Request: -------------------------------- GET / HTTP/1.1 Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== >>> The browser is trying to get a page, and it sends a Negotiate token (it's >>> short, so looks like NTLM). -------------------------------- Response: -------------------------------- HTTP/1.1 401 Unauthorized WWW-Authenticate: Negotiate WWW-Authenticate: NTLM -------------------------------- This already says that the token sent was invalid. The next conversation is just a repeat of that. It's invalid because the browser is not in the domain or because the user logged in doesn't have access to the server. It's possible that the Windows event viewer on the server has an actual error in the Security event log. -------------------------------- I would create a dummy website in IIS that has the same authentication mode (Windows Auth, Anonymous disabled) and make sure I can browse successfully to that page, first.
Melinda, I think you should hire some external help to fix this problem for you. There're a lot of moving parts. Maybe someone on this list could offer you to resolve this problem for a consulting fee. dB. @ dblock.org Moscow|Geneva|Seattle|New York -----Original Message----- From: Savoy, Melinda [mailto:melindasa...@texashealth.org] Sent: Friday, June 04, 2010 8:36 AM To: 'Tomcat Users List' Subject: RE: How can I get the user value in the request forwarded to my Tomcat in my Java app? Thanks Andre. Appreciate the explanation. I downloaded Fiddler as you suggested, and meant to send this in the earlier post. In the RAW HEADER I get the following when I enter this URL in my IE browser: http://scmisdev GET / HTTP/1.1 Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MS-RTC LM 8) Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: scmisdev Authorization: Negotiate TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAAAADw== In the AUTH window I see the following: No Proxy-Authenticate Header is present. WWW-Authenticate Header is present: Negotiate WWW-Authenticate Header is present: NTLM In the RAW window I see the following: HTTP/1.1 401 Unauthorized Content-Length: 1656 Content-Type: text/html Server: Microsoft-IIS/6.0 WWW-Authenticate: Negotiate WWW-Authenticate: NTLM Date: Fri, 04 Jun 2010 12:30:03 GMT Proxy-Support: Session-Based-Authentication <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd";> <HTML><HEAD><TITLE>You are not authorized to view this page</TITLE> <META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252"> <STYLE type="text/css"> BODY { font: 8pt/12pt verdana } H1 { font: 13pt/15pt verdana } H2 { font: 8pt/12pt verdana } A:link { color: red } A:visited { color: maroon } </STYLE> </HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD> <h1>You are not authorized to view this page</h1> You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept. <hr> <p>Please try the following:</p> <ul> <li>Contact the Web site administrator if you believe you should be able to view this directory or page.</li> <li>Click the <a href="javascript:location.reload()">Refresh</a> button to try again with different credentials.</li> </ul> <h2>HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.<br>Internet Information Services (IIS)</h2> <hr> <p>Technical Information (for support personnel)</p> <ul> <li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180";>Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>401</b>.</li> <li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr), and search for topics titled <b>About Security</b>, <b>Authentication</b>, and <b>About Custom Error Messages</b>.</li> </ul> </TD></TR></TABLE></BODY></HTML> Do you see anything here? I was about to call the engineer on our network staff that might be able to help me but what to ask this last question before I did that. Thanks again for all your help!!! -----Original Message----- From: André Warnier [mailto:a...@ice-sa.com] Sent: Friday, June 04, 2010 7:26 AM To: Tomcat Users List Subject: Re: How can I get the user value in the request forwarded to my Tomcat in my Java app? Savoy, Melinda wrote: > 2 - questions (just because I'm not knowledgeable about IP address or TCP/IP > ports etc or networking functionality). > > 1. Before moving to IIS, the Tomcat server was setup on port 80 but because > IIS uses port 80 the Tomcat server in the server.xml was changed to 8080. > Could this be the problem on why I'm getting the HTTP Error 401.2 - > Unauthorized: Access is denied due to server configuration. Internet > Information Services (IIS)? Ok, let's still try to process this one little bit at a time. Your Tomcat /can/ receive requests on two different ports, each of these ports being indicated and configured by a <Connector> element in server.xml. You have : - one