Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Hi Mark,

Today I finally managed to solve the problem.
The problem was due to the fact that Windows Authentication was enabled only at the level of the "s2wweb" virtual folder and not at the level of the "Jackarta Connector" virtual folder (at the same level as "s2wweb").

Thanks for the support and sorry for the mistake.

Paolo
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

On 19/07/2021 10:20, Mark Thomas wrote:
> How did you create the s2wweb virtual directory? Please provide exact
> steps. Was it created under the test site or under the jakarta virtual
> directory?
>
> To be honest, I am far from convinced that I have recreated your
> configuration. Receiving the configuration bit by bit and ambiguities in
> the information received (is the test site configured for anon
> authentication, windows authentication or both?) makes me think at least
> one key bit of information is missing.
>
> Can you provide the complete set of steps required to configure a clean
> IIS 10 install to recreate this issue?

I have also been trying to recreate your IIS 6.1 setup without success. Which versions are you using for:
- operating system
- ISAPI connector
- Tomcat ?

And, similarly to above, what are the steps to recreate your test setup from a clean IIS install?

Mark
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

On 13/07/2021 16:35, Paolo Clerici wrote:
>> I don't see any ISAPI redirector set up there. I was expecting to see
>> something like the steps described here:
>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> Yes, if I have not missed something, I think I have done everything
> that is written in the document.
> The only differences are that there are two sites "prod" and "test" so
> the only differences for "test" are:
> 1) Dll folder: C:\Apache Software Foundation\Jakarta Isapi Redirector\test\bin
> 2) ISAPI filter name: "Jakarta Connector test" (not "tomcat")
>
> isapi_redirect.properties file content:
> extension_uri=/jakarta/isapi_redirect.dll
> log_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\log\mod_jk.log
> log_level=warn
> worker_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\workers.properties
> worker_mount_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\uriworkermap.properties
>
> workers.properties file content:
> worker.list=dgroupnex02,dgroupnex01
> worker.dgroupnex02.type=ajp13
> worker.dgroupnex02.host=10.1.2.93
> worker.dgroupnex02.port=8009
> worker.dgroupnex01.type=ajp13
> worker.dgroupnex01.host=10.1.2.39
> worker.dgroupnex01.port=8009
>
> uriworkermap.properties file content:
> /S2W/*=dgroupnex02
> /s2wweb/*=dgroupnex01
> /websat/*=dgroupnex02
>
> I would like to tell you that ISAPI redirection of all virtual folders
> works perfectly. The only thing that doesn't work is sending the
> authorization type and user from IIS to Tomcat.
> The only application that needs this functionality is "s2wweb".

How did you create the s2wweb virtual directory? Please provide exact steps. Was it created under the test site or under the jakarta virtual directory?

To be honest, I am far from convinced that I have recreated your configuration. Receiving the configuration bit by bit and ambiguities in the information received (is the test site configured for anon authentication, windows authentication or both?) makes me think at least one key bit of information is missing.

Can you provide the complete set of steps required to configure a clean IIS 10 install to recreate this issue?

Mark
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

> Sorry, I haven't read the whole thread, but a basic question :
> In the tomcat AJP Connector configuration, is "tomcatAuthentication" set to
> "no" ?

tomcatAuthentication is disabled (see configuration below)
The same Tomcat instance with an IIS 6.1 as a reverse proxy works fine.

Thanks,
Paolo
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Sorry, I haven't read the whole thread, but a basic question :
In the tomcat AJP Connector configuration, is "tomcatAuthentication" set to "no" ?
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Common_Attributes
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

> I don't see any ISAPI redirector set up there. I was expecting to see
> something like the steps described here:
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Yes, if I have not missed something, I think I have done everything that is written in the document.
The only differences are that there are two sites "prod" and "test" so the only differences for "test" are:
1) Dll folder: C:\Apache Software Foundation\Jakarta Isapi Redirector\test\bin
2) ISAPI filter name: "Jakarta Connector test" (not "tomcat")

isapi_redirect.properties file content:
extension_uri=/jakarta/isapi_redirect.dll
log_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\log\mod_jk.log
log_level=warn
worker_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\workers.properties
worker_mount_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\uriworkermap.properties

workers.properties file content:
worker.list=dgroupnex02,dgroupnex01
worker.dgroupnex02.type=ajp13
worker.dgroupnex02.host=10.1.2.93
worker.dgroupnex02.port=8009
worker.dgroupnex01.type=ajp13
worker.dgroupnex01.host=10.1.2.39
worker.dgroupnex01.port=8009

uriworkermap.properties file content:
/S2W/*=dgroupnex02
/s2wweb/*=dgroupnex01
/websat/*=dgroupnex02

I would like to tell you that ISAPI redirection of all virtual folders works perfectly. The only thing that doesn't work is sending the authorization type and user from IIS to Tomcat.
The only application that needs this functionality is "s2wweb".

Thanks,
Paolo
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

On 13/07/2021 12:29, Paolo Clerici wrote:
> Hi Mark,
>
>> How did you set up the s2wweb virtual directory?
> Physical Path: C:\Apache Software Foundation\virtual\test\s2wweb
> Physical Path Credential: blank
> Physical Path Credential Logon Type: Clear Text
> Virtual Path: /s2wweb
> Pass-through authentication: / Connect As: / Path credentials:
> Application user (pass-through authentication)

I don't see any ISAPI redirector set up there. I was expecting to see something like the steps described here:

http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Mark
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Hi Mark,

> How did you set up the s2wweb virtual directory?
Physical Path: C:\Apache Software Foundation\virtual\test\s2wweb
Physical Path Credential: blank
Physical Path Credential Logon Type: Clear Text
Virtual Path: /s2wweb
Pass-through authentication: / Connect As: / Path credentials: Application user (pass-through authentication)

Thanks,
Paolo
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

On 13/07/2021 08:49, Paolo Clerici wrote:
> Hi Mark,
>
>> Are you connecting from a machine that isn't part of the Windows AD?
> I have tried both from PCs connected to AD and from PCs not connected to AD.
>
>> Normally, I'd expect authentication to work without any password prompt.
> If I connect from PC AD I am not asked for credentials (correct). If I
> connect from a non-AD PC I am prompted for credentials (correctly).
> The credential check is done correctly by IIS.
>
>> Are any other authentication mechanisms enabled?
> For virtual directory "s2wweb" only "Windows Authentication" is
> enabled ("Anonymous Authentication" is disabled). For site "test" is
> enabled "Anonymous Authentication".
>
>> Are your two test machines (working and not working) connecting to the
>> same Tomcat instance (and on the same port)?
> Yes.
> Current IIS server needs to be migrated to a new IIS server. The
> current server (Windows Server 2008 R2 with IIS 6.1) is connected to
> the same Tomcat server (another Windows Server 2008 R2 with Tomcat
> 7.0) on the same port (8009).

Again, testing a similar setup locally works as expected. The authenticated Windows user name is passed to Tomcat.

How did you set up the s2wweb virtual directory?

Mark
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Hi Mark,

> Are you connecting from a machine that isn't part of the Windows AD?
I have tried both from PCs connected to AD and from PCs not connected to AD.

> Normally, I'd expect authentication to work without any password prompt.
If I connect from PC AD I am not asked for credentials (correct). If I connect from a non-AD PC I am prompted for credentials (correctly).
The credential check is done correctly by IIS.

> Are any other authentication mechanisms enabled?
For virtual directory "s2wweb" only "Windows Authentication" is enabled ("Anonymous Authentication" is disabled). For site "test" is enabled "Anonymous Authentication".

> Are your two test machines (working and not working) connecting to the
> same Tomcat instance (and on the same port)?
Yes.
Current IIS server needs to be migrated to a new IIS server. The current server (Windows Server 2008 R2 with IIS 6.1) is connected to the same Tomcat server (another Windows Server 2008 R2 with Tomcat 7.0) on the same port (8009).

Thank you very much,
Paolo
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

On 12/07/2021 07:21, Paolo Clerici wrote:
> Hi Mark,
> 1) Start the Internet Information Services (IIS) Manager.
> 2) Locate and select site "test" in the IIS tree.
> 3) Double-click the Authentication icon.
> 4) Select Windows Authentication.
> 5) Click Enable in the Actions menu.
> 6) Restart IIS
>
> When I request the resource "https://qa-b2b.dasitgroup.it/s2wweb/" I
> am asked for my Windows credentials.

Are you connecting from a machine that isn't part of the Windows AD? Normally, I'd expect authentication to work without any password prompt.

Are any other authentication mechanisms enabled?

Are your two test machines (working and not working) connecting to the same Tomcat instance (and on the same port)?

Mark

> Thank you,
> Paolo
>
> On Fri, 9 Jul 2021 at 18:56, Mark Thomas wrote:
>> On 09/07/2021 16:59, Paolo Clerici wrote:
>>> I use IIS 10.0 as a reverse proxy of Tomcat 7.
>>> IIS 10.0 use Windows Authentication.
>>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
>>> method I get the null value.
>>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
>>> method I get the null value.
>>> Using IIS 6.1 with the same version of Tomcat everything works fine.
>>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
>>> method I get "NTLM" string.
>>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
>>> method I get the name of the user who authenticated with IIS.
>>> The configuration of the two versions of IIS appears to be the same.
>>
>> Clearly it isn't the same since when I tested this with IIS 10.0 it
>> worked exactly as expected.
>>
>>> Seems to be missing some AJP headers including: remote_user (0x03) and
>>> auth_type (0x04) which instead are sent from IIS 6.1.
>>>
>>> Below isapi connector debug log (auth and user are null):
>>> Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug] init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1 method=GET host=10.10.12.102 addr=10.10.12.102 name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null) uri=/s2wweb/faces/login.xhtml
>>
>> That points to an IIS configuration issue.
>> How did you configure authentication?
>>
>> Mark
>>
>>> Product: Tomcat Connectors
>>> Component: isapi
>>> Version: 1.2.48
>>> Windows version: Windows Server 2016
>>> IIS Version: 10.0
>>> Tomcat version: 7
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header
Hi Mark,

1) Start the Internet Information Services (IIS) Manager.
2) Locate and select site "test" in the IIS tree.
3) Double-click the Authentication icon.
4) Select Windows Authentication.
5) Click Enable in the Actions menu.
6) Restart IIS

When I request the resource "https://qa-b2b.dasitgroup.it/s2wweb/" I am asked for my Windows credentials.

Thank you,
Paolo

On Fri, 9 Jul 2021 at 18:56, Mark Thomas wrote:
> On 09/07/2021 16:59, Paolo Clerici wrote:
> > I use IIS 10.0 as a reverse proxy of Tomcat 7.
> > IIS 10.0 uses Windows Authentication.
> > When I run the javax.servlet.http.HttpServletRequest.getAuthType() method I get the null value.
> > When I run the javax.servlet.http.HttpServletRequest.getRemoteUser() method I get the null value.
> > Using IIS 6.1 with the same version of Tomcat everything works fine.
> > When I run the javax.servlet.http.HttpServletRequest.getAuthType() method I get the "NTLM" string.
> > When I run the javax.servlet.http.HttpServletRequest.getRemoteUser() method I get the name of the user who authenticated with IIS.
> > The configuration of the two versions of IIS appears to be the same.
>
> Clearly it isn't the same since when I tested this with IIS 10.0 it worked exactly as expected.
>
> > Seems to be missing some AJP headers including: remote_user (0x03) and auth_type (0x04) which instead are sent from IIS 6.1.
> >
> > Below is the isapi connector debug log (auth and user are null):
> > Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug] init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1 method=GET host=10.10.12.102 addr=10.10.12.102 name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null) uri=/s2wweb/faces/login.xhtml
>
> That points to an IIS configuration issue.
> How did you configure authentication?
>
> Mark
>
> > Product: Tomcat Connectors
> > Component: isapi
> > Version: 1.2.48
> > Windows version: Windows Server 2016
> > IIS Version: 10.0
> > Tomcat version: 7
Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header
On 09/07/2021 16:59, Paolo Clerici wrote:
> I use IIS 10.0 as a reverse proxy of Tomcat 7.
> IIS 10.0 uses Windows Authentication.
> When I run the javax.servlet.http.HttpServletRequest.getAuthType() method I get the null value.
> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser() method I get the null value.
> Using IIS 6.1 with the same version of Tomcat everything works fine.
> When I run the javax.servlet.http.HttpServletRequest.getAuthType() method I get the "NTLM" string.
> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser() method I get the name of the user who authenticated with IIS.
> The configuration of the two versions of IIS appears to be the same.

Clearly it isn't the same since when I tested this with IIS 10.0 it worked exactly as expected.

> Seems to be missing some AJP headers including: remote_user (0x03) and auth_type (0x04) which instead are sent from IIS 6.1.
>
> Below is the isapi connector debug log (auth and user are null):
> Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug] init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1 method=GET host=10.10.12.102 addr=10.10.12.102 name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null) uri=/s2wweb/faces/login.xhtml

That points to an IIS configuration issue.
How did you configure authentication?

Mark

> Product: Tomcat Connectors
> Component: isapi
> Version: 1.2.48
> Windows version: Windows Server 2016
> IIS Version: 10.0
> Tomcat version: 7
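
Added example, not part of the thread and not Tomcat Connectors code: a Python sketch that scans isapi_redirect debug output for `init_ws_service` entries like the one quoted above and counts, per first URI segment, the requests forwarded to Tomcat with `auth=(null)` or `user=(null)`. The second sample entry and the `EXAMPLE\jdoe` account are constructed, and user names are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Sample debug output. The first entry is the line quoted in the thread;
# the second is constructed to show an authenticated request.
SAMPLE_LOG = (
    "Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug] "
    "init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1 "
    "method=GET host=10.10.12.102 addr=10.10.12.102 "
    "name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null) "
    "uri=/s2wweb/faces/login.xhtml\n"
    "[Fri Jul 09 17:02:10.101 2021] [4608:4712] [debug] "
    "init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1 "
    "method=GET host=10.10.12.102 addr=10.10.12.102 "
    "name=qa-b2b.dasitgroup.it port=443 auth=NTLM user=EXAMPLE\\jdoe "
    "uri=/websat/index.jsp\n"
)

# '.' does not match newlines, so each match stays within one log entry.
SERVICE_RE = re.compile(
    r"init_ws_service::.*?\bauth=(?P<auth>\S+) user=(?P<user>\S+) uri=(?P<uri>\S+)"
)


def parse_service_lines(text):
    """Yield (auth, user, uri) per entry; '(null)' becomes None."""
    for m in SERVICE_RE.finditer(text):
        auth = None if m["auth"] == "(null)" else m["auth"]
        user = None if m["user"] == "(null)" else m["user"]
        yield auth, user, m["uri"]


def unauthenticated_by_mount(text):
    """Count requests per first URI segment and how many carried no identity."""
    counts = defaultdict(lambda: {"total": 0, "no_identity": 0})
    for auth, user, uri in parse_service_lines(text):
        mount = "/" + uri.lstrip("/").split("/", 1)[0]
        counts[mount]["total"] += 1
        if auth is None or user is None:
            counts[mount]["no_identity"] += 1
    return dict(counts)


if __name__ == "__main__":
    for mount, c in sorted(unauthenticated_by_mount(SAMPLE_LOG).items()):
        print(f"{mount}: {c['no_identity']}/{c['total']} forwarded without identity")
```

A mount whose requests all arrive without an identity, while Tomcat expects `getRemoteUser()` to be populated, is the pattern the quoted log line shows.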