You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by "Agrawal, Suraj (CORP)" <Su...@ADP.com> on 2018/01/03 17:31:02 UTC
RE: WELCOME to users@tomcat.apache.org
Hi Team,
We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache to host javacontainer for Rest calls for our Siebel application. The javacontainer is listening to Port 9001 as below-
<Connector port="9001" redirectPort="8443" connectionTimeout="20000" protocol="HTTP/1.1"/>
We are trying to setup Windows Authentication in Apache by using Reverse Proxy with IIS, and have followed the below steps as per the Apache documentation.
---Steps followed :
There are three steps to configuring IIS to provide Windows authentication. They are:
1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
---- This is done and working as expected
2. Configure IIS to use Windows authentication
---- This is done and working as expected
3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization.
Q1 ---- We were able to configure the reverse proxy with Anon user but the Windows authentication is failing at Apache level with below error :-
Thread[http-nio-9001-exec-15,5,main] [2017-12-27 13:17:12.637] [null] Error while login : The username cannot be empty. Please select a username.
Q2 ---- Our configuration is using "HTTP" protocol, do we need to change the server.xml entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False"
Q3 ---- Do we need to install AJP connector on top of Tomcat or its installed by default, or we do not need it for Windows Authentication.
Thanks & Regards,
Suraj Agrawal
-----Original Message-----
From: users-help@tomcat.apache.org [mailto:users-help@tomcat.apache.org]
Sent: Wednesday, January 3, 2018 12:03 PM
To: Agrawal, Suraj (CORP) <Su...@ADP.com>
Subject: WELCOME to users@tomcat.apache.org
Hi! This is the ezmlm program. I'm managing the users@tomcat.apache.org mailing list.
I'm working for my owner, who can be reached at users-owner@tomcat.apache.org.
Acknowledgment: I have added the address
suraj.agrawal@adp.com
to the users mailing list.
Welcome to users@tomcat.apache.org!
Please save this message so that you know the address you are subscribed under, in case you later want to unsubscribe or change your subscription address.
--- Administrative commands for the users list ---
I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address:
To subscribe to the list, send a message to:
<us...@tomcat.apache.org>
To remove your address from the list, send a message to:
<us...@tomcat.apache.org>
Send mail to the following for info and FAQ for this list:
<us...@tomcat.apache.org>
<us...@tomcat.apache.org>
Similar addresses exist for the digest list:
<us...@tomcat.apache.org>
<us...@tomcat.apache.org>
To get messages 123 through 145 (a maximum of 100 per request), mail:
<us...@tomcat.apache.org>
To get an index with subject and author for messages 123-456 , mail:
<us...@tomcat.apache.org>
They are always returned as sets of 100, max 2000 per request, so you'll actually get 100-499.
To receive all messages with the same subject as message 12345, send a short message to:
<us...@tomcat.apache.org>
The messages should contain one line or word of text to avoid being treated as sp@m, but I will ignore their content.
Only the ADDRESS you send to is important.
You can start a subscription for an alternate address, for example "john@host.domain", just add a hyphen and your address (with '=' instead of '@') after the command word:
<us...@tomcat.apache.org>
To stop subscription for this address, mail:
<us...@tomcat.apache.org>
In both cases, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete your subscription.
If despite following these instructions, you do not get the desired results, please contact my owner at users-owner@tomcat.apache.org. Please be patient, my owner is a lot slower than I am ;-)
--- Enclosed is a copy of the request I received.
Return-Path: <su...@adp.com>
Received: (qmail 46578 invoked by uid 99); 3 Jan 2018 17:02:40 -0000
Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jan 2018 17:02:40 +0000
Received: from localhost (localhost [127.0.0.1])
by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 0FA551805A5
for <us...@tomcat.apache.org>; Wed, 3 Jan 2018 17:02:40 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: -2.311
X-Spam-Level:
X-Spam-Status: No, score=-2.311 tagged_above=-999 required=6.31
tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3,
SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled
Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
dkim=pass (2048-bit key) header.d=es.adp.com
Received: from mx1-lw-us.apache.org ([10.40.0.8])
by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
with ESMTP id VFHSDlZ9kk9y
for <us...@tomcat.apache.org>;
Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
Received: from mail4-6.adp.com (mail4-6.adp.com [170.146.221.105])
by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 9A4315FB29
for <us...@tomcat.apache.org>; Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
Received: from pps.filterd (dc2prppedgevm06.sd.adp.com [127.0.0.1])
by dc2prppedgevm06.sd.adp.com (8.16.0.21/8.16.0.21) with SMTP id w03GvxXt011778
for <us...@tomcat.apache.org>; Wed, 3 Jan 2018 11:02:31 -0600
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.adp.com; h=from : to : subject :
date : message-id : references : in-reply-to : content-type :
content-transfer-encoding : mime-version; s=2013-03; bh=aP5VBhFXgJhRyaRmb2T5ltGt/4Mv6AIvp4DB+4uULA0=;
b=cSpf/vMw+LoBgf6quydKf8gNyybQhXN6Wh7LWaKI3I1FNPFXpgfm3XIoIM3tqGV3BBPZ
n/FajyhvuuVMAjSaLeXMOw8HdOPObRpCPuZj8+HoBLIHCJp/v3yqDHWf+5tgPsaKoixf
xXOMrjbTSofmv26WqLXXet6L1EPvCVgzYbGbkjOCsGsThX1MznHAUPWLArnGZAICScxb
PVLzDGDi81nqGv8gDmhZufpOJL5wOz5OMpetvZRc1rA4P+MiLmCI/2dqdR+cSmnTsHWw
diV5ODor6I7RB9mGAp8VaNrLIgjxUaD4LIOqd8hqTte9HDA0HW6PR8cRlmr6BvkupSTv jQ==
Received: from dc2prmbx02p.es.ad.adp.com ([11.2.5.19])
by dc2prppedgevm06.sd.adp.com with ESMTP id 2f67w8ndn2-4
for <us...@tomcat.apache.org>; Wed, 03 Jan 2018 11:02:31 -0600
Received: from DC2PRMBX05A.ES.AD.ADP.com ([fe80::1e1:f4e3:4aed:9909]) by DC2PRMBX02P.ES.AD.ADP.com ([fe80::695f:11b4:5169:ada6%18]) with mapi id 14.03.0352.000; Wed, 3 Jan 2018 12:02:26 -0500
From: "Agrawal, Suraj (CORP)" <Su...@ADP.com>
To: "users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org"
<us...@tomcat.apache.org>
Subject: RE: confirm subscribe to users@tomcat.apache.org
Thread-Topic: confirm subscribe to users@tomcat.apache.org
Thread-Index: AQHThLRUpZwjd7YbAkO+bYwSp9hqOqNiX7Vw
Date: Wed, 3 Jan 2018 17:02:25 +0000
Message-ID: <28...@DC2PRMBX05A.ES.AD.ADP.com>
References: <15...@tomcat.apache.org>
In-Reply-To: <15...@tomcat.apache.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [11.10.48.211]
x-originalrecipientaddress: users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-03_12:,,
signatures=0
----------------------------------------------------------------------
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: WELCOME to users@tomcat.apache.org
Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Additional suggestion : the next time, use a meaningful subject for your emails to the
list, indicating the kind of issue your are stuck with.
That will help people here to see quickly if they can respond usefully to your questions,
without having to read the whole message.
bad : hit "reply" on a previous unrelated message
bad : !! URGENT HELP NEEDED !!
bad : Problem with Tomcat !!!
good : authentication via IIS front-end proxy
good : hit "reply list" on the previous *related* message
On 04.01.2018 15:07, André Warnier (tomcat) wrote:
> Hi.
