Hi Mark,

> Are you connecting from a machine that isn't part of the Windows AD?
I have tried both from PCs connected to AD and from PCs not connected to AD.

> Normally, I'd expect authentication to work without any password prompt.
If I connect from an AD PC I am not asked for credentials (correct). If I
connect from a non-AD PC I am prompted for credentials (correctly).
The credential check is done correctly by IIS.

> Are any other authentication mechanisms enabled?
For virtual directory "s2wweb" only "Windows Authentication" is
enabled ("Anonymous Authentication" is disabled). For site "test",
"Anonymous Authentication" is enabled.

> Are your two test machines (working and not working) connecting to the
> same Tomcat instance (and on the same port)?
Yes.
The current IIS server needs to be migrated to a new IIS server. The
current server (Windows Server 2008 R2 with IIS 6.1) is connected to
the same Tomcat server (another Windows Server 2008 R2 with Tomcat
7.0) on the same port (8009).

Thank you very much,
Paolo





On Mon, 12 Jul 2021 at 20:10, Mark Thomas
<ma...@apache.org> wrote:
>
> On 12/07/2021 07:21, Paolo Clerici wrote:
> > Hi Mark,
> > 1) Start the Internet Information Services (IIS) Manager.
> > 2) Locate and select site "test" in the IIS tree.
> > 3) Double-click the Authentication icon.
> > 4) Select Windows Authentication.
> > 5) Click Enable in the Actions menu.
> > 6) Restart IIS
> >
> > When I request the resource "https://qa-b2b.dasitgroup.it/s2wweb/" I
> > am asked for my Windows credentials.
>
> Are you connecting from a machine that isn't part of the Windows AD?
> Normally, I'd expect authentication to work without any password prompt.
>
> Are any other authentication mechanisms enabled?
>
> Are your two test machines (working and not working) connecting to the
> same Tomcat instance (and on the same port)?
>
> Mark
>
>
> >
> > Thank you,
> > Paolo
> >
> >
> > On Fri, 9 Jul 2021 at 18:56, Mark Thomas <ma...@apache.org>
> > wrote:
> >>
> >> On 09/07/2021 16:59, Paolo Clerici wrote:
> >>> I use IIS 10.0 as a reverse proxy of Tomcat 7.
> >>> IIS 10.0 uses Windows Authentication.
> >>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> >>> method I get the null value.
> >>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> >>> method I get the null value.
> >>> Using IIS 6.1 with the same version of Tomcat everything works fine.
> >>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> >>> method I get "NTLM" string.
> >>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> >>> method I get the name of the user who authenticated with IIS.
> >>> The configuration of the two versions of IIS appears to be the same.
> >>
> >> Clearly it isn't the same since when I tested this with IIS 10.0 it
> >> worked exactly as expected.
> >>
> >>> Seems to be missing some AJP headers including: remote_user (0x03) and
> >>> auth_type (0x04) which instead are sent from IIS 6.1.
> >>>
> >>> Below is the isapi connector debug log (auth and user are null):
> >>> Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug]
> >>> init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1
> >>> method=GET host=10.10.12.102 addr=10.10.12.102
> >>> name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null)
> >>> uri=/s2wweb/faces/login.xhtml
> >>
> >> That points to an IIS configuration issue.
> >> How did you configure authentication?
> >>
> >> Mark
> >>
> >>>
> >>> Product: Tomcat Connectors
> >>> Component: isapi
> >>> Version: 1.2.48
> >>> Windows version: Windows Server 2016
> >>> IIS Version: 10.0
> >>> Tomcat version: 7
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
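The thread turns on whether the redirector puts the optional remote_user (0x03) and auth_type (0x04) attributes into the AJP13 Forward Request; without them Tomcat has nothing to return from getRemoteUser() and getAuthType(). The decoder below is an added example, not code from the thread or from the Tomcat Connectors project, that lists the attributes present in one AJP13 message. The function names, the constructed sample packet and the user "EXAMPLE\jdoe" are assumptions made for illustration.

```python
import struct

# AJP13 optional-attribute codes with string values; 0x03 and 0x04 are the two named in the thread.
ATTRS = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
         0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
         0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method"}

def forward_request_attrs(packet):  # packet: one complete AJP13 message as bytes
    pos = 0
    def num(fmt):
        nonlocal pos
        (v,) = struct.unpack_from(fmt, packet, pos)
        pos += struct.calcsize(fmt)
        return v
    def string():
        nonlocal pos
        n = num(">H")
        if n == 0xFFFF:                      # AJP encoding of a null string
            return None
        pos += n + 1                         # payload plus trailing NUL
        return packet[pos - n - 1:pos - 1].decode("latin-1")
    if num(">H") != 0x1234 or num(">H") != len(packet) - 4 or num("B") != 0x02:
        raise ValueError("not a complete AJP13 Forward Request")
    num("B")                                 # method code
    for _ in range(5):                       # protocol, req_uri, remote_addr,
        string()                             # remote_host, server_name
    num(">H"), num("B")                      # server_port, is_ssl
    for _ in range(num(">H")):               # request headers: name, value
        num(">H") if packet[pos] == 0xA0 else string()   # coded or literal name
        string()
    attrs = {}
    while (code := num("B")) != 0xFF:        # 0xFF terminates the request
        if code == 0x0A:                     # req_attribute: name, then value
            name = string()
            attrs["req_attribute:" + name] = string()
        elif code == 0x0B:                   # ssl_key_size is an integer
            attrs["ssl_key_size"] = num(">H")
        else:
            attrs[ATTRS.get(code, hex(code))] = string()
    return attrs

def ajp_str(v):  # helper for the constructed sample below
    return b"\xff\xff" if v is None else struct.pack(">H", len(v)) + v.encode("latin-1") + b"\0"

def build_sample(user=None, auth=None):  # constructed packet modelled on the thread's log line
    fields = ["HTTP/1.1", "/s2wweb/faces/login.xhtml", "10.10.12.102", None, "qa-b2b.dasitgroup.it"]
    body = (b"\x02\x02" + b"".join(map(ajp_str, fields)) + struct.pack(">HBH", 443, 1, 1)
            + b"\xa0\x0b" + ajp_str(fields[4]))          # one header: Host (0xA00B)
    body += (b"\x03" + ajp_str(user) if user else b"") + (b"\x04" + ajp_str(auth) if auth else b"")
    return b"\x12\x34" + struct.pack(">H", len(body) + 1) + body + b"\xff"
```

An empty result for a request to a protected path corresponds to the auth=(null) user=(null) case in the debug log, which places the gap on the web server side of the AJP link rather than in Tomcat.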