Posted to users@tomcat.apache.org by Paolo Clerici <cl...@gmail.com> on 2021/07/09 15:59:48 UTC

IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

I use IIS 10.0 as a reverse proxy of Tomcat 7.
IIS 10.0 uses Windows Authentication.
When I run the javax.servlet.http.HttpServletRequest.getAuthType()
method I get the null value.
When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
method I get the null value.
Using IIS 6.1 with the same version of Tomcat everything works fine.
When I run the javax.servlet.http.HttpServletRequest.getAuthType()
method I get "NTLM" string.
When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
method I get the name of the user who authenticated with IIS.
The configuration of the two versions of IIS appears to be the same.
Seems to be missing some AJP headers including: remote_user (0x03) and
auth_type (0x04) which instead are sent from IIS 6.1.

Below isapi connector debug log (auth and user are null):
[Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug] init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1 method=GET host=10.10.12.102 addr=10.10.12.102 name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null) uri=/s2wweb/faces/login.xhtml

Product: Tomcat Connectors
Component: isapi
Version: 1.2.48
Windows version: Windows Server 2016
IIS Version: 10.0
Tomcat version: 7

Thank you,
Paolo Clerici

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
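
Added example (not part of the original post, and not code from Tomcat or the ISAPI redirector): a minimal Python decoder for the AJP/1.3 Forward Request that reports whether the remote_user (0x03) and auth_type (0x04) attributes are present, which is what getRemoteUser() and getAuthType() return when tomcatAuthentication="false". The sample packets, host name, address and user name are constructed for illustration.

```python
import struct

# Optional attribute codes of an AJP/1.3 Forward Request; 0x03 and 0x04 are
# the two the original post reports as missing. 0xFF ends the attribute list.
ATTRIBUTES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0A: "req_attribute", 0x0B: "ssl_key_size", 0x0C: "secret",
              0x0D: "stored_method"}


class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated AJP packet")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):
        return self.take(1)[0]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def string(self):
        length = self.u16()
        if length == 0xFFFF:  # AJP encoding of a null string
            return None
        text = self.take(length).decode("latin-1")
        if self.u8() != 0:
            raise ValueError("AJP string is not NUL-terminated")
        return text


def parse_forward_request(packet):
    """Decode one web-server-to-container Forward Request packet."""
    r = Reader(packet)
    if r.take(2) != b"\x12\x34":
        raise ValueError("bad magic: not sent by a web server")
    if r.u16() != len(packet) - 4:
        raise ValueError("length field does not match the payload")
    if r.u8() != 0x02:
        raise ValueError("not a Forward Request (prefix code 0x02)")
    req = {"method_code": r.u8(), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.u16(),
           "is_ssl": bool(r.u8()), "headers": [], "attributes": {}}
    for _ in range(r.u16()):
        if packet[r.pos:r.pos + 1] == b"\xa0":  # common header sent as 0xA0xx
            name = "0x%04X" % r.u16()
        else:
            name = r.string()
        req["headers"].append((name, r.string()))
    while True:
        code = r.u8()
        if code == 0xFF:
            return req
        name = ATTRIBUTES.get(code)
        if name is None:
            raise ValueError("unknown attribute code 0x%02X" % code)
        if name == "req_attribute":  # carries its own name, then a value
            key = r.string()
            req["attributes"].setdefault(name, {})[key] = r.string()
        elif name == "ssl_key_size":  # the only integer-valued attribute
            req["attributes"][name] = r.u16()
        else:
            req["attributes"][name] = r.string()


def forwarded_identity(packet):
    """Return (auth_type, remote_user); None marks an absent attribute."""
    attrs = parse_forward_request(packet)["attributes"]
    return attrs.get("auth_type"), attrs.get("remote_user")


def ajp_string(value):
    raw = value.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_sample(attributes):
    """Constructed sample packet; host, address and user values are made up."""
    body = (b"\x02\x02" + ajp_string("HTTP/1.1")  # Forward Request, GET
            + ajp_string("/s2wweb/faces/login.xhtml")
            + ajp_string("192.0.2.10") + ajp_string("192.0.2.10")
            + ajp_string("iis.example.test")
            + struct.pack(">HBH", 443, 1, 1)  # port, is_ssl, header count
            + b"\xa0\x0b" + ajp_string("iis.example.test"))  # coded Host
    body += b"".join(bytes([c]) + ajp_string(v) for c, v in attributes) + b"\xff"
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    print(forwarded_identity(build_sample([(0x03, "EXAMPLE\\alice"), (0x04, "NTLM")])))
    print(forwarded_identity(build_sample([])))
```

With tomcatAuthentication="false" Tomcat accepts the remote_user value exactly as it arrives over AJP, so the connector port (8009 here) should be reachable only from the IIS hosts.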


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Paolo Clerici <cl...@gmail.com>.
> Sorry, I haven't read the whole thread, but a basic question :
> In the tomcat AJP Connector configuration, is "tomcatAuthentication" set to "no" ?

tomcatAuthentication is disabled (see configuration below)
<Connector port="8009" tomcatAuthentication="false" protocol="AJP/1.3"
redirectPort="8443" />

The same Tomcat instance with an IIS 6.1 as a reverse proxy works fine.

Thanks,
Paolo



On Thu, 15 Jul 2021 at 15:29, André Warnier (tomcat/perl)
<aw...@ice-sa.com> wrote:
>
> Sorry, I haven't read the whole thread, but a basic question :
> In the tomcat AJP Connector configuration, is "tomcatAuthentication" set to "no" ?
> https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Common_Attributes
>


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by "André Warnier (tomcat/perl)" <aw...@ice-sa.com>.
Sorry, I haven't read the whole thread, but a basic question :
In the tomcat AJP Connector configuration, is "tomcatAuthentication" set to "no" ?
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Common_Attributes



Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Mark Thomas <ma...@apache.org>.
On 19/07/2021 10:20, Mark Thomas wrote:
> On 13/07/2021 16:35, Paolo Clerici wrote:
>>> I don't see any ISAPI redirector set up there. I was expecting to see
>>> something like the steps described here:
>>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>> Yes, if I have not missed something, I think I have done everything
>> that is written in the document.
>> The only differences are that there are two sites "prod" and "test" so
>> the only differences for "test" are:
>> 1) Dll folder: C:\Apache Software Foundation\Jakarta Isapi Redirector\test\bin
>> 2) ISAPI filter name: "Jakarta Connector test" (not "tomcat")
>>
>> isapi_redirect.properties file content:
>> extension_uri=/jakarta/isapi_redirect.dll
>> log_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\log\mod_jk.log
>> log_level=warn
>> worker_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\workers.properties
>> worker_mount_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\uriworkermap.properties
>>
>> workers.properties file content:
>> worker.list=dgroupnex02,dgroupnex01
>> worker.dgroupnex02.type=ajp13
>> worker.dgroupnex02.host=10.1.2.93
>> worker.dgroupnex02.port=8009
>> worker.dgroupnex01.type=ajp13
>> worker.dgroupnex01.host=10.1.2.39
>> worker.dgroupnex01.port=8009
>>
>> uriworkermap.properties file content:
>> /S2W/*=dgroupnex02
>> /s2wweb/*=dgroupnex01
>> /websat/*=dgroupnex02
>>
>> I would like to tell you that ISAPI redirection of all virtual folders
>> works perfectly. The only thing that doesn't work is sending the
>> authorization type and user from IIS to Tomcat.
>> The only application that needs this functionality is "s2wweb".
> 
> How did you create the s2wweb virtual directory? Please provide exact 
> steps. Was it created under the test site or under the jakarta virtual 
> directory?
> 
> To be honest, I am far from convinced that I have recreated your 
> configuration. Receiving the configuration bit by bit and ambiguities in 
> the information received (is the test site configured for anon 
> authentication, windows authentication or both?) makes me think at least 
> one key bit of information is missing.
> 
> Can you provide the complete set of steps required to configure a clean 
> IIS 10 install to recreate this issue?

I have also been trying to recreate your IIS 6.1 setup without success. 
Which versions are you using for:
- operating system
- ISAPI connector
- Tomcat
?

And, similarly to above, what are the steps to recreate your test setup 
from a clean IIS install?

Mark



Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Paolo Clerici <cl...@gmail.com>.
Hi Mark,
Today I finally managed to solve the problem.
The problem was due to the fact that Windows Authentication was
enabled only at the level of the "s2wweb" virtual folder and not at
the level of the "Jackarta Connector" virtual folder (at the same
level as "s2wweb").
Thanks for the support and sorry for the mistake.

Paolo


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Mark Thomas <ma...@apache.org>.
On 13/07/2021 16:35, Paolo Clerici wrote:
>> I don't see any ISAPI redirector set up there. I was expecting to see
>> something like the steps described here:
>> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> Yes, if I have not missed something, I think I have done everything
> that is written in the document.
> The only differences are that there are two sites "prod" and "test" so
> the only differences for "test" are:
> 1) Dll folder: C:\Apache Software Foundation\Jakarta Isapi Redirector\test\bin
> 2) ISAPI filter name: "Jakarta Connector test" (not "tomcat")
> 
> isapi_redirect.properties file content:
> extension_uri=/jakarta/isapi_redirect.dll
> log_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\log\mod_jk.log
> log_level=warn
> worker_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\workers.properties
> worker_mount_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\uriworkermap.properties
> 
> workers.properties file content:
> worker.list=dgroupnex02,dgroupnex01
> worker.dgroupnex02.type=ajp13
> worker.dgroupnex02.host=10.1.2.93
> worker.dgroupnex02.port=8009
> worker.dgroupnex01.type=ajp13
> worker.dgroupnex01.host=10.1.2.39
> worker.dgroupnex01.port=8009
> 
> uriworkermap.properties file content:
> /S2W/*=dgroupnex02
> /s2wweb/*=dgroupnex01
> /websat/*=dgroupnex02
> 
> I would like to tell you that ISAPI redirection of all virtual folders
> works perfectly. The only thing that doesn't work is sending the
> authorization type and user from IIS to Tomcat.
> The only application that needs this functionality is "s2wweb".

How did you create the s2wweb virtual directory? Please provide exact 
steps. Was it created under the test site or under the jakarta virtual 
directory?

To be honest, I am far from convinced that I have recreated your 
configuration. Receiving the configuration bit by bit and ambiguities in 
the information received (is the test site configured for anon 
authentication, windows authentication or both?) makes me think at least 
one key bit of information is missing.

Can you provide the complete set of steps required to configure a clean 
IIS 10 install to recreate this issue?

Mark



Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Paolo Clerici <cl...@gmail.com>.
> I don't see any ISAPI redirector set up there. I was expecting to see
> something like the steps described here:
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
Yes, if I have not missed something, I think I have done everything
that is written in the document.
The only differences are that there are two sites "prod" and "test" so
the only differences for "test" are:
1) Dll folder: C:\Apache Software Foundation\Jakarta Isapi Redirector\test\bin
2) ISAPI filter name: "Jakarta Connector test" (not "tomcat")

isapi_redirect.properties file content:
extension_uri=/jakarta/isapi_redirect.dll
log_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\log\mod_jk.log
log_level=warn
worker_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\workers.properties
worker_mount_file=C:\Apache Software Foundation\Jakarta Isapi Redirector\test\conf\uriworkermap.properties

workers.properties file content:
worker.list=dgroupnex02,dgroupnex01
worker.dgroupnex02.type=ajp13
worker.dgroupnex02.host=10.1.2.93
worker.dgroupnex02.port=8009
worker.dgroupnex01.type=ajp13
worker.dgroupnex01.host=10.1.2.39
worker.dgroupnex01.port=8009

uriworkermap.properties file content:
/S2W/*=dgroupnex02
/s2wweb/*=dgroupnex01
/websat/*=dgroupnex02

I would like to tell you that ISAPI redirection of all virtual folders
works perfectly. The only thing that doesn't work is sending the
authorization type and user from IIS to Tomcat.
The only application that needs this functionality is "s2wweb".

Thanks,
Paolo

On Tue, 13 Jul 2021 at 14:44, Mark Thomas
<ma...@apache.org> wrote:
>
> On 13/07/2021 12:29, Paolo Clerici wrote:
> > Hi Mark,
> >
> >> How did you set up the s2wweb virtual directory?
> > Physical Path: C:\Apache Software Foundation\virtual\test\s2wweb
> > Physical Path Credential: blank
> > Physical Path Credential Logon Type: Clear Text
> > Virtual Path: /s2wweb
> > Pass-through authentication: / Connect As: / Path credentials:
> > Application user (pass-through authentication)
>
> I don't see any ISAPI redirector set up there. I was expecting to see
> something like the steps described here:
>
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
>
> Mark


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Mark Thomas <ma...@apache.org>.
On 13/07/2021 12:29, Paolo Clerici wrote:
> Hi Mark,
> 
>> How did you set up the s2wweb virtual directory?
> Physical Path: C:\Apache Software Foundation\virtual\test\s2wweb
> Physical Path Credential: blank
> Physical Path Credential Logon Type: Clear Text
> Virtual Path: /s2wweb
> Pass-through authentication: / Connect As: / Path credentials:
> Application user (pass-through authentication)

I don't see any ISAPI redirector set up there. I was expecting to see 
something like the steps described here:

http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Mark


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Paolo Clerici <cl...@gmail.com>.
Hi Mark,

> How did you set up the s2wweb virtual directory?
Physical Path: C:\Apache Software Foundation\virtual\test\s2wweb
Physical Path Credential: blank
Physical Path Credential Logon Type: Clear Text
Virtual Path: /s2wweb
Pass-through authentication: / Connect As: / Path credentials:
Application user (pass-through authentication)

Thanks,
Paolo
On Tue, 13 Jul 2021 at 10:27, Mark Thomas
<ma...@apache.org> wrote:
>
> On 13/07/2021 08:49, Paolo Clerici wrote:
> > Hi Mark,
> >
> >> Are you connecting from a machine that isn't part of the Windows AD?
> > I have tried both from PCs connected to AD and from PCs not connected to AD.
> >
> >> Normally, I'd expect authentication to work without any password prompt.
> > If I connect from PC AD I am not asked for credentials (correct). If I
> > connect from a non-AD PC I am prompted for credentials (correctly).
> > The credential check is done correctly by IIS.
> >
> >> Are any other authentication mechanisms enabled?
> > For virtual directory "s2wweb" only "Windows Authentication" is
> > enabled ("Anonymous Authentication" is disabled). For site "test" is
> > enabled "Anonymous Authentication".
> >
> >> Are your two test machines (working and not working) connecting to the
> >> same Tomcat instance (and on the same port)?
> > Yes.
> > Current IIS server needs to be migrated to a new IIS server. The
> > current server (Windows Server 2008 R2 with IIS 6.1) is connected to
> > the same Tomcat server (another Windows Server 2008 R2 with Tomcat
> > 7.0) on the same port (8009).
>
> Again, testing a similar setup locally works as expected. The
> authenticated Windows user name is passed to Tomcat.
>
> How did you set up the s2wweb virtual directory?
>
> Mark
>


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Mark Thomas <ma...@apache.org>.
On 13/07/2021 08:49, Paolo Clerici wrote:
> Hi Mark,
> 
>> Are you connecting from a machine that isn't part of the Windows AD?
> I have tried both from PCs connected to AD and from PCs not connected to AD.
> 
>> Normally, I'd expect authentication to work without any password prompt.
> If I connect from an AD PC I am not asked for credentials (correct). If I
> connect from a non-AD PC I am prompted for credentials (correctly).
> The credential check is done correctly by IIS.
> 
>> Are any other authentication mechanisms enabled?
> For virtual directory "s2wweb" only "Windows Authentication" is
> enabled ("Anonymous Authentication" is disabled). For site "test",
> "Anonymous Authentication" is enabled.
> 
>> Are your two test machines (working and not working) connecting to the
>> same Tomcat instance (and on the same port)?
> Yes.
> Current IIS server needs to be migrated to a new IIS server. The
> current server (Windows Server 2008 R2 with IIS 6.1) is connected to
> the same Tomcat server (another Windows Server 2008 R2 with Tomcat
> 7.0) on the same port (8009).

Again, testing a similar setup locally works as expected. The 
authenticated Windows user name is passed to Tomcat.

How did you set up the s2wweb virtual directory?

Mark



Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Paolo Clerici <cl...@gmail.com>.
Hi Mark,

> Are you connecting from a machine that isn't part of the Windows AD?
I have tried both from PCs connected to AD and from PCs not connected to AD.

> Normally, I'd expect authentication to work without any password prompt.
If I connect from an AD PC I am not asked for credentials (correct). If I
connect from a non-AD PC I am prompted for credentials (correctly).
The credential check is done correctly by IIS.

> Are any other authentication mechanisms enabled?
For virtual directory "s2wweb" only "Windows Authentication" is
enabled ("Anonymous Authentication" is disabled). For site "test",
"Anonymous Authentication" is enabled.

> Are your two test machines (working and not working) connecting to the
> same Tomcat instance (and on the same port)?
Yes.
Current IIS server needs to be migrated to a new IIS server. The
current server (Windows Server 2008 R2 with IIS 6.1) is connected to
the same Tomcat server (another Windows Server 2008 R2 with Tomcat
7.0) on the same port (8009).

Thank you very much,
Paolo





On Mon, 12 Jul 2021 at 20:10, Mark Thomas
<ma...@apache.org> wrote:
>
> On 12/07/2021 07:21, Paolo Clerici wrote:
> > Hi Mark,
> > 1) Start the Internet Information Services (IIS) Manager.
> > 2) Locate and select site "test" in the IIS tree.
> > 3) Double-click the Authentication icon.
> > 4) Select Windows Authentication.
> > 5) Click Enable in the Actions menu.
> > 6) Restart IIS
> >
> > When I request the resource "https://qa-b2b.dasitgroup.it/s2wweb/" I
> > am asked for my Windows credentials.
>
> Are you connecting from a machine that isn't part of the Windows AD?
> Normally, I'd expect authentication to work without any password prompt.
>
> Are any other authentication mechanisms enabled?
>
> Are your two test machines (working and not working) connecting to the
> same Tomcat instance (and on the same port)?
>
> Mark
>
>
> >
> > Thank you,
> > Paolo
> >
> >
> > On Fri, 9 Jul 2021 at 18:56, Mark Thomas <ma...@apache.org>
> > wrote:
> >>
> >> On 09/07/2021 16:59, Paolo Clerici wrote:
> >>> I use IIS 10.0 as a reverse proxy of Tomcat 7.
> >>> IIS 10.0 uses Windows Authentication.
> >>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> >>> method I get the null value.
> >>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> >>> method I get the null value.
> >>> Using IIS 6.1 with the same version of Tomcat everything works fine.
> >>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> >>> method I get "NTLM" string.
> >>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> >>> method I get the name of the user who authenticated with IIS.
> >>> The configuration of the two versions of IIS appears to be the same.
> >>
> >> Clearly it isn't the same since when I tested this with IIS 10.0 it
> >> worked exactly as expected.
> >>
> >>> Seems to be missing some AJP headers including: remote_user (0x03) and
> >>> auth_type (0x04) which instead are sent from IIS 6.1.
> >>>
> >>> Below isapi connector debug log (auth and user are null):
> >>> Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug]
> >>> init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1
> >>> method=GET host=10.10.12.102 addr=10.10.12.102
> >>> name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null)
> >>> uri=/s2wweb/faces/login.xhtml
> >>
> >> That points to an IIS configuration issue.
> >> How did you configure authentication?
> >>
> >> Mark
> >>
> >>>
> >>> Product: Tomcat Connectors
> >>> Component: isapi
> >>> Version: 1.2.48
> >>> Windows version: Windows Server 2016
> >>> IIS Version: 10.0
> >>> Tomcat version: 7


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Mark Thomas <ma...@apache.org>.
On 12/07/2021 07:21, Paolo Clerici wrote:
> Hi Mark,
> 1) Start the Internet Information Services (IIS) Manager.
> 2) Locate and select site "test" in the IIS tree.
> 3) Double-click the Authentication icon.
> 4) Select Windows Authentication.
> 5) Click Enable in the Actions menu.
> 6) Restart IIS
> 
> When I request the resource "https://qa-b2b.dasitgroup.it/s2wweb/" I
> am asked for my Windows credentials.

Are you connecting from a machine that isn't part of the Windows AD? 
Normally, I'd expect authentication to work without any password prompt.

Are any other authentication mechanisms enabled?

Are your two test machines (working and not working) connecting to the 
same Tomcat instance (and on the same port)?

Mark


> 
> Thank you,
> Paolo
> 
> 
> On Fri, 9 Jul 2021 at 18:56, Mark Thomas <ma...@apache.org>
> wrote:
>>
>> On 09/07/2021 16:59, Paolo Clerici wrote:
>>> I use IIS 10.0 as a reverse proxy of Tomcat 7.
>>> IIS 10.0 uses Windows Authentication.
>>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
>>> method I get the null value.
>>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
>>> method I get the null value.
>>> Using IIS 6.1 with the same version of Tomcat everything works fine.
>>> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
>>> method I get "NTLM" string.
>>> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
>>> method I get the name of the user who authenticated with IIS.
>>> The configuration of the two versions of IIS appears to be the same.
>>
>> Clearly it isn't the same since when I tested this with IIS 10.0 it
>> worked exactly as expected.
>>
>>> Seems to be missing some AJP headers including: remote_user (0x03) and
>>> auth_type (0x04) which instead are sent from IIS 6.1.
>>>
>>> Below isapi connector debug log (auth and user are null):
>>> Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug]
>>> init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1
>>> method=GET host=10.10.12.102 addr=10.10.12.102
>>> name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null)
>>> uri=/s2wweb/faces/login.xhtml
>>
>> That points to an IIS configuration issue.
>> How did you configure authentication?
>>
>> Mark
>>
>>>
>>> Product: Tomcat Connectors
>>> Component: isapi
>>> Version: 1.2.48
>>> Windows version: Windows Server 2016
>>> IIS Version: 10.0
>>> Tomcat version: 7


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Paolo Clerici <cl...@gmail.com>.
Hi Mark,
1) Start the Internet Information Services (IIS) Manager.
2) Locate and select site "test" in the IIS tree.
3) Double-click the Authentication icon.
4) Select Windows Authentication.
5) Click Enable in the Actions menu.
6) Restart IIS

When I request the resource "https://qa-b2b.dasitgroup.it/s2wweb/" I
am asked for my Windows credentials.

Thank you,
Paolo


On Fri, 9 Jul 2021 at 18:56, Mark Thomas <ma...@apache.org>
wrote:
>
> On 09/07/2021 16:59, Paolo Clerici wrote:
> > I use IIS 10.0 as a reverse proxy of Tomcat 7.
> > IIS 10.0 uses Windows Authentication.
> > When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> > method I get the null value.
> > When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> > method I get the null value.
> > Using IIS 6.1 with the same version of Tomcat everything works fine.
> > When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> > method I get "NTLM" string.
> > When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> > method I get the name of the user who authenticated with IIS.
> > The configuration of the two versions of IIS appears to be the same.
>
> Clearly it isn't the same since when I tested this with IIS 10.0 it
> worked exactly as expected.
>
> > Seems to be missing some AJP headers including: remote_user (0x03) and
> > auth_type (0x04) which instead are sent from IIS 6.1.
> >
> > Below isapi connector debug log (auth and user are null):
> > Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug]
> > init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1
> > method=GET host=10.10.12.102 addr=10.10.12.102
> > name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null)
> > uri=/s2wweb/faces/login.xhtml
>
> That points to an IIS configuration issue.
> How did you configure authentication?
>
> Mark
>
> >
> > Product: Tomcat Connectors
> > Component: isapi
> > Version: 1.2.48
> > Windows version: Windows Server 2016
> > IIS Version: 10.0
> > Tomcat version: 7


Re: IIS 10.0 as Tomcat reverse proxy does not send auth_type and remote_user AJP header

Posted by Mark Thomas <ma...@apache.org>.
On 09/07/2021 16:59, Paolo Clerici wrote:
> I use IIS 10.0 as a reverse proxy of Tomcat 7.
> IIS 10.0 uses Windows Authentication.
> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> method I get the null value.
> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> method I get the null value.
> Using IIS 6.1 with the same version of Tomcat everything works fine.
> When I run the javax.servlet.http.HttpServletRequest.getAuthType()
> method I get "NTLM" string.
> When I run the javax.servlet.http.HttpServletRequest.getRemoteUser()
> method I get the name of the user who authenticated with IIS.
> The configuration of the two versions of IIS appears to be the same.

Clearly it isn't the same since when I tested this with IIS 10.0 it 
worked exactly as expected.

> Seems to be missing some AJP headers including: remote_user (0x03) and
> auth_type (0x04) which instead are sent from IIS 6.1.
> 
> Below isapi connector debug log (auth and user are null):
> Fri Jul 09 17:00:52.743 2021] [4608:4712] [debug]
> init_ws_service::jk_isapi_plugin.c (3295): Service protocol=HTTP/1.1
> method=GET host=10.10.12.102 addr=10.10.12.102
> name=qa-b2b.dasitgroup.it port=443 auth=(null) user=(null)
> uri=/s2wweb/faces/login.xhtml

That points to an IIS configuration issue.
How did you configure authentication?

Mark

> 
> Product: Tomcat Connectors
> Component: isapi
> Version: 1.2.48
> Windows version: Windows Server 2016
> IIS Version: 10.0
> Tomcat version: 7


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
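
The thread turns on whether the connector puts remote_user (0x03) and auth_type (0x04) into the AJP13 Forward Request. The following is an added example, not part of the thread or of the Tomcat Connectors code: a small parser that lists the optional attributes in one such packet, so a capture taken on the Tomcat side of port 8009 can be checked directly. The function names, the sample builder and all sample values are constructed for illustration; the field layout follows the published AJP13 protocol description.

```python
import struct

# Optional-attribute codes of an AJP13 Forward Request (0x0A is handled apart).
ATTRS = {1: "context", 2: "servlet_path", 3: "remote_user", 4: "auth_type",
         5: "query_string", 6: "route", 7: "ssl_cert", 8: "ssl_cipher",
         9: "ssl_session", 11: "ssl_key_size", 12: "secret", 13: "stored_method"}

def ajp_string(text):
    raw = text.encode("latin-1")             # 2-byte length, bytes, trailing NUL
    return struct.pack(">H", len(raw)) + raw + b"\x00"

def build_sample(attrs):                     # constructed request, not a capture
    body = b"\x02\x02" + b"".join(ajp_string(v) for v in (
        "HTTP/1.1", "/app/login.xhtml", "192.0.2.10", "192.0.2.10", "app.example.test"))
    body += struct.pack(">HBH", 443, 1, 1)                # port, is_ssl, header count
    body += b"\xa0\x0b" + ajp_string("app.example.test")  # coded header name: host
    body += b"".join(bytes([c]) + ajp_string(v) for c, v in attrs) + b"\xff"
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

class Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]
    def string(self):
        n = self.u16()
        if n == 0xFFFF:                      # AJP encoding of a null string
            return None
        self.pos += n + 1                    # payload plus trailing NUL
        return self.data[self.pos - n - 1:self.pos - 1].decode("latin-1")

def forward_request_attrs(packet):           # returns {attribute name: value}
    r = Reader(packet)
    if len(packet) < 5 or r.u16() != 0x1234 or r.u16() != len(packet) - 4 or packet[4] != 2:
        raise ValueError("not a complete AJP13 Forward Request")
    r.pos += 2                               # prefix code, method code
    for _ in range(5):                       # protocol, URI, remote addr/host, server name
        r.string()
    r.pos += 3                               # server_port (2 bytes), is_ssl (1 byte)
    for _ in range(r.u16()):                 # each header: name, then value
        r.u16() if packet[r.pos] == 0xA0 else r.string()   # coded (0xA0xx) or literal name
        r.string()
    attrs = {}
    while (code := packet[r.pos]) != 0xFF:   # 0xFF terminates the request
        r.pos += 1
        name = "req_attribute:" + r.string() if code == 0x0A else ATTRS.get(code, hex(code))
        attrs[name] = r.u16() if code == 0x0B else r.string()
    return attrs
```

A request whose result has no remote_user or auth_type key matches the auth=(null) user=(null) line in the isapi debug log quoted above.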