>
> On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:
>> Hi Team,
>>
>> We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache to host
>> javacontainer for Rest calls for our Siebel application. The javacontainer is listening
>> to Port 9001 as below-
>>
>> <Connector port="9001" redirectPort="8443" connectionTimeout="20000" protocol="HTTP/1.1"/>
>>
>> We are trying to setup Windows Authentication in Apache by using Reverse Proxy with IIS,
>> and have followed the below steps as per the Apache documentation.
>>
>> ---Steps followed :
>> There are three steps to configuring IIS to provide Windows authentication. They are:
>> 1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
>> ---- This is done and working as expected
>
> There is a bit of confusing information in the page
> http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it
> mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat
> containers". In fact, "mod_jk" and "ISAPI redirector" are functionaly the same thing (and
> probably much the same code), but
> - mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under
> Linux and/or Windows)
> - isapi_redirector is the plugin proxy module to use with an IIS webserver front-end
> (Windows only)
>
> But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is
> AJP, not HTTP.
> So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the
> HTTP Connector.
>
> The AJP protocol is somewhat different from HTTP :
> - both essentially carry the same information (requests and responses)
> but
> - HTTP carries all its information back and forth in a text form as per HTTP RFC
> - AJP encodes some of this information in a binary form (a bit more efficient)
> - one of the "binary" parameters which the AJP protocol does transmit from the front-end
> to the back-end, is the authenticated user-id on the front-end, if any.
> (HTTP does not normally do this in any standard way).
>
> At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false)
> serves to tell Tomcat to either "believe" (false) the user-id that it receives from the
> front-end through AJP, or to ignore it (true) and do its own authentication anyway.
>
> At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP
> Connector (and protocol).
> See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
> (tomcatAuthentication AND tomcatAuthorization)
>
> while here : http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
> this attribute is not mentioned (so if you add it, it will simply be ignored).
>
>>
>> 2. Configure IIS to use Windows authentication
>> ---- This is done and working as expected
>>
>> 3. Configure Tomcat to use the authentication user information from IIS by setting the
>> tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the
>> tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat
>> performs the authorization.
>>
>
> Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)
>
>> Q1 ---- We were able to configure the reverse proxy with Anon user but the Windows
>> authentication is failing at Apache level with below error :-
>> Thread[http-nio-9001-exec-15,5,main] [2017-12-27 13:17:12.637] [null] Error while
>> login : The username cannot be empty. Please select a username.
>>
>
> Your problem may be there, with this "anonymous" authentication at the IIS level. Maybe
> the isapi_redirector interprets this as "no user", and transmits an empty user-id to
> Tomcat. Have you tried with a real Windows-level user-id ?
>
>
>> Q2 ---- Our configuration is using "HTTP" protocol, do we need to change the server.xml
>> entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False"
>>
>
> Yes, probably.
>
>> Q3 ---- Do we need to install AJP connector on top of Tomcat or its installed by
>> default, or we do not need it for Windows Authentication.
>>
>
> You do need it.
> It is provided by default, but you may need to uncomment the corresponding lines in the
> server.xml file.
> Considering your previous statements above, make sure that the HTTP Connector (if any) and
> the AJP Connector (if any) use different ports.
> And on the IIS/ISAPI redirector side, make sure that the settings specify the correct
> (AJP) port.
>
> This is all quite logical, but a bit convoluted, due to the many ways in which you can use
> a front-end with Tomcat, and the many ways in which one can do
> authentication/authorization in the WWW.
>
> I have found that it often helps to draw a schema in advance, such as
>
> browser <--(1)--> front-end (2) <-----(4)---> tomcat (5)
> + proxy module (3) + Connector(6)
>
> where :
> (1) is the protocol used between the browser and the front-end http server (HTTP or HTTPS)
> (2) is the front-end webserver (Apache httpd or IIS (or others)), which can be doing its
> own authentication/authorization or not
> (3) is the proxy module add-on to (2). There are a number of possibilities here,
> depending on (2) and (4)
> (4) is the protocol used between the front-end webserver and Tomcat (HTTP, HTTPS or AJP)
> (5) is Tomcat, which can be doing its own authentication/authorization or not
> (6) is the Tomcat Connector, which depends on (3) and (4)
>
> Depending on the circumstances and on what you want to achieve in the end, the variable
> elements above allow for a lot of combinations. And that of course makes it rather
> difficult to provide a fully comprehensive, all-in-one-place documentation.
>
>
>>
>> Thanks & Regards,
>> Suraj Agrawal
>>
>>
>> -----Original Message-----
>> From: users-help@tomcat.apache.org [mailto:users-help@tomcat.apache.org]
>> Sent: Wednesday, January 3, 2018 12:03 PM
>> To: Agrawal, Suraj (CORP) <Su...@ADP.com>
>> Subject: WELCOME to users@tomcat.apache.org
>>
>> Hi! This is the ezmlm program. I'm managing the users@tomcat.apache.org mailing list.
>>
>> I'm working for my owner, who can be reached at users-owner@tomcat.apache.org.
>>
>> Acknowledgment: I have added the address
>>
>> suraj.agrawal@adp.com
>>
>> to the users mailing list.
>>
>> Welcome to users@tomcat.apache.org!
>>
>> Please save this message so that you know the address you are subscribed under, in case
>> you later want to unsubscribe or change your subscription address.
>>
>>
>> --- Administrative commands for the users list ---
>>
>> I can handle administrative requests automatically. Please do not send them to the list
>> address! Instead, send your message to the correct command address:
>>
>> To subscribe to the list, send a message to:
>> <us...@tomcat.apache.org>
>>
>> To remove your address from the list, send a message to:
>> <us...@tomcat.apache.org>
>>
>> Send mail to the following for info and FAQ for this list:
>> <us...@tomcat.apache.org>
>> <us...@tomcat.apache.org>
>>
>> Similar addresses exist for the digest list:
>> <us...@tomcat.apache.org>
>> <us...@tomcat.apache.org>
>>
>> To get messages 123 through 145 (a maximum of 100 per request), mail:
>> <us...@tomcat.apache.org>
>>
>> To get an index with subject and author for messages 123-456 , mail:
>> <us...@tomcat.apache.org>
>>
>> They are always returned as sets of 100, max 2000 per request, so you'll actually get
>> 100-499.
>>
>> To receive all messages with the same subject as message 12345, send a short message to:
>> <us...@tomcat.apache.org>
>>
>> The messages should contain one line or word of text to avoid being treated as sp@m, but
>> I will ignore their content.
>> Only the ADDRESS you send to is important.
>>
>> You can start a subscription for an alternate address, for example "john@host.domain",
>> just add a hyphen and your address (with '=' instead of '@') after the command word:
>> <us...@tomcat.apache.org>
>>
>> To stop subscription for this address, mail:
>> <us...@tomcat.apache.org>
>>
>> In both cases, I'll send a confirmation message to that address. When you receive it,
>> simply reply to it to complete your subscription.
>>
>> If despite following these instructions, you do not get the desired results, please
>> contact my owner at users-owner@tomcat.apache.org. Please be patient, my owner is a lot
>> slower than I am ;-)
>>
>> --- Enclosed is a copy of the request I received.