Connector listening on port 8080. That Connector expects requests formatted as per the HTTP protocol. - one connector listening on port 8009. That Connector expects requests formatted as per the AJP protocol (as used by the Apache mod_jk module, or the IIS isapi_redirector module. It does not matter through which Connector a particular request comes in. The Connector will receive the request, and "translate" it into a common internal Tomcat format before passing it on to the rest of Tomcat. In other words, if you send the request from the browser to http://hostname:8080/request_url or you send the request to IIS on port 80, like http://hostname[:80]/request_url and IIS passes it to the isapi-redirector, which passes it to the AJP connector of Tomcat on port 8009, the final result is essentially the same, except for some details, and Tomcat will process the request the saqme way in both cases. BUT, the request which provokes the error message which you are mentioning above does not seem to even reach Tomcat : it looks like the error is generated by IIS, before it even thinks about forwarding this request (maybe) to Tomcat. So there seems to be something wrong at the level between the browser and IIS, or in the IIS authentication/authorisation level. > > 2. Per Andre, " So now the isapi redirector module knows that in order to > reach this Tomcat and pass the browser request to it, it need to establish a > TCP/IP connection to localhost on port 8009, and format the request according > to the specicifications of the AJP/1.3 protocol. > This protocol is a bit different from HTTP, so the /format/ in which the > isapi redirector passes the request to the Tomcat server is different from > the original HTTP request, but the /content/ of the request is the same." > > If the network I'm on does NOT recognize this port 8009 would that be > contributing to the HTTP Error 401.2? No. It would give another error. > > Thanks. > > -----Original Message----- > From: André Warnier [mailto:a...@ice-sa.com] > Sent: Thursday, June 03, 2010 4:22 PM > To: Tomcat Users List > Subject: Re: How can I get the user value in the request forwarded to my > Tomcat in my Java app? > > Hi. > > Now we're cooking ! > But by the way, now this is also OT for this list, because your problem > now seems to be between the browser and the webserver. > > First, please do the following : using Google, find the the IE plugin > named "Fiddler 2" and install it in your IE browser. > That is a plugin which will allow you to view all the exchanges between > the browser and the server (headers, errors, contents etc..). > > Second, check in the IE options that it is really allowed to use > "Integrated Windows Authentication". That is somewhere in the long list > of extended options. > > If you receive a login dialog when you try to access a resource under > IIS, it is because either one of these conditions : > > - the IIS server requests the browser to authenticate using a specific > method (e.g. NTLM), but the browser is not set up to do this and is > trying a Basic authentication. > > - the version of NTLM required by the server and the one supported by > the workstation are not compatible > > - your workstation is not logged into the same domain as the server > > - your workstation does not recognise the server as a "trusted" server > > Basically, if Integrated Windows Authentication was working, you should > never see this login popup. It should all happen automatically behind > the scenes. > > > > > > Savoy, Melinda wrote: >> I think I was finally able to TEST that my tomcat connector and its >> respective config files have been setup correctly. >> >> I think I have narrowed my problem to an IIS Directory Security ISSUE on >> jakarta. If anyone has run into this issue can you please respond to the >> following problem: >> >> In IIS I have the Default Web Site setup with: >> >> ISAPI Filters: jakarta and it points to C:\Server\Tomcat >> 6.0\bin\isapi_redirect.dll >> And the Directory Security is: Enable anonymous access (checked only) >> >> In IIS I have the jakarta virtual directory setup with: >> >> Where the local path is: C:\Server\Tomcat 6.0\bin >> And the Directory Security is: Integrated Windows authentication (checked >> only) >> >> The result I get in my IE browser is: >> >> You are not authorized to view this page >> You do not have permission to view this directory or page using the >> credentials that you supplied because your Web browser is sending a >> WWW-Authenticate header field that the Web server is not configured to >> accept. >> -------------------------------------------------------------------------------- >> >> Please try the following: >> >> Contact the Web site administrator if you believe you