Hi Matthias,

Please read this discussion:
https://lists.apache.org/thread.html/r9f3a2ea48f2e76f7c092ea2dc4caec7d15c86f7773281ef6c8cdb817%40%3Cusers.tomcat.apache.org%3E
<https://markmail.org/message/kmx6krqtduqma7jj>

The problem and a workaround are explained here:
https://lists.apache.org/thread.html/r3720861ca584c0b6794cb8bfffafa18fa67b514f3df47ce7ea5329ef%40%3Cusers.tomcat.apache.org%3E

Regards,
Martin

On Wed, Mar 4, 2020 at 9:20 AM Matthias Fechner <ide...@fechner.net> wrote:

> Dear all,
>
> as tomcat version 9.0.31 has some security fixes included I tried to do
> an upgrade.
> On the IIS tomcat connector version 1.2.46 is installed.
>
> As secret I use a 32 character long alphanumeric string, I name it here
> token.
> In the workers.properties I tried to define it on the load balancer
> line:
> worker.loadbalancer.secret=token
>
> And/or on each node:
> worker.node1.secret=token
> ...
> worker.node2.secret=token
>
> For the tomcat configuration I defined in server.xml the following AJP
> connector:
> <Connector protocol="AJP/1.3"
>            address="::"
>            port="8009"
>            tomcatAuthentication="false"
>            enableLookups="false"
>            secret="token"
>            redirectPort="8443" />
>
> But it does not work. It seems that tomcat does not answer here.
> If I downgrade to tomcat 9.0.29 it works without any problems.
>
> I started then wireshark and had a look into the traffic coming from the
> IIS.
> From IIS I see an AJP13 connection with the following content in "Apache
> JServ Protocol v1.3" part in wireshark:
> ...
> Sec-Fetch-User: ?1
> token
> INTERNAL\user
> Negotiate
> ...
>
> as the token is here included the secret configuration is maybe correct.
> The token is here equal to the token defined on IIS-tomcat-connector and
> the tomcat server.xml AJP definition.
> Tomcat is sending back a "0:RSP:SEND HEADERS:403 403"
>
> The IIS is doing authentication and is then just sending the user to
> tomcat.
>
> Regarding the documentation everything seems to be configured correctly,
> but it does not work.
> Could anyone help me here, please?
>
> --
> Thanks a lot
> Matthias