>>
>> Return-Path: <su...@adp.com>
>> Received: (qmail 46578 invoked by uid 99); 3 Jan 2018 17:02:40 -0000
>> Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org)
>> (209.188.14.142)
>> by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jan 2018 17:02:40 +0000
>> Received: from localhost (localhost [127.0.0.1])
>> by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with
>> ESMTP id 0FA551805A5
>> for
>> <us...@tomcat.apache.org>;
>> Wed, 3 Jan 2018 17:02:40 +0000 (UTC)
>> X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
>> X-Spam-Flag: NO
>> X-Spam-Score: -2.311
>> X-Spam-Level:
>> X-Spam-Status: No, score=-2.311 tagged_above=-999 required=6.31
>> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3,
>> SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled
>> Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
>> dkim=pass (2048-bit key) header.d=es.adp.com
>> Received: from mx1-lw-us.apache.org ([10.40.0.8])
>> by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
>> with ESMTP id VFHSDlZ9kk9y
>> for <us...@tomcat.apache.org>;
>> Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
>> Received: from mail4-6.adp.com (mail4-6.adp.com [170.146.221.105])
>> by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id
>> 9A4315FB29
>> for
>> <us...@tomcat.apache.org>;
>> Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
>> Received: from pps.filterd (dc2prppedgevm06.sd.adp.com [127.0.0.1])
>> by dc2prppedgevm06.sd.adp.com (8.16.0.21/8.16.0.21) with SMTP id w03GvxXt011778
>> for
>> <us...@tomcat.apache.org>; Wed,
>> 3 Jan 2018 11:02:31 -0600
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.adp.com; h=from : to : subject :
>> date : message-id : references : in-reply-to : content-type :
>> content-transfer-encoding : mime-version; s=2013-03;
>> bh=aP5VBhFXgJhRyaRmb2T5ltGt/4Mv6AIvp4DB+4uULA0=;
>> b=cSpf/vMw+LoBgf6quydKf8gNyybQhXN6Wh7LWaKI3I1FNPFXpgfm3XIoIM3tqGV3BBPZ
>> n/FajyhvuuVMAjSaLeXMOw8HdOPObRpCPuZj8+HoBLIHCJp/v3yqDHWf+5tgPsaKoixf
>> xXOMrjbTSofmv26WqLXXet6L1EPvCVgzYbGbkjOCsGsThX1MznHAUPWLArnGZAICScxb
>> PVLzDGDi81nqGv8gDmhZufpOJL5wOz5OMpetvZRc1rA4P+MiLmCI/2dqdR+cSmnTsHWw
>> diV5ODor6I7RB9mGAp8VaNrLIgjxUaD4LIOqd8hqTte9HDA0HW6PR8cRlmr6BvkupSTv jQ==
>> Received: from dc2prmbx02p.es.ad.adp.com ([11.2.5.19])
>> by dc2prppedgevm06.sd.adp.com with ESMTP id 2f67w8ndn2-4
>> for
>> <us...@tomcat.apache.org>; Wed,
>> 03 Jan 2018 11:02:31 -0600
>> Received: from DC2PRMBX05A.ES.AD.ADP.com ([fe80::1e1:f4e3:4aed:9909]) by
>> DC2PRMBX02P.ES.AD.ADP.com ([fe80::695f:11b4:5169:ada6%18]) with mapi id 14.03.0352.000;
>> Wed, 3 Jan 2018 12:02:26 -0500
>> From: "Agrawal, Suraj (CORP)" <Su...@ADP.com>
>> To: "users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org"
>> <us...@tomcat.apache.org>
>> Subject: RE: confirm subscribe to users@tomcat.apache.org
>> Thread-Topic: confirm subscribe to users@tomcat.apache.org
>> Thread-Index: AQHThLRUpZwjd7YbAkO+bYwSp9hqOqNiX7Vw
>> Date: Wed, 3 Jan 2018 17:02:25 +0000
>> Message-ID: <28...@DC2PRMBX05A.ES.AD.ADP.com>
>> References: <15...@tomcat.apache.org>
>> In-Reply-To: <15...@tomcat.apache.org>
>> Accept-Language: en-US
>> Content-Language: en-US
>> X-MS-Has-Attach:
>> X-MS-TNEF-Correlator:
>> x-originating-ip: [11.10.48.211]
>> x-originalrecipientaddress:
>> users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org
>> Content-Type: text/plain; charset="us-ascii"
>> Content-Transfer-Encoding: quoted-printable
>> MIME-Version: 1.0
>> X-CFilter-Loop: Reflected
>> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,,
>> definitions=2018-01-03_12:,,
>> signatures=0
>>
>> ----------------------------------------------------------------------
>> This message and any attachments are intended only for the use of the addressee and may
>> contain information that is privileged and confidential. If the reader of the message is
>> not the intended recipient or an authorized representative of the intended recipient,
>> you are hereby notified that any dissemination of this communication is strictly
>> prohibited. If you have received this communication in error, notify the sender
>> immediately by return email and delete the message and any attachments from your system.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Tomcat authentication with IIS front-end (was: WELCOME to
users@tomcat.apache.org)
Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 08.01.2018 17:16, Agrawal, Suraj (CORP) wrote:
> Thanks Andre for the help,
>
> We are routing the request from IIS 7.5 to Apache using reverse Proxy. It seems like Apache is not allowing the authentication nor its accepting the username and password passed from IIS.
>
First a note : IIS will never forward the user password to Tomcat, for the simple reason
that IIS *does not know* the user's password. All it knows is a user-id, and that this
user-id has been verified and is valid.
Neither does Tomcat need the user's password, in the configuration which you are trying to
set up. All it gets (and needs) is the user-id forwarded by IIS, because with
'tomcatAuthentication="false"', Tomcat will "believe and accept" the user-id forwarded by
IIS/isapi_redirector, and it will not need to verify it anymore.
> -- The AJP connector details in Server to XML were uncommented as shown in below, we added tomcatAuthentication="false" and still it was failing with empty username and password error.
>
> <Connector port="8010" tomcatAuthentication="false" protocol="AJP/1.3" redirectPort="8443" />
>
That is correct, as far as the Tomcat side is concerned, and as long as the
isapi_redirector (at the IIS level), is configured to "talk to" Tomcat on that port 8010.
> -- We are currently on Apache Tomcat 8.0.22, this is installation was part of our Siebel application suite, thus could not have all the necessary connector setting installed in it. Is there a way we can check and install AJP connector on the top of Apache Tomcat we got as a part of Siebel Application.
>
> -- Also with IIS we were using [UserSpecSource = Server] and [UserSpec = REMOTE_USER], are they the correct value for Tomcat webserver as well.
>
I do not know the Siebel application suite, and I have no idea what its own requirements
may be, in terms of user authentication.
But for the sake of the following, I will assume that this application suite is a
"standard webapp", and such that if the user is already authenticated by Tomcat when the
Siebel application is called, then that is enough for Siebel, and Siebel can retrieve this
user-id from Tomcat itself.
I also have no idea what exact parameters are required at the IIS level, so that it does
effectively authenticate the user using Windows Integrated Authentication, when the
browser requests one of the URLs which is to be proxied to Tomcat.
I must say however that the "[UserSpecSource = Server] and [UserSpec = REMOTE_USER]"
parameters somehow smell wrong to me, because the "[UserSpec = REMOTE_USER]" part, seems
to indicate that it is IIS itself which would expect such a "REMOTE_USER" HTTP header to
be already present in the browser's request to IIS (which it normally is not, if you are
really using Windows authentication between the browser and IIS). But I am no expert on
IIS, so I may be wrong. All I'm saying is thus : if there is some configuration choice
that more clearly says "use Windows authentication", then use that instead.
