Hello Heidi.

Thank you for the complete information provided in your post below.

I do not have any experience with the Tomcat SPNEGO Valve per se, but quite a bit of 
experience with Windows Integrated Authentication.
To me, the symptoms that you describe below, do not really look like a problem at the 
Tomcat level, but more like a problem between the browser and the Windows authentication 
in general.


See notes and questions in the text below.

On 02.09.2019 12:35, Heidi Leerink - Duverger wrote:

We have the following problem with connecting from the tomcat environment 9.024 
with the
Active Directory of Windows, Kerberos database. (win2008 DC's)

In Tomcat's log files, with Tomcat8, which gives no problems, it is connected 
to the
Active directory.

It indicates that a login attempt is made 3 times whether the person can log in 
with the
Active directory account.

After that the login is accepted and qualified as successful.

In tomcat 9, different versions tried, also version 9.024, the control of 1 
attempt
becomes visible,

which is successful. But then the check is stopped (not 3 times as Tomcat8) and 
the
connection is marked as unsuccessful.

The environment for Tomcat9 is the same as from Tomcat8.


Q1: Are you sure that it is *exactly* the same ?
For example, do the tomcat8 installation, and the tomcat9 installation, run on the same 
server, and is the server *domain* the same in both cases ?


Q2: when "it does not work", does the browser popup a login dialog ?

Reason for the questions :
Typically, a succesful Windows authentication consists of indeed 3 exchanges (what you say 
happens with tomcat8).

The first of these exchanges consists of the browser requesting the original 
URL.
The server then responds with a 401 response ("need authentication"), in which it 
indicates that it wants an authentication, of the SPNEGO type.
The browser then normally responds with a 2d request for the same URL, containing a 
partial "Authorization:" header containing some encrypted token.
If the browser does NOT send this 2d request, it indicates that *the browser refuses* to 
do an SPNEGO authentication in this case.
And that happens when the browser does not think that the server "can be trusted" for 
doing SPNEGO authentication.
The browser will not trust the server, if it thinks that the server is not in the same 
domain as itself (unless you have manually added this server in the "trusted servers", at 
the browser level).


Q2: Usually, when the browser refuses to do a WIA authentication, it tries a Basic 
authentication instead, and this login dialog pops up.  With Windows authentication, that 
is usually the first sign that something is not correct in the browser/server setup.


Note: I'm not saying that this IS your problem. But it is the first thing to verify, with 
WIA authentication.


To see this more clearly, you could try to install on the workstation, some software that 
allows you to trace the HTTP exchanges between the browser and the server (example : 
Fiddler2), and compare what happens with tomcat8 and tomcat9 (look at the HTTP headers for 
request/response).




Windows 10 PRO

Oracle database rdbms 11.203

Apex 4.2.3.008

Ords2019 - Oracle listener

ojdbc6.jar

Tried both java versions:

E:\java\jre64b\bin>java -version

java version "1.8.0_202"

Java(TM) SE Runtime Environment (build 1.8.0_202-b08)

Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

And

E:\java\openjdk\bin>java -version

openjdk version "11.0.1" 2018-10-16

OpenJDK Runtime Environment 18.9 (build 11.0.1+13)

OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

Tomcat 9.024 directory structure.

( log files in the attachments )

e:\Tomcat9\

\Cataline\localhost\apex42a.xml

+++...+++





   

   



+++...+++

\conf\jaas.conf

+++...+++

APEX42A {

 com.sun.security.auth.module.Krb5LoginModule required

 doNotPrompt=true

 principal="HTTP/nlsl-decadetst.u4agr@u4agr.com"

 useKeyTab=true

 keyTab="E:/Decade_appl/Tomcat9/conf/tomcat.keytab"

 storeKey=true;

};

+++...+++

\conf\krb5.ini

+++...+++

[libdefaults]

  default_realm= U4AGR.COM

  default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96

  default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96

  permitted_enctypes   = rc4-hmac aes256-cts-hmac-sha1-96 
aes128-cts-hmac-sha1-96

  dns_lookup_kdc = true

  dns_lookup_relam = false

[realms]

  U4AGR.COM = {

 kdc = u4agr.com

 default_domain = U4AGR.COM

}

[domain_realm]

.u4agr.com= U4AGR.COM

u4agr.com= U4AGR.COM

+++...+++

\conf\tomcat.keytab

Creation statement for tomcat.keytab:

ktpass /out c:\Temp\tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ
HTTP/nlsl-decadetst.u4agr@u4agr.com /pass "D3cad3401" /kvno 0 -ptype 
KRB5_NT_PRINCIPAL

ktpass /out c:\temp\1c-tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ
HTTP/nlsl-decadetst.u4agr