Re: Single Sign-On problems (SSO not the cause)

2010-08-16 Thread André Warnier

Carlton Whitmore wrote:
I just verified that the issue is not with SSO. I tested this by accessing the URL until I got "Page cannot be displayed" then I tried accessing https://myserver.advocacyinc.org:8443 and got the same thing. 


We're not doing any redirects from IIS. Could JCifs be tying up the system?
Any ideas? 
 

With respect, I think that you are getting quite a few things mixed up.

There are three different things altogether :
- User Authentication, here achieved (or not) at the Tomcat level by the jCIFS NtlmHttp 
filter.
- SSO, meaning Single-Sign-On, which means that the user needs to authenticate to the 
application (or system) only once, and can subsequently call one or more applications 
without having to login again.
Here, SSO is achieved indirectly by the jCIFS authentication, but that is only because 
this kind of authentication is implicitly carried over to the entire browser/server 
connection.
- and then there is SSL, which is implicated when you use the HTTPS protocol (which is 
really a HTTP conversation, but carried over an encrypted SSL link).  That implies that 
the data circulating between the browser and the server (and vice-versa) is encrypted. 
But in this case it has nothing to do with Authentication or SSO.


The 3 above things do "exist" in your case, but they do not really have much to do with 
one another.


And what you tried above does not "prove" anything.

Considering what you have told us so far, I believe that IIS has nothing to do with the 
problem, and neither does SSL/HTTPS.
I believe that your problem is at the jCIFS/NTLM Authentication level, but at this point 
this is more a hunch than a certainty.


To your question "Could JCifs be tying up the system?", my answer would be "yes, it could, 
very easily".


And the entire thing seems quite off-topic for this Tomcat users list (because the problem 
does not seem at this point to be linked to any Tomcat code, but more to the 
authentication side, which is code coming from somewhere else).
Unfortunately, I don't really know where to send you, because the jCIFS HTTP filter is no 
longer developed nor supported, and has not been for quite a few years.


I believe that the people which you should first contact on this are the vendor of your 
application, since after all your setup is their recommendation.
Maybe you should point out to them that they are recommending a solution which is by now 
outdated and no longer technically working; and ask them for an alternative recommendation.


Additional info :

Jespa (see www.ioplex.com) is the closest relative to the jCIFS filter.  It is also a 
servlet filter, which works (from the Tomcat point of view) much like the jCIFS filter.

You can download and test it for free.
But setting it up is not necessarily easy if you do not have some background knowledge of 
how NTLM authentication works in the first place.


I have not tried Waffle myself.  But Melinda who has, seems to have gotten her system to work 
with it in .. a short time, after spending many hours trying to do NTLM authentication in 
other ways.  From what I checked just now at waffle.codeplex.com, they even propose a 
servlet filter, which should make it all the easier for you to replace jCIFS.


From what I know (first-hand for Jespa, hearsay for Waffle) both will work with all 
versions of NTLM and all kinds of Windows workstations (including XP, Vista and W7).


Otherwise, try what I mentioned before : increase the log level of the jCIFS filter, and 
look in its logfile what it has to say about the failed authentications.
But this exercise may turn out to be quite pointless, as you should no longer be using 
this filter anyway.  Even if you fix your current issue, new ones are bound to appear as 
your workstations or servers get updated.



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Single Sign-On problems

2010-08-16 Thread Stewart, Kevin L. (GSFC-417.0)[CONSTELLATION SOFTWARE ENGINEERING]
Pid,

I can't seem to open any of your emails.  Outlook (with Entrust) says that they 
are encrypted but with invalid mime.


From: Pid [mailto:p...@pidster.com]
Sent: Monday, August 16, 2010 12:54 PM
To: Tomcat Users List
Subject: Re: Single Sign-On problems




Re: Single Sign-On problems

2010-08-16 Thread André Warnier

Carlton Whitmore wrote:

Andre,
The only reason I think it's Tomcat is because when we change the Tomcat version 
it seems to affect the speed of the application (Tomcat 7 runs very slow, but 
no SSO errors; Tomcat 6 runs fast, but SSO errors). We're using Active 
Directory to authenticate. I guess it could be SSL as well. I've changed the 
domain controller, but that didn't affect the issue. Here is the code we 
changed in the conf\web.xml file:
 
 

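    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>192.168.100.6</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>advocacyinc</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.username</param-name>
            <param-value>SQL_LegalFiles</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.password</param-name>
            <param-value>>password</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.lmCompatibility</param-name>
            <param-value>3</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>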


 


1) you do know that this NtlmHttpFilter is no longer developed or supported, and that it 
will never support NTLM v2 (as is standard with Windows Vista, 7 and later), right ?

You should be thinking about switching to Jespa or Waffle.

2) anyway, the jCIFS filter can do quite extensive logs of what it does (see 
jcifs.util.loglevel).  You could try using that and check what it is telling you about the 
failures.


3) when you mention "SSO failures", what do you mean exactly ? the browser popping up a 
builtin authentication dialog ? or something else ?
And is the above your standard operational configuration, or a simplified one you are just 
using for this test ?
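
Added example, not part of the original thread and not jCIFS code: point 1 above hinges on which NTLM variant the workstations actually send, so this Python script decodes the base64 token of an "Authorization: NTLM ..." header taken from a captured request and classifies the Type 3 response by the length of its NT response (24 bytes for NTLMv1, longer for NTLMv2). The function names are hypothetical and the sample messages built by build_type3 are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
EXTENDED_SESSION_SECURITY = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _buffer(msg, pos):
    """Return the bytes a (length, max length, offset) field descriptor points at."""
    length, _max, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def describe_ntlm_header(value):
    """Classify the NTLM message in an Authorization or WWW-Authenticate value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(token.strip(), validate=True)
    if len(msg) < 16 or not msg.startswith(SIGNATURE):
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type in (1, 2):  # negotiate (browser) or challenge (server)
        (flags,) = struct.unpack_from("<I", msg, 12 if msg_type == 1 else 20)
        return {"type": msg_type, "ess": bool(flags & EXTENDED_SESSION_SECURITY)}
    if msg_type != 3:
        raise ValueError("unknown NTLM message type %d" % msg_type)
    lm, nt = _buffer(msg, 12), _buffer(msg, 20)
    if len(nt) > 24:  # 16-byte proof plus a variable-length blob
        variant = "NTLMv2"
    elif len(nt) == 24 and len(lm) == 24 and lm[8:] == bytes(16):
        variant = "NTLMv1 + extended session security"  # LM field holds client nonce
    elif len(nt) == 24:
        variant = "NTLMv1"
    else:
        variant = "no NT response"
    return {"type": 3, "variant": variant, "nt_len": len(nt)}

def build_type3(lm, nt):
    """Constructed sample input: Type 3 message with empty name and key fields."""
    end = 64 + len(lm) + len(nt)
    fields = struct.pack("<HHI", len(lm), len(lm), 64)
    fields += struct.pack("<HHI", len(nt), len(nt), 64 + len(lm))
    fields += struct.pack("<HHI", 0, 0, end) * 4 + struct.pack("<I", 0)
    msg = SIGNATURE + struct.pack("<I", 3) + fields + lm + nt
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    print(describe_ntlm_header(build_type3(b"\x11" * 24, b"\x22" * 44)))
```

Run against the headers of a failing and a succeeding login, the reported variant shows whether the failures line up with clients that answer with NTLMv2.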







RE: Single Sign-On problems

2010-08-15 Thread Caldarale, Charles R
> From: Carlton Whitmore [mailto:cwhitm...@advocacyinc.org]
> Subject: RE: Single Sign-On problems
> 
> The server is running as a VM on Hyper-V R2. I've checked the CPU and
> disk access during these times and everything looks fine. We're using
> internal DNS servers so I don't think lookup resolution is an issue.

What's the guest OS?  If it's Linux (probably not, if you're using Hyper V), 
then you might see delays while /dev/random gathers entropy.

Time to take some thread dumps and see what's going on.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: Single Sign-On problems

2010-08-15 Thread Carlton Whitmore
Charles,
The server is running as a VM on Hyper-V R2. I've checked the CPU and disk 
access during these times and everything looks fine. We're using internal DNS 
servers so I don't think lookup resolution is an issue.
 
 
Carlton Whitmore
Systems Analyst
Advocacy, Inc.
http://www.advocacyinc.org
 
 
Advocacy, Inc. is a non-profit agency advocating for, protect and advance the 
legal, human and service rights of people with disabilities. If you would like 
to help our cause please choose the donate link on our website.



From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Sun 8/15/2010 9:07 PM
To: Tomcat Users List
Subject: RE: Single Sign-On problems



> From: Carlton Whitmore [mailto:cwhitm...@advocacyinc.org]
> Subject: RE: Single Sign-On problems
>
> Tomcat 7 runs very slow, but no SSO errors; Tomcat 6 runs
> fast, but SSO errors

Have you looked to see what's going on during the slowdown?  Is there high CPU 
usage, or perhaps swapping?

Is there a possibility that under Tomcat 7, DNS lookups are occurring (reverse 
or normal) that weren't going on with Tomcat 6?

 - Chuck





RE: Single Sign-On problems

2010-08-15 Thread Caldarale, Charles R
> From: Carlton Whitmore [mailto:cwhitm...@advocacyinc.org]
> Subject: RE: Single Sign-On problems
> 
> Tomcat 7 runs very slow, but no SSO errors; Tomcat 6 runs
> fast, but SSO errors

Have you looked to see what's going on during the slowdown?  Is there high CPU 
usage, or perhaps swapping?

Is there a possibility that under Tomcat 7, DNS lookups are occurring (reverse 
or normal) that weren't going on with Tomcat 6?

 - Chuck





RE: Single Sign-On problems

2010-08-15 Thread Carlton Whitmore
Andre,
The only reason I think it's Tomcat is because when we change the Tomcat version 
it seems to affect the speed of the application (Tomcat 7 runs very slow, but 
no SSO errors; Tomcat 6 runs fast, but SSO errors). We're using Active 
Directory to authenticate. I guess it could be SSL as well. I've changed the 
domain controller, but that didn't affect the issue. Here is the code we 
changed in the conf\web.xml file:
 
 
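    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <filter>
        <filter-name>NtlmHttpFilter</filter-name>
        <filter-class>jcifs.http.NtlmHttpFilter</filter-class>
        <init-param>
            <param-name>jcifs.http.domainController</param-name>
            <param-value>192.168.100.6</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.domain</param-name>
            <param-value>advocacyinc</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.username</param-name>
            <param-value>SQL_LegalFiles</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.client.password</param-name>
            <param-value>>password</param-value>
        </init-param>
        <init-param>
            <param-name>jcifs.smb.lmCompatibility</param-name>
            <param-value>3</param-value>
        </init-param>
    </filter>

    <filter-mapping>
        <filter-name>NtlmHttpFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>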


 
Carlton Whitmore
Systems Analyst
Advocacy, Inc.
http://www.advocacyinc.org
 
 



From: André Warnier [mailto:a...@ice-sa.com]
Sent: Sun 8/15/2010 11:45 AM
To: Tomcat Users List
Subject: Re: Single Sign-On problems



Carlton Whitmore wrote:
> We're running Windows 2008 R2, Tomcat 6, MS SQL 2005, JDK 6 update 20
> and authenticating using AD from Windows 2003 R2 server.
>
> 
>
> The application we're using causes intermittent single sign-on errors.
> We tried to upgrade to Tomcat 7 and the SSO errors went away, but the
> system was so slow it was unusable. Sometimes we get 8 SSO errors before
> we're able to use the system, but when it works it's very fast.
>
Would you mind specifying which SSO mechanism you are using where, and why you 
believe
that the problem is related to Tomcat ?




Re: Single Sign-On problems

2010-08-15 Thread Pid
On 15/08/2010 17:45, André Warnier wrote:
> Carlton Whitmore wrote:
>> We're running Windows 2008 R2, Tomcat 6, MS SQL 2005, JDK 6 update 20
>> and authenticating using AD from Windows 2003 R2 server.
>>
>>  
>>
>> The application we're using causes intermittent single sign-on errors.
>> We tried to upgrade to Tomcat 7 and the SSO errors went away, but the
>> system was so slow it was unusable. Sometimes we get 8 SSO errors before
>> we're able to use the system, but when it works it's very fast.
>>
> Would you mind specifying which SSO mechanism you are using where, and
> why you believe that the problem is related to Tomcat ?

... and how it can be fast and slow at the same time.


p



Re: Single Sign-On problems

2010-08-15 Thread André Warnier

Carlton Whitmore wrote:

We're running Windows 2008 R2, Tomcat 6, MS SQL 2005, JDK 6 update 20
and authenticating using AD from Windows 2003 R2 server.

 


The application we're using causes intermittent single sign-on errors.
We tried to upgrade to Tomcat 7 and the SSO errors went away, but the
system was so slow it was unusable. Sometimes we get 8 SSO errors before
we're able to use the system, but when it works it's very fast.

Would you mind specifying which SSO mechanism you are using where, and why you believe 
that the problem is related to Tomcat ?