(This seems to be a good page to start :
https://technet.microsoft.com/en-us/library/cc754628%28v=ws.10%29.aspx)
Let me re-use my little schema (and add a bit to it):
browser <--(1)--> front-end (2) <-----(4)---> tomcat (5) <---> webapp (8)
+ proxy module (3) + Connector(6)
If you are trying to use Windows Integrated Authentication (in other words, you want that
the Tomcat webapp (8) runs with a user-id which is the same as the user's Windows Domain
user-id that the user used initially to login into Windows), then :
- the user authentication should happen between the browser and the IIS front-end (2)
- this authentication will be "transparent" for the user : the user will not see any login
dialog. Instead, this login process is something which should happen automatically, in
the background, between the user's browser and the front-end webserver. (If the user sees
any kind of login dialog, it means that something is not working properly at this level).
- the normal result of this will be that IIS now knows the Windows user-id (but not the
password) of the user that is using the browser.
- then, when isapi_redirector (3) forwards this HTTP request to Tomcat (5) via AJP (4), it
will automatically encode this user-id in the forwarded request, as a "hidden parameter"
that it sends along with the proxied request.
- at the Tomcat level, the AJP Connector (6) will decode the request received from
IIS/isapi_redirector, before passing this request to the rest of the Tomcat machinery
(including the Siebel webapp (8)).
And it is at this level that, if the 'tomcatAuthentication="false"' attribute is present,
the AJP Connector will retrieve the user-id (which was encoded in the AJP request), and
will create a "Principal" in Tomcat, containing this user-id.
- and then, the webapp (8) retrieves this Principal from Tomcat, and the user-id within it.
The key conditions for all this to happen as planned are thus :
- IIS must be set up to authenticate the browser requests, using Windows Integrated
Authentication.
- the Tomcat AJP Connector must have the attribute 'tomcatAuthentication="false"' set (it
already has, so this is ok already)
- the webapp must be set up so as to retrieve the user-id from Tomcat (container-based
authentication)
To check all this, I suggest that you temporarily get rid of the "Siebel complication" and
do the following : create and install under Tomcat a simple webapp (or JSP page), which
does just one thing : retrieve the current user-id from Tomcat, and print it as a
response. Arrange for the corresponding webapp URL to be proxied by IIS to Tomcat.
And then call this webapp URL from a user browser (through IIS of course). If the setup
is correct, then when you call that webapp, it should automatically show the Windows login
user-id of the user (without any login dialog happening on the user side).
(I am a terrible Java programmer, and unfortunately unable to tell you exactly how to
create such a webapp/JSP; but someone else on this list hopefully can help).
> Thanks & Regards,
> Suraj Agrawal
>
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
> Sent: Thursday, January 4, 2018 9:07 AM
> To: users@tomcat.apache.org
> Subject: Re: WELCOME to users@tomcat.apache.org
>
> Hi.
>
> On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:
>> Hi Team,
>>
>> We are currently working on "Apache Tomcat Version 8.0.22". We are
>> using Apache to host javacontainer for Rest calls for our Siebel
>> application. The javacontainer is listening to Port 9001 as below-
>>
>> <Connector port="9001" redirectPort="8443" connectionTimeout="20000"
>> protocol="HTTP/1.1"/>
>>
>> We are trying to setup Windows Authentication in Apache by using Reverse Proxy with IIS, and have followed the below steps as per the Apache documentation.
>>
>> ---Steps followed :
>> There are three steps to configuring IIS to provide Windows authentication. They are:
>> 1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
>> ---- This is done and working as expected
>
> There is a bit of confusing information in the page http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
> in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat containers". In fact, "mod_jk" and "ISAPI redirector" are functionaly the same thing (and probably much the same code), but
> - mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under Linux and/or Windows)
> - isapi_redirector is the plugin proxy module to use with an IIS webserver front-end (Windows only)
>
> But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is AJP, not HTTP.
> So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the HTTP Connector.
>
> The AJP protocol is somewhat different from HTTP :
> - both essentially carry the same information (requests and responses) but
> - HTTP carries all its information back and forth in a text form as per HTTP RFC
> - AJP encodes some of this information in a binary form (a bit more efficient)
> - one of the "binary" parameters which the AJP protocol does transmit from the front-end to the back-end, is the authenticated user-id on the front-end, if any.
> (HTTP does not normally do this in any standard way).
>
> At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false) serves to tell Tomcat to either "believe" (false) the user-id that it receives from the front-end through AJP, or to ignore it (true) and do its own authentication anyway.
>
> At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP Connector (and protocol).
> See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
> (tomcatAuthentication AND tomcatAuthorization)
>
> while here : http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
> this attribute is not mentioned (so if you add it, it will simply be ignored).
>
>>
>> 2. Configure IIS to use Windows authentication
>> ---- This is done and working as expected
>>
>> 3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization.
>>
>
> Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)
>
>> Q1 ---- We were able to configure the reverse proxy with Anon user but the Windows authentication is failing at Apache level with below error :-
>> Thread[http-nio-9001-exec-15,5,main] [2017-12-27 13:17:12.637] [null] Error while login : The username cannot be empty. Please select a username.
>>
>
> Your problem may be there, with this "anonymous" authentication at the IIS level. Maybe the isapi_redirector interprets this as "no user", and transmits an empty user-id to Tomcat. Have you tried with a real Windows-level user-id ?
>
>
>> Q2 ---- Our configuration is using "HTTP" protocol, do we need to change the server.xml entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False"
>>
>
> Yes, probably.
>
>> Q3 ---- Do we need to install AJP connector on top of Tomcat or its installed by default, or we do not need it for Windows Authentication.
>>
>
> You do need it.
> It is provided by default, but you may need to uncomment the corresponding lines in the server.xml file.
> Considering your previous statements above, make sure that the HTTP Connector (if any) and the AJP Connector (if any) use different ports.
> And on the IIS/ISAPI redirector side, make sure that the settings specify the correct
> (AJP) port.
>
> This is all quite logical, but a bit convoluted, due to the many ways in which you can use a front-end with Tomcat, and the many ways in which one can do authentication/authorization in the WWW.
>
> I have found that it often helps to draw a schema in advance, such as
>
> browser <--(1)--> front-end (2) <-----(4)---> tomcat (5)
> + proxy module (3) + Connector(6)
>
> where :
> (1) is the protocol used between the browser and the front-end http server (HTTP or HTTPS)
> (2) is the front-end webserver (Apache httpd or IIS (or others)), which can be doing its own authentication/authorization or not
> (3) is the proxy module add-on to (2). There are a number of possibilities here, depending on (2) and (4)
> (4) is the protocol used between the front-end webserver and Tomcat (HTTP, HTTPS or AJP)
> (5) is Tomcat, which can be doing its own authentication/authorization or not
> (6) is the Tomcat Connector, which depends on (3) and (4)
>
> Depending on the circumstances and on what you want to achieve in the end, the variable elements above allow for a lot of combinations. And that of course makes it rather difficult to provide a fully comprehensive, all-in-one-place documentation.
>
>
>>
>> Thanks & Regards,
>> Suraj Agrawal
>>
>>
>> -----Original Message-----
>> From: users-help@tomcat.apache.org
>> [mailto:users-help@tomcat.apache.org]
>> Sent: Wednesday, January 3, 2018 12:03 PM
>> To: Agrawal, Suraj (CORP) <Su...@ADP.com>
>> Subject: WELCOME to users@tomcat.apache.org
>>
>> Hi! This is the ezmlm program. I'm managing the users@tomcat.apache.org mailing list.
>>
>> I'm working for my owner, who can be reached at users-owner@tomcat.apache.org.
