Hi Heidi.

We have kind of a conundrum here:

- Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) authentication under both tomcat8 and tomcat9, using the standard instructions provided in the respective on-line tomcat documentation pages, and reported that it works in both cases.

- You report that your installation works with tomcat8, but not with tomcat9, and that you are using the same infrastructure and the same parameters in both cases.
(Someone else also reported a case with problems with tomcat9).

- The description of your problem (and the tomcat9 logfiles) seems to indicate a problem with the Kerberos "pre-authentication".
(These lines of the log :

>>>KRBError:
...      error code is 25
         error Message is Additional pre-authentication required
)

And based on my own previous experience with Windows authentication in general (but not Kerberos), it is also my impression that your problem is at the Kerberos level, not really at the tomcat level. I have looked for "Kerberos Additional pre-authentication required" in the www, and despite the fact that I do not really know Kerberos, it seems that the error message above indicates that your browser and the server cannot even agree between them, to actually start exchanging Kerberos tokens (keys) between them, to complete a Kerberos authentication. (And that may be why you see a single 401 response in your logs, and why SPNEGO immediately concludes that the user is not authenticated).

(There are also lines in that logfile, which seem to hint at some DNS (name resolution) issue, but that may be a false alarm or a secondary issue).

One way to reconcile the above conflicting information, would be if for example some SPNEGO Valve parameter, in your configuration, would be unspecified and defaulting to some value in your case, and a different value in Mark's case. (Or vice-versa, that you are specifying a value, and Mark is using the default, and the result is not the same.) Another possibility would be that the available (or default) encryption methods are different between tomcat8 and tomcat9 (or between different browsers), and that in your case and Mark's, the browser and the server arrive at different encryption choices and cannot agree on a common one.

It may be useful for you and Mark to compare in detail the settings which you use for the SPNEGO Valve (and/or for encryption?).

Another very vague (and maybe wrong) suspicion that I would have is based on some questions:
- does the tomcat hostname play a role in the Kerberos authentication?
- if yes, does the SPNEGO Valve obtain this name via some ".getServerName()"-like method, whose result may be different under tomcat8 and tomcat9 in some circumstances?
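The log excerpt quoted above has the shape of the JDK's Kerberos debug output (enabled with -Dsun.security.krb5.debug=true). As an added example, not code from this thread or from Tomcat, here is a small triage script that pulls every KRBError block out of such a log, names the numeric code as RFC 4120 section 7.5.9 defines it, and says which block is worth chasing. The two log excerpts in it are constructed, not taken from the attached files. One fact worth keeping in mind when reading a 25: KDC_ERR_PREAUTH_REQUIRED is the KDC's normal answer to a first AS-REQ that carried no pre-authentication data; the JDK's Krb5LoginModule then retries with pre-authentication, so a lone 25 block is expected and the interesting question is what happened after it (a retry that cannot find a usable key, for instance because no keytab is configured, is where the real failure shows).

```python
import re
from typing import Dict, List, Optional

# Subset of the Kerberos error codes numbered in RFC 4120, section 7.5.9.
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client principal not in the KDC database
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # service principal (e.g. HTTP/host) not found
    14: "KDC_ERR_ETYPE_NOSUPP",         # no encryption type in common
    18: "KDC_ERR_CLIENT_REVOKED",       # account disabled or locked
    24: "KDC_ERR_PREAUTH_FAILED",       # pre-auth data rejected (wrong key/password)
    25: "KDC_ERR_PREAUTH_REQUIRED",     # KDC wants pre-auth; the client retries
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED",
    37: "KRB_AP_ERR_SKEW",              # clock skew between client and KDC
    41: "KRB_AP_ERR_MODIFIED",          # ticket not decryptable with the service key
}

BLOCK_START = ">>>KRBError:"
CODE_RE = re.compile(r"^\s*error code is (\d+)\s*$")
MSG_RE = re.compile(r"^\s*error Message is (.*?)\s*$")


def parse_krb_errors(log_text: str) -> List[Dict[str, object]]:
    """Return one dict (code, name, message) per '>>>KRBError:' block, in log order."""
    errors: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in log_text.splitlines():
        if line.strip() == BLOCK_START:
            current = {"code": None, "name": None, "message": None}
            errors.append(current)
            continue
        if current is None:
            continue
        m = CODE_RE.match(line)
        if m:
            code = int(m.group(1))
            current["code"] = code
            current["name"] = KRB_ERROR_CODES.get(code, "UNKNOWN")
            continue
        m = MSG_RE.match(line)
        if m:
            current["message"] = m.group(1)
    return errors


def triage(errors: List[Dict[str, object]]) -> str:
    """Summarise a KRBError sequence. Code 25 alone is the KDC asking for pre-auth,
    which the JDK client answers by retrying; any other code is a hard rejection."""
    if not errors:
        return "no KRBError blocks: the failure is not in the KDC exchange"
    hard = [e for e in errors if e["code"] != 25]
    if hard:
        e = hard[-1]
        return f"KDC rejected the request: {e['code']} {e['name']} ({e['message']})"
    return ("only KDC_ERR_PREAUTH_REQUIRED seen: the KDC asked for pre-authentication; "
            "check that the client retried (it needs a usable keytab or password) "
            "and what happened after the retry")


# Constructed excerpts in the shape of sun.security.krb5.debug output (not real logs).
SAMPLE_PREAUTH_ONLY = """\
>>> KrbAsReq creating message
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
>>> KrbAsReq creating message
"""

SAMPLE_PREAUTH_FAILED = """\
>>>KRBError:
         error code is 25
         error Message is Additional pre-authentication required
>>>KRBError:
         error code is 24
         error Message is Pre-authentication information was invalid
"""

if __name__ == "__main__":
    for name, sample in (("preauth-only", SAMPLE_PREAUTH_ONLY),
                         ("preauth-failed", SAMPLE_PREAUTH_FAILED)):
        print(name, "->", triage(parse_krb_errors(sample)))
```

Run it against the Tomcat 9 stderr: if the only block is a 25 the problem is in what follows the retry, and the keytab/JAAS side is the place to look; a 24 or 41 points at the key material, a 7 at the service principal name (which is where the hostname question above would show up).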



On 05.09.2019 22:10, Heidi Leerink - Duverger wrote:
Hello Mark,

I have spent a lot of time comparing both T8 and T9 installations on the nsl-decadetst.u4agr.com PC.
Sorry, but I can't find a major difference in the conf files, apart from differences Tomcat itself came with in the conf files.
The stdout is mostly the same, and the stderr shows hduverge authenticated in Tomcat 8 and not authenticated in Tomcat 9.
I'm lost now; I have no ideas left where to look for differences or how to find a solution for this major issue.
Attached once again the files from our Tomcat 8 and Tomcat 9 installation.

Kind regards,
Heidi Leerink - Duverger
Technical Consultant


Unit4 Business Software Netherlands B.V.
Papendorpseweg 100, 3710 BJ Utrecht, Netherlands
T  +31 88 247 1444
E  heidi.duver...@unit4.com

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Wednesday 4 September 2019 11:09
To: users@tomcat.apache.org
Subject: Re: SSO fails on Tomcat 9

Heidi,

I have just completed the tests and SPNEGO works as expected with both Tomcat 
8.5.x and 9.0.x.

The test environment was as per:
http://tomcat.apache.org/tomcat-9.0-doc/windows-auth-howto.html

with the following changes:
- Updated the Domain Controller and Tomcat instance with all the latest
   patches from Windows update
- Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat
   running under both)
- Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing),
   9.0.24 (from the tag)

The test environment uses separate CATALINA_HOME / CATALINA_BASE so the Tomcat 
instance configuration (CATALINA_BASE) is guaranteed to be identical while I 
vary the Tomcat binary (CATALINA_HOME) to use.


It looks like there is something not quite right with the Tomcat 9 
configuration.

You could try adding:

-Dsun.security.spnego.debug=true

in setenv.bat. That might provide some insight although I've had mixed 
experience using that to debug SPNEGO issues in the past.

<snip/>

Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more 
strict than the Tomcat 8 implementation was...
I haven't found any evidence to support the above conclusion at this point. All 
the evidence so far (diff of the relevant code and my own test environment) 
points to a configuration difference in your Tomcat 9 installation.

You mentioned starting and stopping services. I wondered if the change of default user from 
"Local System" to "Local Service" had triggered this issue but that makes no 
difference.

Looking at your log files in more detail, I do notice a few things:

-Djava.security.krb5.ini=...

The above system property is incorrect. It should be:

-Djava.security.krb5.conf=...

It won't impact your environment because it appears to be set to the default. 
This affects both Tomcat 8 and Tomcat 9.

The conf\krb5.ini does not specify the keytab file. In the config files in the 
Tomcat docs this looks like:
default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab

The debug logs for the authentication processes look very different.
That strongly suggests that the configurations are not the same. I would 
concentrate on comparing the configuration of the two systems.

Mark
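The two configuration findings in Mark's reply (a -Djava.security.krb5.ini property that the JVM does not know, and a krb5.ini whose [libdefaults] has no default_keytab_name) are the kind of thing a short check can catch before two sets of debug logs are compared by eye. The following is an added example, not code from Tomcat or from anyone in this thread. The setenv.bat lines and krb5.ini contents are constructed; the realm EXAMPLE.COM, the KDC host dc.example.com and the paths are placeholders. Beyond the two findings from the reply it also checks for -Djava.security.auth.login.config, which the windows-auth-howto sets next to the krb5 property, and for default_realm, the standard [libdefaults] key.

```python
import re
from typing import Dict, List

WRONG_KRB5_PROP = "java.security.krb5.ini"     # not a JVM property; silently ignored
RIGHT_KRB5_PROP = "java.security.krb5.conf"    # the property the JDK actually reads
LOGIN_CONF_PROP = "java.security.auth.login.config"


def parse_jvm_opts(setenv_text: str) -> Dict[str, str]:
    """Collect -Dname=value pairs from setenv.bat-style text (constructed input)."""
    opts: Dict[str, str] = {}
    for m in re.finditer(r"-D([A-Za-z0-9_.]+)=(\S+)", setenv_text):
        opts[m.group(1)] = m.group(2).strip('"')
    return opts


def parse_krb5_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for top-level relations. Lines inside { }
    blocks (per-realm settings under [realms]) are skipped; only [libdefaults]
    matters for the checks below."""
    sections: Dict[str, Dict[str, str]] = {}
    section = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            sections.setdefault(section, {})
            depth = 0
            continue
        if section is None:
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(0, depth - 1)
            continue
        if depth == 0 and "=" in line:
            key, value = line.split("=", 1)
            sections[section][key.strip()] = value.strip()
    return sections


def check_spnego_config(setenv_text: str, krb5_text: str) -> List[str]:
    """Return a list of findings; an empty list means the checks all passed."""
    findings: List[str] = []
    opts = parse_jvm_opts(setenv_text)
    if WRONG_KRB5_PROP in opts:
        findings.append(f"-D{WRONG_KRB5_PROP} is not a JVM property; use -D{RIGHT_KRB5_PROP}")
    elif RIGHT_KRB5_PROP not in opts:
        findings.append(f"-D{RIGHT_KRB5_PROP} not set; the JVM falls back to its default krb5 lookup")
    if LOGIN_CONF_PROP not in opts:
        findings.append(f"-D{LOGIN_CONF_PROP} not set; no JAAS login configuration for SPNEGO")
    libdefaults = parse_krb5_ini(krb5_text).get("libdefaults", {})
    if "default_realm" not in libdefaults:
        findings.append("krb5.ini [libdefaults] has no default_realm")
    keytab = libdefaults.get("default_keytab_name")
    if keytab is None:
        findings.append("krb5.ini [libdefaults] has no default_keytab_name "
                        "(the docs use e.g. FILE:C:\\apache-tomcat-9.0.x\\conf\\tomcat.keytab)")
    elif not keytab.upper().startswith("FILE:"):
        findings.append(f"default_keytab_name {keytab!r} lacks the FILE: prefix used in the docs")
    return findings


# Constructed inputs (placeholder paths, realm and hosts), not the attached files.
BAD_SETENV = r'''set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.ini=C:\apache-tomcat-9.0.x\conf\krb5.ini"
set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.auth.login.config=C:\apache-tomcat-9.0.x\conf\jaas.conf"
set "JAVA_OPTS=%JAVA_OPTS% -Dsun.security.krb5.debug=true"'''

GOOD_SETENV = BAD_SETENV.replace("-Djava.security.krb5.ini=", "-Djava.security.krb5.conf=")

BAD_KRB5 = r"""[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes128-cts-hmac-sha1-96
forwardable = true

[realms]
EXAMPLE.COM = {
    kdc = dc.example.com:88
    admin_server = dc.example.com:749
}

[domain_realm]
.example.com = EXAMPLE.COM"""

GOOD_KRB5 = BAD_KRB5.replace(
    "[libdefaults]\n",
    "[libdefaults]\ndefault_keytab_name = FILE:C:\\apache-tomcat-9.0.x\\conf\\tomcat.keytab\n", 1)

if __name__ == "__main__":
    print("bad: ", check_spnego_config(BAD_SETENV, BAD_KRB5))
    print("good:", check_spnego_config(GOOD_SETENV, GOOD_KRB5))
```

Pointing the two parsers at the real CATALINA_BASE\bin\setenv.bat and conf\krb5.ini of the Tomcat 8 and Tomcat 9 instances gives a diff of the settings that matter to SPNEGO rather than of whole files, which is the comparison Mark asks for.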

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