should be able to view >> this directory or page. >> Click the Refresh button to try again with different credentials. >> HTTP Error 401.2 - Unauthorized: Access is denied due to server >> configuration. >> Internet Information Services (IIS) >> >> But when I change the jakarta Directory Security to the following I am able >> to get to the ERROR.jsp page in my application on Tomcat: >> >> Directory Security changed to Anonymous access (checked only) >> >> The ERROR.jsp page comes up because I do not have a USER value in the >> request. It is empty as depicted from the isapi log: >> >> [Thu Jun 03 15:27:24.665 2010] [948:3148] [debug] jk_isapi_plugin.c (3108): >> Service protocol=HTTP/1.1 method=GET host=167.99.60.10 addr=167.99.60.10 >> name=scmisdev port=80 auth= user= uri=/pics/plus.jpg >> >> Any suggestions or direction on how I can remedy this issue would be >> appreciated. >> >> Thank you. >> >> >> -----Original Message----- >> From: Savoy, Melinda >> Sent: Thursday, June 03, 2010 12:53 PM >> To: 'Tomcat Users List' >> Subject: RE: How can I get the user value in the request forwarded to my >> Tomcat in my Java app? >> >> Let me try to answer Andre's questions below as well as communicate the >> results I got given the settings I have in the Windows 2003 server and ANY >> HELP or DIRECTION would be GREATLY APPRECIATED : >> >> I spoke to the guy who had setup our Tomcat server and he said that the >> SECOND HOST in our server.xml file was there to define the virtual host that >> is in our enterprise DNS (see settings below). The baseapp="scmisapp" which >> is a directory in our tomcat server: C:\Server\Tomcat 6.0\scmisapp >> >> I removed the SECOND virtual directory as you instructed and now I'm getting >> Windows login dialog boxes when trying to go the URL: http://scmisdev. >> >> If we could start from the following settings and if someone could let me >> know what I'm doing wrong to get the error (see below) I'm getting it would >> be greatly appreciated: >> >> Workers.properties file: >> >> worker.scmisWorker.type=ajp13 >> worker.scmisWorker.host=localhost (I'm not sure if this should match the >> host name="scmis" in my server.xml file or not) >> worker.scmisWorker.port=8009 >> >> uriworkermap.properties file: >> >> /scmisdev/*=scmisWorker (this matches the virtual host that we have defined >> in the enterprise DNS and what we use to get to this server via the URL in >> our browsers (IE) http://scmisdev ). >> >> Server.xml: >> >> <Host name="localhost" appBase="webapps" >> unpackWARs="false" autoDeploy="false" >> xmlValidation="false" xmlNamespaceAware="false"> >> >> <!-- SingleSignOn valve, share authentication between web >> applications >> Documentation at: /docs/config/valve.html --> >> <!-- >> <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> >> --> >> >> <!-- Access log processes all example. >> Documentation at: /docs/config/valve.html --> >> <!-- >> <Valve className="org.apache.catalina.valves.AccessLogValve" >> directory="logs" >> prefix="localhost_access_log." suffix=".txt" pattern="common" >> resolveHosts="false"/> >> --> >> </Host> >> >> <Host name="scmis" appBase="scmisapp" >> unpackWARs="true" autoDeploy="false" >> xmlValidation="false" xmlNamespaceAware="false"> >> >> <Alias>scmisdev</Alias> >> <Alias>scmisdev.texashealth.org</Alias> >> </Host> >> >> In IIS I have the Default Web Site setup with: >> >> ISAPI Filters: jakarta and it points to C:\Server\Tomcat >> 6.0\bin\isapi_redirect.dll >> And the Directory Security is: Enable anonymous access (checked only) >> >> In IIS I have the jakarta virtual directory setup with: >> >> Where the local path is: C:\Server\Tomcat 6.0\bin >> And the Directory Security is: Integrated Windows authentication (checked >> only) >> >> The result I get in my IE browser is: >> >> You are not authorized to view this page >> You do not have permission to view this directory or page using the >> credentials that you supplied because your Web browser is sending a >> WWW-Authenticate header field that the Web server is not configured to >> accept. >> -------------------------------------------------------------------------------- >> >> Please try the following: >> >> Contact the Web site administrator if you believe you should be able to view >> this directory or page. >> Click the Refresh button to try again with different credentials. >> HTTP Error 401.2 - Unauthorized: Access is denied due to server >> configuration. >> Internet Information Services (IIS) >> >> -------------------------------------------------------------------------------- >> >> Technical Information (for support personnel) >> >> Go to Microsoft Product Support Services and perform a title search for the >> words HTTP and 401. >> Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for >> topics titled About Security, Authentication, and About Custom Error >> Messages. >> >> -----Original Message----- >> From: Savoy, Melinda >> Sent: Wednesday, June 02, 2010 5:12 PM >> To: Tomcat Users List; Tomcat Users List >> Subject: RE: How can I get the user value in the request forwarded to my >> Tomcat in my Java app? >> >> Andre, >> >> First my apologies for forgetting my earlier setup within my Windows XP box >> and therefore as you say not learning what I had done previously. >> >> Second - this Windows 2003 server was already setup and the second host was >> created in order that the user could enter a URL of http://scmisdev and then >> get to the application which is how it has been working. >> >> In your comment: >> >> "It seems that you have not learned a lot, or forgotten what you >> previously learned. >> >> Why do you need this last "virtual directory" in IIS ? >> The "jakarta" virtual directory will already re-direct (or rather >> "proxy") all the calls to "/scmisdev/*" to Tomcat. >> You do not want IIS to go directly put its nose in the Tomcat >> directories. You want it to go through the isapi redirector for that, >> which you already do with the jakarta virtual directory setup." >> >> What do I put in the uriworkermap.properties file that redirects to where >> the JSP's are? The directory path in Tomcat as to where the app is located >> is: >> >> C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF >> >> You are correct that I'm probably mixing up 2 things but I'm trying retain >> all the info that you and Ranier have each given but sometimes it would >> appear to me to be confusing. >> >> Lastly, let me state again my apologies. It is NOT my intent to waste the >> time of you or anyone else on this list just trying to get some help. >> >> I will try again in the morning. >> >> Regards. >> >> >> ________________________________________ >> From: André Warnier [...@ice-sa.com] >> Sent: Wednesday, June 02, 2010 16:29 >> To: Tomcat Users List >> Subject: Re: How can I get the user value in the request forwarded to my >> Tomcat in my Java app? >> >> Savoy, Melinda wrote: >>> I finally got my Windows 2003 development box setup with the Tomcat >>> Connector and IIS 6.0. The following is my setup: >>> >>> In the server.xml file I have the following in the HOST element: >>> >>> <!-- Define the default virtual host >>> Note: XML Schema validation will not work with Xerces 2.2. >>> --> >>> <Host name="localhost" appBase="webapps" >>> unpackWARs="false" autoDeploy="false" >>> xmlValidation="false" xmlNamespaceAware="false"> >>> >>> <!-- SingleSignOn valve, share authentication between web >>> applications >>> Documentation at: /docs/config/valve.html --> >>> <!-- >>> <Valve className="org.apache.catalina.authenticator.SingleSignOn" /> >>> --> >>> >>> <!-- Access log processes all example. >>> Documentation at: /docs/config/valve.html --> >>> <!-- >>> <Valve className="org.apache.catalina.valves.AccessLogValve" >>> directory="logs" >>> prefix="localhost_access_log." suffix=".txt" >>> pattern="common" resolveHosts="false"/> >>> --> >>> >>> </Host> >>> >>> <Host name="scmisdev" appBase="scmisapp" >>> unpackWARs="true" autoDeploy="false" >>> xmlValidation="false" xmlNamespaceAware="false"> >>> >>> <Alias>scmisdev</Alias> >> not necessary, since this is already the hostname >> >>> <Alias>scmisdev.texashealth.org</Alias> >>> </Host> >> Why this second Host anyway ? >> >>> In my uriworkermap.properties file: >>> >>> /scmisdev/*=scmisWorker >>> /scmisdev/*.jsp=scmisWorker >>> /scmisdev/servlet/*=scmisWorker >> the first one covers the other 2, so why have them ? >> >>> In my workers.properties file: >>> >>> # workers.properties from = >>> http://onjava.com/pub/a/onjava/2002/12/18/tomcat.html >>> # >>> # This file provides minimal jk configuration properties needed to >>> # connect to Tomcat. >>> # >>> # The workers that jk should create and work with >>> >>> worker.list=scmisWorker >>> >>> # >>> # Defining a worker named ajp13w and of type ajp13 >>> # Note that the name and the type do not have to match. >>> # >>> worker.scmisWorker.port=8009 >>> worker.scmisWorker.host=localhost >>> worker.scmisWorker.type=ajp13 >>> >>> In IIS I have the Default Web Site setup with: >>> >>> ISAPI Filters: jakarta and it points to C:\Server\Tomcat >>> 6.0\bin\isapi_redirect.dll >>> And the Directory Security is: Enable anonymous access (checked only) >>> >>> In IIS I have the jakarta virtual directory setup with: >>> >>> Where the local path is: C:\Server\Tomcat 6.0\bin >>> And the Directory Security is: Integrated Windows authentication (checked >>> only) >>> >>> In IIS I have the scmisdev virtual directory setup with: >>> >>> Where the local path is: C:\Server\Tomcat 6.0\scmisapp\ROOT\WEB-INF >>> (points to WEB-INF directory) >>> And the Directory Security is: Integrated Windows authentication (checked >>> only) >> It seems that you have not learned a lot, or forgotten what you >> previously learned. >> >> Why do you need this last "virtual directory" in IIS ? >> The "jakarta" virtual directory will already re-direct (or rather >> "proxy") all the calls to "/scmisdev/*" to Tomcat. >> You do not want IIS to go directly put its nose in the Tomcat >> directories. You want it to go through the isapi redirector for that, >> which you already do with the jakarta virtual directory setup. >> >>> However my result when going to URL http://localhost/scmisdev is: >>> >>> HTTP Status 404 - /scmisdev/ >>> >>> Type Status report >>> >>> Message /scmisdev/ >>> >>> Description The requested resource (/scmisdev/) is not available. >>> >>> Any suggestions or direction would be greatly appreciated. >> Ok, what does this error page look like ? Does it look like a Tomcat >> error page ? >> >> Melinda, it seems that you are mixing two issues (again) : >> - the first is in the basic setup of IIS+Tomcat, and how to set things >> up so that the URLs which you are interested in are actually redirected >> to Tomcat in the proper way. >> - the second is, once the first one is working properly, to set things >> up so that IIS authenticates users which request these URLs, and that >> the isapi redirector forwards this authentication to Tomcat (which it >> does, by default). >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >> The information contained in this message and any attachments is intended >> only for the use of the individual or entity to which it is addressed, and >> may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from >> disclosure under applicable law. If you are not the intended recipient, you >> are prohibited from copying, distributing, or using the information. Please >> contact the sender immediately by return e-mail and delete the original >> message from your system. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >> The information contained in this message and any attachments is intended >> only for the use of the individual or entity to which it is addressed, and >> may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from >> disclosure under applicable law. If you are not the intended recipient, you >> are prohibited from copying, distributing, or using the information. Please >> contact the sender immediately by return e-mail and delete the original >> message from your system. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >> The information contained in this message and any attachments is intended >> only for the use of the individual or entity to which it is addressed, and >> may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from >> disclosure under applicable law. If you are not the intended recipient, you >> are prohibited from copying, distributing, or using the information. Please >> contact the sender immediately by return e-mail and delete the original >> message from your system. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >> The information contained in this message and any attachments is intended >> only for the use of the individual or entity to which it is addressed, and >> may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from >> disclosure under applicable law. If you are not the intended recipient, you >> are prohibited from copying, distributing, or using the information. Please >> contact the sender immediately by return e-mail and delete the original >> message from your system. >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > The information contained in this message and any attachments is intended > only for the use of the individual or entity to which it is addressed, and > may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from > disclosure under applicable law. If you are not the intended recipient, you > are prohibited from copying, distributing, or using the information. Please > contact the sender immediately by return e-mail and delete the original > message from your system. > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org The information contained in this message and any attachments is intended only for the use of the individual or entity to which it is addressed, and may contain information that is PRIVILEGED, CONFIDENTIAL, and exempt from disclosure under applicable law. If you are not the intended recipient, you are prohibited from copying, distributing, or using the information. Please contact the sender immediately by return e-mail and delete the original message from your system. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