>>
>> Acknowledgment: I have added the address
>>
>> suraj.agrawal@adp.com
>>
>> to the users mailing list.
>>
>> Welcome to users@tomcat.apache.org!
>>
>> Please save this message so that you know the address you are subscribed under, in case you later want to unsubscribe or change your subscription address.
>>
>>
>> --- Administrative commands for the users list ---
>>
>> I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address:
>>
>> To subscribe to the list, send a message to:
>> <us...@tomcat.apache.org>
>>
>> To remove your address from the list, send a message to:
>> <us...@tomcat.apache.org>
>>
>> Send mail to the following for info and FAQ for this list:
>> <us...@tomcat.apache.org>
>> <us...@tomcat.apache.org>
>>
>> Similar addresses exist for the digest list:
>> <us...@tomcat.apache.org>
>> <us...@tomcat.apache.org>
>>
>> To get messages 123 through 145 (a maximum of 100 per request), mail:
>> <us...@tomcat.apache.org>
>>
>> To get an index with subject and author for messages 123-456 , mail:
>> <us...@tomcat.apache.org>
>>
>> They are always returned as sets of 100, max 2000 per request, so you'll actually get 100-499.
>>
>> To receive all messages with the same subject as message 12345, send a short message to:
>> <us...@tomcat.apache.org>
>>
>> The messages should contain one line or word of text to avoid being treated as sp@m, but I will ignore their content.
>> Only the ADDRESS you send to is important.
>>
>> You can start a subscription for an alternate address, for example "john@host.domain", just add a hyphen and your address (with '=' instead of '@') after the command word:
>> <us...@tomcat.apache.org>
>>
>> To stop subscription for this address, mail:
>> <us...@tomcat.apache.org>
>>
>> In both cases, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete your subscription.
>>
>> If despite following these instructions, you do not get the desired
>> results, please contact my owner at users-owner@tomcat.apache.org.
>> Please be patient, my owner is a lot slower than I am ;-)
>>
>> --- Enclosed is a copy of the request I received.
>>
>> Return-Path: <su...@adp.com>
>> Received: (qmail 46578 invoked by uid 99); 3 Jan 2018 17:02:40 -0000
>> Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
>> by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jan 2018
>> 17:02:40 +0000
>> Received: from localhost (localhost [127.0.0.1])
>> by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 0FA551805A5
>> for
>> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
>> .apache.org>; Wed, 3 Jan 2018 17:02:40 +0000 (UTC)
>> X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
>> X-Spam-Flag: NO
>> X-Spam-Score: -2.311
>> X-Spam-Level:
>> X-Spam-Status: No, score=-2.311 tagged_above=-999 required=6.31
>> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3,
>> SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled
>> Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
>> dkim=pass (2048-bit key) header.d=es.adp.com
>> Received: from mx1-lw-us.apache.org ([10.40.0.8])
>> by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
>> with ESMTP id VFHSDlZ9kk9y
>> for <us...@tomcat.apache.org>;
>> Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
>> Received: from mail4-6.adp.com (mail4-6.adp.com [170.146.221.105])
>> by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 9A4315FB29
>> for
>> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
>> .apache.org>; Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
>> Received: from pps.filterd (dc2prppedgevm06.sd.adp.com [127.0.0.1])
>> by dc2prppedgevm06.sd.adp.com (8.16.0.21/8.16.0.21) with SMTP id w03GvxXt011778
>> for
>> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
>> .apache.org>; Wed, 3 Jan 2018 11:02:31 -0600
>> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.adp.com; h=from : to : subject :
>> date : message-id : references : in-reply-to : content-type :
>> content-transfer-encoding : mime-version; s=2013-03; bh=aP5VBhFXgJhRyaRmb2T5ltGt/4Mv6AIvp4DB+4uULA0=;
>> b=cSpf/vMw+LoBgf6quydKf8gNyybQhXN6Wh7LWaKI3I1FNPFXpgfm3XIoIM3tqGV3BBPZ
>> n/FajyhvuuVMAjSaLeXMOw8HdOPObRpCPuZj8+HoBLIHCJp/v3yqDHWf+5tgPsaKoixf
>> xXOMrjbTSofmv26WqLXXet6L1EPvCVgzYbGbkjOCsGsThX1MznHAUPWLArnGZAICScxb
>> PVLzDGDi81nqGv8gDmhZufpOJL5wOz5OMpetvZRc1rA4P+MiLmCI/2dqdR+cSmnTsHWw
>> diV5ODor6I7RB9mGAp8VaNrLIgjxUaD4LIOqd8hqTte9HDA0HW6PR8cRlmr6BvkupSTv
>> jQ==
>> Received: from dc2prmbx02p.es.ad.adp.com ([11.2.5.19])
>> by dc2prppedgevm06.sd.adp.com with ESMTP id 2f67w8ndn2-4
>> for
>> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
>> .apache.org>; Wed, 03 Jan 2018 11:02:31 -0600
>> Received: from DC2PRMBX05A.ES.AD.ADP.com ([fe80::1e1:f4e3:4aed:9909])
>> by DC2PRMBX02P.ES.AD.ADP.com ([fe80::695f:11b4:5169:ada6%18]) with
>> mapi id 14.03.0352.000; Wed, 3 Jan 2018 12:02:26 -0500
>> From: "Agrawal, Suraj (CORP)" <Su...@ADP.com>
>> To: "users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org"
>>
>> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
>> .apache.org>
>> Subject: RE: confirm subscribe to users@tomcat.apache.org
>> Thread-Topic: confirm subscribe to users@tomcat.apache.org
>> Thread-Index: AQHThLRUpZwjd7YbAkO+bYwSp9hqOqNiX7Vw
>> Date: Wed, 3 Jan 2018 17:02:25 +0000
>> Message-ID:
>> <28...@DC2PRMBX05A.ES.AD.ADP.com>
>> References: <15...@tomcat.apache.org>
>> In-Reply-To: <15...@tomcat.apache.org>
>> Accept-Language: en-US
>> Content-Language: en-US
>> X-MS-Has-Attach:
>> X-MS-TNEF-Correlator:
>> x-originating-ip: [11.10.48.211]
>> x-originalrecipientaddress:
>> users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.
>> apache.org
>> Content-Type: text/plain; charset="us-ascii"
>> Content-Transfer-Encoding: quoted-printable
>> MIME-Version: 1.0
>> X-CFilter-Loop: Reflected
>> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-03_12:,,
>> signatures=0
>>
>> ----------------------------------------------------------------------
>> This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
> ----------------------------------------------------------------------
> This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
RE: WELCOME to users@tomcat.apache.org
Posted by "Agrawal, Suraj (CORP)" <Su...@ADP.com>.
Thanks Andre for the help,
We are routing the request from IIS 7.5 to Apache using reverse Proxy. It seems like Apache is not allowing the authentication nor its accepting the username and password passed from IIS.
-- The AJP connector details in Server to XML were uncommented as shown in below, we added tomcatAuthentication="false" and still it was failing with empty username and password error.
<Connector port="8010" tomcatAuthentication="false" protocol="AJP/1.3" redirectPort="8443" />
-- We are currently on Apache Tomcat 8.0.22, this is installation was part of our Siebel application suite, thus could not have all the necessary connector setting installed in it. Is there a way we can check and install AJP connector on the top of Apache Tomcat we got as a part of Siebel Application.
-- Also with IIS we were using [UserSpecSource = Server] and [UserSpec = REMOTE_USER], are they the correct value for Tomcat webserver as well.
