We have the following problem connecting from the Tomcat 9.0.24 environment 
to the Windows Active Directory Kerberos database (Windows 2008 DCs).
In the log files of Tomcat 8, which gives no problems, the connection to 
Active Directory is made.
The log shows that the login attempt (the check whether the person can log in 
with the Active Directory account) is made 3 times.
After that the login is accepted and marked as successful.

In Tomcat 9 (different versions tried, including 9.0.24) only 1 attempt 
becomes visible, and it is successful. But then the check stops (not 3 times 
as in Tomcat 8) and the connection is marked as unsuccessful.

The environment for Tomcat 9 is the same as for Tomcat 8:
Windows 10 Pro
Oracle Database RDBMS 11.2.0.3
APEX 4.2.3.008
ORDS 2019 (Oracle listener)
ojdbc6.jar

Tried both Java versions:
E:\java\jre64b\bin>java -version
java version "1.8.0_202"
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

And

E:\java\openjdk\bin>java -version
openjdk version "11.0.1" 2018-10-16
OpenJDK Runtime Environment 18.9 (build 11.0.1+13)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)

Tomcat 9.0.24 directory structure
(log files in the attachments)
e:\Tomcat9\

\Catalina\localhost\apex42a.xml

+++...+++
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
  loginConfigName="APEX42A"
  />
  <Realm className="org.apache.catalina.realm.JAASRealm"
         allRolesMode="authOnly"
         appName="APEX42A"
  />
</Context>
+++...+++

\conf\jaas.conf
+++...+++
APEX42A {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/nlsl-decadetst.u4agr....@u4agr.com"
    useKeyTab=true
    keyTab="E:/Decade_appl/Tomcat9/conf/tomcat.keytab"
    storeKey=true;
};
+++...+++

\conf\krb5.ini

+++...+++
[libdefaults]
     default_realm        = U4AGR.COM
     default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     default_tgs_enctypes = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     permitted_enctypes   = rc4-hmac aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
     dns_lookup_kdc   = true
     dns_lookup_realm = false

[realms]
     U4AGR.COM = {
        kdc = u4agr.com
        default_domain = U4AGR.COM
     }

[domain_realm]
     .u4agr.com = U4AGR.COM
     u4agr.com  = U4AGR.COM
+++...+++

\conf\tomcat.keytab

Creation statements for tomcat.keytab:
ktpass /out c:\Temp\tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ HTTP/nlsl-decadetst.u4agr....@u4agr.com /pass "D3cad3401" /kvno 0 -ptype KRB5_NT_PRINCIPAL
ktpass /out c:\temp\1c-tomcat.keytab /mapuser DECADE_SSO_TC.U4AGR.COM /princ HTTP/nlsl-decadetst.u4agr....@u4agr.com /pass "D3cad3401" -crypto All /kvno 0 -ptype KRB5_NT_PRINCIPAL

\webapps\apex42a\WEB-INF\web.xml

+++...+++
    <servlet-mapping>
        <servlet-name>Forbidden</servlet-name>
        <url-pattern>/oracle/dbtools/jarcl</url-pattern>
    </servlet-mapping>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>APEX42A</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>SPNEGO</auth-method>
    </login-config>

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
+++...+++



Kind regards,
Heidi Leerink - Duverger
Technisch Consultant


<<attachment: Tomcat8LogFiles.zip>>

<<attachment: Tomcat9LogFiles.zip>>
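An added diagnostic, not part of the post above and not Tomcat's own code: a small Java program that performs, outside Tomcat, the two service-side steps the `SpnegoAuthenticator` + `JAASRealm` setup shown above depends on. It runs the `Krb5LoginModule` keytab login named by `loginConfigName` (`APEX42A` in the post) and then, inside that `Subject`, acquires a SPNEGO acceptor credential for the `HTTP/` principal. It does not replay a browser token, so it cannot reproduce the full round trip, but it separates "keytab, `krb5.ini` and JAAS config are sound for this JVM" from "Tomcat 9 behaves differently". The class name, the argument handling and the file paths in the usage comment are assumptions; the system property names and the JGSS calls are standard JDK APIs.

```java
import java.io.File;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/**
 * Stand-alone check of the service-side Kerberos setup behind Tomcat's SpnegoAuthenticator,
 * using the same jaas.conf, krb5.ini and keytab but no Tomcat.
 *
 *   javac KeytabLoginCheck.java
 *   java KeytabLoginCheck E:\Tomcat9\conf\jaas.conf E:\Tomcat9\conf\krb5.ini APEX42A
 *
 * The paths are examples (assumption); pass the files Tomcat actually reads.
 */
public class KeytabLoginCheck {

    /** SPNEGO mechanism OID (RFC 4178), the mechanism a browser negotiates with Tomcat. */
    private static final String SPNEGO_MECH = "1.3.6.1.5.5.2";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeytabLoginCheck <jaas.conf> <krb5.ini> <loginConfigName>");
            System.exit(1);
        }
        File jaasConf = new File(args[0]);
        File krb5Conf = new File(args[1]);
        String appName = args[2];
        if (!jaasConf.isFile() || !krb5Conf.isFile()) {
            System.err.println("jaas.conf or krb5.ini not found");
            System.exit(1);
        }

        // Same properties Tomcat is started with (normally via CATALINA_OPTS / setenv).
        // They must be set before any Kerberos class is loaded, hence at the top of main.
        System.setProperty("java.security.auth.login.config", jaasConf.getAbsolutePath());
        System.setProperty("java.security.krb5.conf", krb5Conf.getAbsolutePath());
        System.setProperty("sun.security.krb5.debug", "true"); // prints enctypes, kvno, KDC traffic
        System.setProperty("sun.security.jgss.debug", "true");

        // Step 1: Krb5LoginModule (useKeyTab=true, storeKey=true) reads the keytab and gets a TGT.
        LoginContext lc = new LoginContext(appName);
        try {
            lc.login();
        } catch (LoginException e) {
            System.err.println("JAAS login failed: " + e);
            System.exit(2);
        }
        Subject subject = lc.getSubject();
        System.out.println("JAAS login OK, principals: " + subject.getPrincipals());
        describeCredentials(subject);

        // Step 2: inside the logged-in Subject, acquire an acceptor credential for SPNEGO,
        // which the authenticator needs before it can accept a browser's token.
        try {
            GSSCredential cred = Subject.doAs(subject, (PrivilegedExceptionAction<GSSCredential>) () ->
                GSSManager.getInstance().createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, new Oid(SPNEGO_MECH), GSSCredential.ACCEPT_ONLY));
            System.out.println("Acceptor credential OK for " + cred.getName()
                + ", lifetime " + cred.getRemainingLifetime() + "s");
            cred.dispose();
        } catch (PrivilegedActionException | GSSException e) {
            Throwable cause = e instanceof PrivilegedActionException ? e.getCause() : e;
            System.err.println("Acceptor credential failed: " + cause);
            System.exit(3);
        } finally {
            lc.logout();
        }
    }

    /** Lists the keys and tickets the login module stored, including the kvno of each keytab entry. */
    static void describeCredentials(Subject subject) {
        for (Object c : subject.getPrivateCredentials()) {
            if (c instanceof KeyTab) {
                // JDK 7+ stores the bound keytab itself; resolve its entries per Kerberos principal.
                KeyTab kt = (KeyTab) c;
                for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
                    for (KerberosKey k : kt.getKeys(p)) {
                        System.out.printf("keytab key: %s etype=%d kvno=%d%n",
                            k.getPrincipal(), k.getKeyType(), k.getVersionNumber());
                    }
                }
            } else if (c instanceof KerberosKey) {
                KerberosKey k = (KerberosKey) c;
                System.out.printf("stored key: %s etype=%d kvno=%d%n",
                    k.getPrincipal(), k.getKeyType(), k.getVersionNumber());
            } else if (c instanceof KerberosTicket) {
                KerberosTicket t = (KerberosTicket) c;
                System.out.printf("ticket: %s -> %s session etype=%d%n",
                    t.getClient(), t.getServer(), t.getSessionKeyType());
            }
        }
    }
}
```

Run it once with each of the two JREs listed above; if both succeed in steps 1 and 2, the keytab, `krb5.ini` and JAAS configuration are not what differs between the Tomcat 8 and Tomcat 9 installations, and the comparison moves to the Tomcat 9 log output itself. The Kerberos debug output also shows the enctype and kvno of the keytab entries next to what the KDC issues, which is the first thing to compare against the `/kvno` and `-crypto` values used in the `ktpass` commands.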
