Hi Matthias,

I suspect your issue is:
address="::"

You probably want address="0.0.0.0" or the ipv4 IP address that your tomcat instance is listening on.

:: allows any on IPv6, but for IPv4 I suspect that tomcat would still be listening only on 127.0.0.1

Regards,
Stephen

On Wed, 4 Mar 2020 at 15:20, Matthias Fechner <ide...@fechner.net> wrote:

> Dear all,
>
> as tomcat version 9.0.31 has some security fixes included I tried to do
> an upgrade.
> On the IIS tomcat connector version 1.2.46 is installed.
>
> As secret I use a 32 character long alpha numeric string, I name it here
> token.
> In the workers.properties I tried to define it on the load balancer
> line:
> worker.loadbalancer.secret=token
>
> And/or on each node:
> worker.node1.secret=token
> ...
> worker.node2.secret=token
>
> For the tomcat configuration I defined in server.xml the following AJP
> connector:
> <Connector protocol="AJP/1.3"
>            address="::"
>            port="8009"
>            tomcatAuthentication="false"
>            enableLookups="false"
>            secret="token"
>            redirectPort="8443" />
>
> But it does not work. It seems that tomcat does not answer here.
> If I downgrade to tomcat 9.0.29 it works without any problems.
>
> I started then wireshark and had a look into the traffic coming from the
> IIS.
> From IIS I see an AJP13 connection with the following content in "Apache
> JServ Protocol v1.3" part in wireshark:
> ...
> Sec-Fetch-User: ?1
> token
> INTERNAL\user
> Negotiate
> ...
>
> as the token is here included the secret configuration is maybe correct.
> The token is here equal to the token defined on IIS-tomcat-connector and
> the tomcat server.xml AJP definition.
> Tomcat is sending back a "0:RSP:SEND HEADERS:403 403"
>
> The IIS is doing authentication and is then just sending the user to
> tomcat.
>
> Regarding the documentation everything seems to be configured correctly,
> but it does not work.
> Could anyone help me here, please?
>
> --
> Thanks a lot
> Matthias

--
Stephen Hames, Systems Architect & Release Manager
Singapore | +65 6403 5900
CloudPay <https://www.cloudpay.net/>
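
An offline check for the two settings this thread discusses, the AJP connector's `address` binding and agreement between the `secret` values in server.xml and workers.properties. This is an added example, not part of the original messages or of Tomcat; the function names, finding codes and the `stale-token` value are constructed for illustration, and inheritance of a secret from the load balancer worker is not modelled.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input modelled on the configuration quoted above;
# "token" and "stale-token" are placeholders, not real secrets.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="::" port="8009"
             tomcatAuthentication="false" secret="token" redirectPort="8443" />
</Service></Server>"""
WORKERS = """worker.list=loadbalancer
worker.node1.secret=token
worker.node2.secret=stale-token
"""

def worker_secrets(text):
    """Map worker name -> secret from workers.properties text."""
    secrets = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        parts = key.strip().split(".")
        if sep and len(parts) == 3 and parts[0] == "worker" and parts[2] == "secret":
            secrets[parts[1]] = value.strip()
    return secrets

def bind_kind(address):
    """Classify a Connector address attribute, e.g. 'IPv6 wildcard'."""
    if address is None:
        return "unset"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hostname"
    scope = "wildcard" if ip.is_unspecified else "loopback" if ip.is_loopback else "specific"
    return f"IPv{ip.version} {scope}"

def check_ajp(server_xml, workers_text):
    """Return (code, detail) findings; secret values are never echoed."""
    findings, secrets = [], worker_secrets(workers_text)
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port, kind = conn.get("port"), bind_kind(conn.get("address"))
        if kind.startswith("IPv6") or kind.endswith("loopback"):
            findings.append(("BIND_REVIEW", f"port {port}: {kind}; confirm the proxy's IPv4 address can reach it"))
        if not secrets:
            findings.append(("NO_WORKER_SECRET", f"port {port}"))
        findings += [("SECRET_MISMATCH", name) for name, s in sorted(secrets.items())
                     if s != conn.get("secret")]
    return findings
```

Findings name the worker or port only, so the output can be pasted into a ticket or mailing-list post without exposing the shared secret.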