Thanks & Regards,
Suraj Agrawal
-----Original Message-----
From: André Warnier (tomcat) [mailto:aw@ice-sa.com]
Sent: Thursday, January 4, 2018 9:07 AM
To: users@tomcat.apache.org
Subject: Re: WELCOME to users@tomcat.apache.org
Hi.
On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:
> Hi Team,
>
> We are currently working on "Apache Tomcat Version 8.0.22". We are
> using Apache to host javacontainer for Rest calls for our Siebel
> application. The javacontainer is listening to Port 9001 as below-
>
> <Connector port="9001" redirectPort="8443" connectionTimeout="20000"
> protocol="HTTP/1.1"/>
>
> We are trying to setup Windows Authentication in Apache by using Reverse Proxy with IIS, and have followed the below steps as per the Apache documentation.
>
> ---Steps followed :
> There are three steps to configuring IIS to provide Windows authentication. They are:
> 1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
> ---- This is done and working as expected
There is a bit of confusing information in the page http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat containers". In fact, "mod_jk" and "ISAPI redirector" are functionaly the same thing (and probably much the same code), but
- mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under Linux and/or Windows)
- isapi_redirector is the plugin proxy module to use with an IIS webserver front-end (Windows only)
But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is AJP, not HTTP.
So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the HTTP Connector.
The AJP protocol is somewhat different from HTTP :
- both essentially carry the same information (requests and responses) but
- HTTP carries all its information back and forth in a text form as per HTTP RFC
- AJP encodes some of this information in a binary form (a bit more efficient)
- one of the "binary" parameters which the AJP protocol does transmit from the front-end to the back-end, is the authenticated user-id on the front-end, if any.
(HTTP does not normally do this in any standard way).
At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false) serves to tell Tomcat to either "believe" (false) the user-id that it receives from the front-end through AJP, or to ignore it (true) and do its own authentication anyway.
At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP Connector (and protocol).
See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
(tomcatAuthentication AND tomcatAuthorization)
while here : http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
this attribute is not mentioned (so if you add it, it will simply be ignored).
>
> 2. Configure IIS to use Windows authentication
> ---- This is done and working as expected
>
> 3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization.
>
Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)
> Q1 ---- We were able to configure the reverse proxy with Anon user but the Windows authentication is failing at Apache level with below error :-
> Thread[http-nio-9001-exec-15,5,main] [2017-12-27 13:17:12.637] [null] Error while login : The username cannot be empty. Please select a username.
>
Your problem may be there, with this "anonymous" authentication at the IIS level. Maybe the isapi_redirector interprets this as "no user", and transmits an empty user-id to Tomcat. Have you tried with a real Windows-level user-id ?
> Q2 ---- Our configuration is using "HTTP" protocol, do we need to change the server.xml entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False"
>
Yes, probably.
> Q3 ---- Do we need to install AJP connector on top of Tomcat or its installed by default, or we do not need it for Windows Authentication.
>
You do need it.
It is provided by default, but you may need to uncomment the corresponding lines in the server.xml file.
Considering your previous statements above, make sure that the HTTP Connector (if any) and the AJP Connector (if any) use different ports.
And on the IIS/ISAPI redirector side, make sure that the settings specify the correct
(AJP) port.
This is all quite logical, but a bit convoluted, due to the many ways in which you can use a front-end with Tomcat, and the many ways in which one can do authentication/authorization in the WWW.
I have found that it often helps to draw a schema in advance, such as
browser <--(1)--> front-end (2) <-----(4)---> tomcat (5)
+ proxy module (3) + Connector(6)
where :
(1) is the protocol used between the browser and the front-end http server (HTTP or HTTPS)
(2) is the front-end webserver (Apache httpd or IIS (or others)), which can be doing its own authentication/authorization or not
(3) is the proxy module add-on to (2). There are a number of possibilities here, depending on (2) and (4)
(4) is the protocol used between the front-end webserver and Tomcat (HTTP, HTTPS or AJP)
(5) is Tomcat, which can be doing its own authentication/authorization or not
(6) is the Tomcat Connector, which depends on (3) and (4)
Depending on the circumstances and on what you want to achieve in the end, the variable elements above allow for a lot of combinations. And that of course makes it rather difficult to provide a fully comprehensive, all-in-one-place documentation.
>
> Thanks & Regards,
> Suraj Agrawal
>
>
> -----Original Message-----
> From: users-help@tomcat.apache.org
> [mailto:users-help@tomcat.apache.org]
> Sent: Wednesday, January 3, 2018 12:03 PM
> To: Agrawal, Suraj (CORP) <Su...@ADP.com>
> Subject: WELCOME to users@tomcat.apache.org
>
> Hi! This is the ezmlm program. I'm managing the users@tomcat.apache.org mailing list.
>
> I'm working for my owner, who can be reached at users-owner@tomcat.apache.org.
>
> Acknowledgment: I have added the address
>
> suraj.agrawal@adp.com
>
> to the users mailing list.
>
> Welcome to users@tomcat.apache.org!
>
> Please save this message so that you know the address you are subscribed under, in case you later want to unsubscribe or change your subscription address.
>
>
> --- Administrative commands for the users list ---
>
> I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address:
>
> To subscribe to the list, send a message to:
> <us...@tomcat.apache.org>
>
> To remove your address from the list, send a message to:
> <us...@tomcat.apache.org>
>
> Send mail to the following for info and FAQ for this list:
> <us...@tomcat.apache.org>
> <us...@tomcat.apache.org>
>
> Similar addresses exist for the digest list:
> <us...@tomcat.apache.org>
> <us...@tomcat.apache.org>
>
> To get messages 123 through 145 (a maximum of 100 per request), mail:
> <us...@tomcat.apache.org>
>
> To get an index with subject and author for messages 123-456 , mail:
> <us...@tomcat.apache.org>
>
> They are always returned as sets of 100, max 2000 per request, so you'll actually get 100-499.
>
> To receive all messages with the same subject as message 12345, send a short message to:
> <us...@tomcat.apache.org>
>
> The messages should contain one line or word of text to avoid being treated as sp@m, but I will ignore their content.
> Only the ADDRESS you send to is important.
>
> You can start a subscription for an alternate address, for example "john@host.domain", just add a hyphen and your address (with '=' instead of '@') after the command word:
> <us...@tomcat.apache.org>
>
> To stop subscription for this address, mail:
> <us...@tomcat.apache.org>
>
> In both cases, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete your subscription.
>
> If despite following these instructions, you do not get the desired
> results, please contact my owner at users-owner@tomcat.apache.org.
> Please be patient, my owner is a lot slower than I am ;-)
>
> --- Enclosed is a copy of the request I received.
