-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
Sent: Thursday, July 06, 2017 2:47 PM
To: users@tomcat.apache.org
Subject: Re: TOMCAT 8.5.15 - on windows 7 server - Password for Service 
Username disappears

On 06.07.2017 18:17, Fau Buitron wrote:
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, July 06, 2017 12:04 PM
> To: users@tomcat.apache.org
> Subject: Re: TOMCAT 8.5.15 - on windows 7 server - Password for 
> Service Username disappears
>
> Hi.
> On this list, it is preferred/recommended/strongly recommended to respond 
> *below* the original message, and not to "top post".
> It just makes it easier to follow the normal flow of a conversation.
> See the rules : http://tomcat.apache.org/lists.html#tomcat-users  #6  
> >
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Thursday, July 06, 2017 11:35 AM
>> To: users@tomcat.apache.org
>> Subject: Re: TOMCAT 8.5.15 - on windows 7 server - Password for 
>> Service Username disappears
>>
>> On 06.07.2017 17:13, Fau Buitron wrote:
>>> Hi All,
>>>
>>>        I am running TOMCAT 8.5.15 on a Windows 7 server with SP1. Although 
>>> it is not consistent, the password value for the specific username used to 
>>> run the TOMCAT service disappears when the service is stop and started 
>>> again. The starting of the service fails because the value of the password 
>>> disappears.
>>>
>>>        Once the password value is re-entered with the password value, the 
>>> TOMCAT service starts without any issues, has anyone encountered this issue?
>>>
>>>         I look forward to your response.
>>>
>>>
>>
>> Hi.
>> I have never seen the behaviour which you describe above, although I 
>> regularly run Tomcat as a Service on Windows systems, in multiple customer 
>> networks.
>> First, maybe something which you should read :
>> https://wiki.apache.org/tomcat/FAQ/Windows#Q11
>>
>> In a way, this explains why the Tomcat code itself is very unlikely to 
>> contain anything which would modify this Windows user's password. (If 
>> anything, it would be the "wrapper"
>> program described in that article.)
>>
>> My guess would be at this point : if the user-id in question is a Windows 
>> Domain user-id, then mybe some Windows network policy is the cause of this 
>> password reset.
>> Ask your Windows network sysadmins.
>>
>> Hope this helps.
>>
> On 06.07.2017 17:48, Fau Buitron wrote:
>> Hi Andre,
>>
>>    Thank you for your response and feedback. I had reached out to our 
>> windows support group only to be told that it must be caused by the third 
>> party product.
>> What's worse is that all installations of TOMCAT (Stage and Production) 
>> encounter the same behavior when the service itself it stopped.
>>
>>    I was reaching out to the TOMCAT user community in the event that 
>> there might be a permission that needs to be granted to a file in which the 
>> service account Username and password might need to be entered.
>>
>>    So I am once again at square one, however, I will follow your suggestion 
>> and reach out to the networking group to see if they can shed light on this 
>> situation.
>>
>> Thank you.
>>
>> Fau
>>
>
> Another suggestion : if you have read the article to which I pointed you, you 
> will see that the "wrapper" program which actually runs the JVM which runs 
> Tomcat, actually stores its parameters in the Windows Registry.
> It is the same for the userid/password which you enter in the service 
> description.
> So maybe it is not an issue linked to Tomcat per se, but instead due to the 
> fact that by entering this password, you are modifying the Registry.
> And perhaps there is some network script which regularly removes such 
> changes, when made by a user who does not have the correct permissions to do 
> so ?
> It may thus be that it is not the Tomcat start/stop per se which resets this 
> password, but that this happens asynchronously, and that you just notice it 
> when you are trying to restart Tomcat.
>
> You could try the following experiment :
> - set the password for that user, start Tomcat as usual, and leave it 
> running
> - then, after a suitable pause, try to login to that same workstation, as 
> this Tomcat user, using the same password which you set.
> If it does not work, then you know that it has nothing to do with stopping 
> Tomcat.
>
> Hi Andre,
>
>     The experiment that you described is exactly what is occurring, except it 
> is not a TOMCAT user, as it is the actual username and password which is used 
> to run the TOMCAT service itself.

Yes, that is what I meant. I meant "use the user-id/password that you have 
configured for the Tomcat Service, to actually try to login (interactively) to 
Windows on that machine."

> The TOMCAT service runs, but if the TOMCAT service is stopped (does 
> not occur at all instances), the password field for the user is no 
> longer present
and needs to be re-entered. I could do
> a search within the registry, however the value for the password will more 
> like be encrypted, as it appears within the password field of the service 
> logon tab, so is the value of the password really present?

Indeed it may not be, if this is a domain user, as you seem to indicate below.
Which triggers another question : can you not define a local user on this 
machine, and use that one to run Tomcat ? Or, can you not use the default 
Services user, which is normally "LocalSystem" or similar ?
(The only reason why you may be forced to use an AD domain user, would be if 
some application running within Tomcat, needs access to some non-local Windows 
domain resource).

The point of all this is to try to narrow down as much as possible the 
circumstances under which this happens (vs does not happen), since the code of 
Tomcat itself is certainly not resetting the password of the user-id under 
which that service is running.

> I am reaching out to the security group to determine if the AD username has 
> similar properties as other service account username/passwords.
> Thank you for your assistance and response.

   Hi Andre,
    
     Thank you for your assistance, support and ideas..The problem has been 
resolved. The Service Account userid needed to be set in AD as "Logon as 
Service" this was causing the problem.
The following link helped to determine this issue and how to resolve: 
https://www.puryear-it.com/you-have-to-update-a-service-account-password-after-every-windows-server-reboot


>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to