Thank you André for this analysis, I am an Oracle developer and I understand most of the reasoning in you answer, but I need to chew on it for some time and seek help in our organization for Kerberos knowledge.
Our application first only had a database authentication and over time more and more customers required SSO. So I configured Tomcat with Spnego based on an Oracle blog, and that worked fine in Tomcat 7 and 8. But now some customers want to upgrade to Tomcat 9.... The application only uses the HTTP variable :REMOTE_USER to decide if there is a SSO configuration present and if so links the Windows user to an application user and else de user has to login against the database to authenticate. Met vriendelijke groeten van Heidi Leerink - Duverger Technisch Consultant In business for people. Unit4 Business Software Netherlands B.V. Papendorpseweg 100, 3710 BJ Utrecht, Netherlands T +31 88 247 1444 E heidi.duver...@unit4.com This message and any attachment(s) are intended only for the use of the named recipient and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If you are not the intended recipient, please notify the sender by return e-mail and delete this message from your system. Do not disclose the contents of this document to any other persons. Violation of this notice may be unlawful. Please note that internet communications are not secure and e-mails are susceptible to change. Thank you for your cooperation. -----Original Message----- From: André Warnier (tomcat) [mailto:a...@ice-sa.com] Sent: vrijdag 6 september 2019 12:15 To: users@tomcat.apache.org Subject: Re: SSO fails on Tomcat 9 Hi Heidi. We have kind of a conundrum here : - Mark (who is one of the main tomcat developers) tested the SPNEGO (Kerberos) authentication under both tomcat8 and tomcat9, using the standard instructions provided in the respective on-line tomcat documentation pages, and reported that it works in both cases. - You report that your installation works with tomcat8, but not with tomcat9, and that you are using the same infrastructure and the same parameters in both cases. (Someone else also reported a case with problems with tomcat9). - The description of your problem (and the tomcat9 logfiles) seems to indicate a problem with the Kerberos "pre-authentication". (These lines of the log : >>>KRBError: ... error code is 25 error Message is Additional pre-authentication required ) And based on my own previous experience with Windows authentication in general (but not Kerberos), it is also my impression that your problem is at the Kerberos level, not really at the tomcat level. I have looked for "Kerberos Additional pre-authentication required" in the www, and despite the fact that I do not really know Kerberos, it seems that the error message above indicates that your browser and the server cannot even agree between them, to actually start exchanging Kerberos tokens (keys) between them, to complete a Kerberos authentication. (And that may be why you see a single 401 response in your logs, and why SPNEGO immediately concludes that the user is not authenticated). (There are also lines in that logfile, which seem to hint at some DNS (name resolution) issue, but that may be a false alarm or a secondary issue). One way to reconcile the above conflicting information, would be if for example some SPNEGO Valve parameter, in your configuration, would be unspecified and defaulting to some value in your case, and a different value in Mark's case. (Or vice-versa, that you are specifying a value, and Mark is using the default, and the result is not the same.) Another possibility would be that the available (or default) encryption methods are different between tomcat8 and tomcat9 (or between different browsers), and that in your case and Mark's, the browser and the server arrive at different encryption choices and cannot agree on a common one. It may be useful for you and Mark to compare in detail, the settings which you use for the SPNEGO Valve (and/or for encryption ?). Another very vague (and maybe wrong) suspicion that I would have is based on some questions : - does the tomcat hostname play a role in the Kerberos authentication ? - if yes, does the SPNEGO Valve obtain this name via some ".getServerName()"-like method, whose result may be different under tomcat8 and tomcat9 in some circumstances ? On 05.09.2019 22:10, Heidi Leerink - Duverger wrote: > Hello Mark, > > I have spent a lot of time comparing both T8 and T9 installations on de > nsl-decadetst.u4agr.com PC. > Sorry but I can't find a major difference in the conf file, apart from > differences Tomcat itself came with in the conf files. > The stdout is mainly the same and the stderr show in Tomcat 8 hduverge > authenticated and in Tomcat 9 not authenticated. > I'm lost now I have no ideas left where to look for differences or how to > find a solution for this major issue. > Attached once again the files from our Tomcat 8 and Tomcay 9 installation. > > Met vriendelijke groeten van > Heidi Leerink - Duverger > Technisch Consultant > > Met vriendelijke groeten van > Heidi Leerink - Duverger > Technisch Consultant > > > In business for people. > Unit4 Business Software Netherlands B.V. > Papendorpseweg 100, 3710 BJ Utrecht, Netherlands > T +31 88 247 1444 > E heidi.duver...@unit4.com > This message and any attachment(s) are intended only for the use of the named > recipient and may contain information that is privileged, confidential or > otherwise exempt from disclosure under applicable law. If you are not the > intended recipient, please notify the sender by return e-mail and delete this > message from your system. Do not disclose the contents of this document to > any other persons. Violation of this notice may be unlawful. Please note that > internet communications are not secure and e-mails are susceptible to change. > Thank you for your cooperation. > > -----Original Message----- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: woensdag 4 september 2019 11:09 > To: users@tomcat.apache.org > Subject: Re: SSO fails on Tomcat 9 > > Heidi, > > I have just completed the tests and SPNEGO works as expected with both Tomcat > 8.5.x and 9.0.x. > > The test environment was as per: > https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Ftomcat.apache.org%2Ftomcat-9.0-doc%2Fwindows-auth-howto.html&data=01%7C01%7Cheidi.duverger%40unit4.com%7C437f0484819b4e0a26ba08d732b2d99b%7Cee137cc45d4343cf9da5f75728b8d21f%7C1&sdata=F9nE3kUvvTfS%2BbY5oQbC015w0LamzRihWV9RpvNZkiY%3D&reserved=0 > > with the following changes: > - Updated the Domain Controller and Tomcat instance with all the latest > patches from Windows update > - Oracle Java 1.8.0u162 / Adopt OpenJDK Java 11.0.4_11 (tested Tomcat > running under both) > - Tomcat 8.5.x, Tomcat 9.0.x (current HEAD at the time of writing), > 9.0.24 (from the tag) > > The test environment uses separate CATALINA_HOME / CATALINA_BASE so the > Tomcat instance configuration (CATALINA_BASE) is guaranteed to be identical > while I vary the Tomcat binary (CATALINA_HOME) to use. > > > It looks like there is something not quite right with the Tomcat 9 > configuration. > > You could try adding: > > -Dsun.security.spnego.debug=true > > in setenv.bat. That might provide some insight although I've had mixed > experience using that to debug SPNEGO issues in the past. > > <snip/> > >>> Thank you for your help with this, it must be that Tomcat 9 SPNEGO is more >>> strict than the Tomcat 8 implementation was... > I haven't found any evidence to support the above conclusion at this point. > All the evidence so far (diff of the relevant code and my own test > environment) points to a configuration difference in your Tomcat 9 > installation. > > You mentioned starting and stopping services. I wondered if the change of > default user from "Local System" to "Local Service" had triggered this issue > but that makes no difference. > > Looking at your log files in more detail, I do notice a few things: > > -Djava.security.krb5.ini=... > > The above system property is incorrect. It should be: > > -Djava.security.krb5.conf=... > > It won't impact your environment because it appears to be set to the default. > This affects both Tomcat 8 and Tomcat 9. > > The conf\krb5.ini does not specify the keytab file. In the config files in > the Tomcat docs this looks like: > default_keytab_name = FILE:c:\apache-tomcat-9.0.x\conf\tomcat.keytab > > The debug logs for the authentication processes look very different. > That strongly suggests that the configurations are not the same. I would > concentrated on comparing the configuration of the two systems. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