>
> Return-Path: <su...@adp.com>
> Received: (qmail 46578 invoked by uid 99); 3 Jan 2018 17:02:40 -0000
> Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
> by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jan 2018
> 17:02:40 +0000
> Received: from localhost (localhost [127.0.0.1])
> by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 0FA551805A5
> for
> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
> .apache.org>; Wed, 3 Jan 2018 17:02:40 +0000 (UTC)
> X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
> X-Spam-Flag: NO
> X-Spam-Score: -2.311
> X-Spam-Level:
> X-Spam-Status: No, score=-2.311 tagged_above=-999 required=6.31
> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3,
> SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled
> Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
> dkim=pass (2048-bit key) header.d=es.adp.com
> Received: from mx1-lw-us.apache.org ([10.40.0.8])
> by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
> with ESMTP id VFHSDlZ9kk9y
> for <us...@tomcat.apache.org>;
> Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
> Received: from mail4-6.adp.com (mail4-6.adp.com [170.146.221.105])
> by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 9A4315FB29
> for
> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
> .apache.org>; Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
> Received: from pps.filterd (dc2prppedgevm06.sd.adp.com [127.0.0.1])
> by dc2prppedgevm06.sd.adp.com (8.16.0.21/8.16.0.21) with SMTP id w03GvxXt011778
> for
> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
> .apache.org>; Wed, 3 Jan 2018 11:02:31 -0600
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.adp.com; h=from : to : subject :
> date : message-id : references : in-reply-to : content-type :
> content-transfer-encoding : mime-version; s=2013-03; bh=aP5VBhFXgJhRyaRmb2T5ltGt/4Mv6AIvp4DB+4uULA0=;
> b=cSpf/vMw+LoBgf6quydKf8gNyybQhXN6Wh7LWaKI3I1FNPFXpgfm3XIoIM3tqGV3BBPZ
> n/FajyhvuuVMAjSaLeXMOw8HdOPObRpCPuZj8+HoBLIHCJp/v3yqDHWf+5tgPsaKoixf
> xXOMrjbTSofmv26WqLXXet6L1EPvCVgzYbGbkjOCsGsThX1MznHAUPWLArnGZAICScxb
> PVLzDGDi81nqGv8gDmhZufpOJL5wOz5OMpetvZRc1rA4P+MiLmCI/2dqdR+cSmnTsHWw
> diV5ODor6I7RB9mGAp8VaNrLIgjxUaD4LIOqd8hqTte9HDA0HW6PR8cRlmr6BvkupSTv
> jQ==
> Received: from dc2prmbx02p.es.ad.adp.com ([11.2.5.19])
> by dc2prppedgevm06.sd.adp.com with ESMTP id 2f67w8ndn2-4
> for
> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
> .apache.org>; Wed, 03 Jan 2018 11:02:31 -0600
> Received: from DC2PRMBX05A.ES.AD.ADP.com ([fe80::1e1:f4e3:4aed:9909])
> by DC2PRMBX02P.ES.AD.ADP.com ([fe80::695f:11b4:5169:ada6%18]) with
> mapi id 14.03.0352.000; Wed, 3 Jan 2018 12:02:26 -0500
> From: "Agrawal, Suraj (CORP)" <Su...@ADP.com>
> To: "users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org"
>
> <users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat
> .apache.org>
> Subject: RE: confirm subscribe to users@tomcat.apache.org
> Thread-Topic: confirm subscribe to users@tomcat.apache.org
> Thread-Index: AQHThLRUpZwjd7YbAkO+bYwSp9hqOqNiX7Vw
> Date: Wed, 3 Jan 2018 17:02:25 +0000
> Message-ID:
> <28...@DC2PRMBX05A.ES.AD.ADP.com>
> References: <15...@tomcat.apache.org>
> In-Reply-To: <15...@tomcat.apache.org>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> x-originating-ip: [11.10.48.211]
> x-originalrecipientaddress:
> users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.
> apache.org
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> MIME-Version: 1.0
> X-CFilter-Loop: Reflected
> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-03_12:,,
> signatures=0
>
> ----------------------------------------------------------------------
> This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
----------------------------------------------------------------------
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: WELCOME to users@tomcat.apache.org
Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Hi.
On 03.01.2018 18:31, Agrawal, Suraj (CORP) wrote:
> Hi Team,
>
> We are currently working on "Apache Tomcat Version 8.0.22". We are using Apache to host javacontainer for Rest calls for our Siebel application. The javacontainer is listening to Port 9001 as below-
>
> <Connector port="9001" redirectPort="8443" connectionTimeout="20000" protocol="HTTP/1.1"/>
>
> We are trying to setup Windows Authentication in Apache by using Reverse Proxy with IIS, and have followed the below steps as per the Apache documentation.
>
> ---Steps followed :
> There are three steps to configuring IIS to provide Windows authentication. They are:
> 1. Configure IIS as a reverse proxy for Tomcat (see the IIS Web Server How-To).
> ---- This is done and working as expected
There is a bit of confusing information in the page
http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html
in that it talks (in the title and elsewhere) of the "ISAPI redirector", but then later it
mentions "The mod_jk module uses the AJP protocol to send requests to the Tomcat
containers". In fact, "mod_jk" and "ISAPI redirector" are functionaly the same thing (and
probably much the same code), but
- mod_jk is the plugin proxy module to use with an Apache httpd webserver front-end (under
Linux and/or Windows)
- isapi_redirector is the plugin proxy module to use with an IIS webserver front-end
(Windows only)
But /both/ use the same protocol to talk with the back-end Tomcat, and that protocol is
AJP, not HTTP.
So in both cases, what they are "talking to" is the AJP Connector in Tomcat, and not the
HTTP Connector.
The AJP protocol is somewhat different from HTTP :
- both essentially carry the same information (requests and responses)
but
- HTTP carries all its information back and forth in a text form as per HTTP RFC
- AJP encodes some of this information in a binary form (a bit more efficient)
- one of the "binary" parameters which the AJP protocol does transmit from the front-end
to the back-end, is the authenticated user-id on the front-end, if any.
(HTTP does not normally do this in any standard way).
At the Tomcat level (the AJP Connector), the attribute "tomcatAuthentication" (true/false)
serves to tell Tomcat to either "believe" (false) the user-id that it receives from the
front-end through AJP, or to ignore it (true) and do its own authentication anyway.
At the Tomcat level, this "tomcatAuthentication" attribute only makes sense with the AJP
Connector (and protocol).
See : http://tomcat.apache.org/tomcat-8.5-doc/config/ajp.html#Common_Attributes
(tomcatAuthentication AND tomcatAuthorization)
while here : http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#Common_Attributes
this attribute is not mentioned (so if you add it, it will simply be ignored).
>
> 2. Configure IIS to use Windows authentication
> ---- This is done and working as expected
>
> 3. Configure Tomcat to use the authentication user information from IIS by setting the tomcatAuthentication attribute on the AJP connector to false. Alternatively, set the tomcatAuthorization attribute to true to allow IIS to authenticate, while Tomcat performs the authorization.
>
Right. But on which Tomcat connector did you set this ? (HTTP or AJP ?)
> Q1 ---- We were able to configure the reverse proxy with Anon user but the Windows authentication is failing at Apache level with below error :-
> Thread[http-nio-9001-exec-15,5,main] [2017-12-27 13:17:12.637] [null] Error while login : The username cannot be empty. Please select a username.
>
Your problem may be there, with this "anonymous" authentication at the IIS level. Maybe
the isapi_redirector interprets this as "no user", and transmits an empty user-id to
Tomcat. Have you tried with a real Windows-level user-id ?
> Q2 ---- Our configuration is using "HTTP" protocol, do we need to change the server.xml entry for 9001 to use AJP protocol and then add entry " tomcatAuthentication=False"
>
Yes, probably.
> Q3 ---- Do we need to install AJP connector on top of Tomcat or its installed by default, or we do not need it for Windows Authentication.
>
You do need it.
It is provided by default, but you may need to uncomment the corresponding lines in the
server.xml file.
Considering your previous statements above, make sure that the HTTP Connector (if any) and
the AJP Connector (if any) use different ports.
And on the IIS/ISAPI redirector side, make sure that the settings specify the correct
(AJP) port.
This is all quite logical, but a bit convoluted, due to the many ways in which you can use
a front-end with Tomcat, and the many ways in which one can do
authentication/authorization in the WWW.
I have found that it often helps to draw a schema in advance, such as
browser <--(1)--> front-end (2) <-----(4)---> tomcat (5)
+ proxy module (3) + Connector(6)
where :
(1) is the protocol used between the browser and the front-end http server (HTTP or HTTPS)
(2) is the front-end webserver (Apache httpd or IIS (or others)), which can be doing its
own authentication/authorization or not
(3) is the proxy module add-on to (2). There are a number of possibilities here,
depending on (2) and (4)
(4) is the protocol used between the front-end webserver and Tomcat (HTTP, HTTPS or AJP)
(5) is Tomcat, which can be doing its own authentication/authorization or not
(6) is the Tomcat Connector, which depends on (3) and (4)
Depending on the circumstances and on what you want to achieve in the end, the variable
elements above allow for a lot of combinations. And that of course makes it rather
difficult to provide a fully comprehensive, all-in-one-place documentation.
>
> Thanks & Regards,
> Suraj Agrawal
>
>
> -----Original Message-----
> From: users-help@tomcat.apache.org [mailto:users-help@tomcat.apache.org]
> Sent: Wednesday, January 3, 2018 12:03 PM
> To: Agrawal, Suraj (CORP) <Su...@ADP.com>
> Subject: WELCOME to users@tomcat.apache.org
>
> Hi! This is the ezmlm program. I'm managing the users@tomcat.apache.org mailing list.
>
> I'm working for my owner, who can be reached at users-owner@tomcat.apache.org.
>
> Acknowledgment: I have added the address
>
> suraj.agrawal@adp.com
>
> to the users mailing list.
>
> Welcome to users@tomcat.apache.org!
>
> Please save this message so that you know the address you are subscribed under, in case you later want to unsubscribe or change your subscription address.
>
>
> --- Administrative commands for the users list ---
>
> I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address:
>
> To subscribe to the list, send a message to:
> <us...@tomcat.apache.org>
>
> To remove your address from the list, send a message to:
> <us...@tomcat.apache.org>
>
> Send mail to the following for info and FAQ for this list:
> <us...@tomcat.apache.org>
> <us...@tomcat.apache.org>
>
> Similar addresses exist for the digest list:
> <us...@tomcat.apache.org>
> <us...@tomcat.apache.org>
>
> To get messages 123 through 145 (a maximum of 100 per request), mail:
> <us...@tomcat.apache.org>
>
> To get an index with subject and author for messages 123-456 , mail:
> <us...@tomcat.apache.org>
>
> They are always returned as sets of 100, max 2000 per request, so you'll actually get 100-499.
>
> To receive all messages with the same subject as message 12345, send a short message to:
> <us...@tomcat.apache.org>
>
> The messages should contain one line or word of text to avoid being treated as sp@m, but I will ignore their content.
> Only the ADDRESS you send to is important.
>
> You can start a subscription for an alternate address, for example "john@host.domain", just add a hyphen and your address (with '=' instead of '@') after the command word:
> <us...@tomcat.apache.org>
>
> To stop subscription for this address, mail:
> <us...@tomcat.apache.org>
>
> In both cases, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete your subscription.
>
> If despite following these instructions, you do not get the desired results, please contact my owner at users-owner@tomcat.apache.org. Please be patient, my owner is a lot slower than I am ;-)
>
> --- Enclosed is a copy of the request I received.
>
> Return-Path: <su...@adp.com>
> Received: (qmail 46578 invoked by uid 99); 3 Jan 2018 17:02:40 -0000
> Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142)
> by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Jan 2018 17:02:40 +0000
> Received: from localhost (localhost [127.0.0.1])
> by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 0FA551805A5
> for <us...@tomcat.apache.org>; Wed, 3 Jan 2018 17:02:40 +0000 (UTC)
> X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
> X-Spam-Flag: NO
> X-Spam-Score: -2.311
> X-Spam-Level:
> X-Spam-Status: No, score=-2.311 tagged_above=-999 required=6.31
> tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3,
> SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=disabled
> Authentication-Results: spamd3-us-west.apache.org (amavisd-new);
> dkim=pass (2048-bit key) header.d=es.adp.com
> Received: from mx1-lw-us.apache.org ([10.40.0.8])
> by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024)
> with ESMTP id VFHSDlZ9kk9y
> for <us...@tomcat.apache.org>;
> Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
> Received: from mail4-6.adp.com (mail4-6.adp.com [170.146.221.105])
> by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 9A4315FB29
> for <us...@tomcat.apache.org>; Wed, 3 Jan 2018 17:02:37 +0000 (UTC)
> Received: from pps.filterd (dc2prppedgevm06.sd.adp.com [127.0.0.1])
> by dc2prppedgevm06.sd.adp.com (8.16.0.21/8.16.0.21) with SMTP id w03GvxXt011778
> for <us...@tomcat.apache.org>; Wed, 3 Jan 2018 11:02:31 -0600
> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=es.adp.com; h=from : to : subject :
> date : message-id : references : in-reply-to : content-type :
> content-transfer-encoding : mime-version; s=2013-03; bh=aP5VBhFXgJhRyaRmb2T5ltGt/4Mv6AIvp4DB+4uULA0=;
> b=cSpf/vMw+LoBgf6quydKf8gNyybQhXN6Wh7LWaKI3I1FNPFXpgfm3XIoIM3tqGV3BBPZ
> n/FajyhvuuVMAjSaLeXMOw8HdOPObRpCPuZj8+HoBLIHCJp/v3yqDHWf+5tgPsaKoixf
> xXOMrjbTSofmv26WqLXXet6L1EPvCVgzYbGbkjOCsGsThX1MznHAUPWLArnGZAICScxb
> PVLzDGDi81nqGv8gDmhZufpOJL5wOz5OMpetvZRc1rA4P+MiLmCI/2dqdR+cSmnTsHWw
> diV5ODor6I7RB9mGAp8VaNrLIgjxUaD4LIOqd8hqTte9HDA0HW6PR8cRlmr6BvkupSTv jQ==
> Received: from dc2prmbx02p.es.ad.adp.com ([11.2.5.19])
> by dc2prppedgevm06.sd.adp.com with ESMTP id 2f67w8ndn2-4
> for <us...@tomcat.apache.org>; Wed, 03 Jan 2018 11:02:31 -0600
> Received: from DC2PRMBX05A.ES.AD.ADP.com ([fe80::1e1:f4e3:4aed:9909]) by DC2PRMBX02P.ES.AD.ADP.com ([fe80::695f:11b4:5169:ada6%18]) with mapi id 14.03.0352.000; Wed, 3 Jan 2018 12:02:26 -0500
> From: "Agrawal, Suraj (CORP)" <Su...@ADP.com>
> To: "users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org"
> <us...@tomcat.apache.org>
> Subject: RE: confirm subscribe to users@tomcat.apache.org
> Thread-Topic: confirm subscribe to users@tomcat.apache.org
> Thread-Index: AQHThLRUpZwjd7YbAkO+bYwSp9hqOqNiX7Vw
> Date: Wed, 3 Jan 2018 17:02:25 +0000
> Message-ID: <28...@DC2PRMBX05A.ES.AD.ADP.com>
> References: <15...@tomcat.apache.org>
> In-Reply-To: <15...@tomcat.apache.org>
> Accept-Language: en-US
> Content-Language: en-US
> X-MS-Has-Attach:
> X-MS-TNEF-Correlator:
> x-originating-ip: [11.10.48.211]
> x-originalrecipientaddress: users-sc.1514998812.mddjdmnglleomhdaalpi-suraj.agrawal=adp.com@tomcat.apache.org
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> MIME-Version: 1.0
> X-CFilter-Loop: Reflected
> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2018-01-03_12:,,
> signatures=0
>
> ----------------------------------------------------------------------
> This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org