Posted to users@tomcat.apache.org by Scrumpy Jack <pa...@bmssolutions.com> on 2008/10/18 20:08:17 UTC

Tomcat6+ISAPI+IIS+Integrated Authentication+Large User

Hi
I'm trying to resolve an issue with Integrated Authentication when a user
with a large Group Membership tries to access a site served by Tomcat via
IIS ISAPI Redirect.

For all other users, access is fine. For users with 70+ Windows groups, they
are failing to be redirected and are getting a 500 error. Basic
Authentication works fine.

Tomcat 6
IIS 6.0 on Windows 2003
ISAPI 1.2.26 
32 bit

Access to IIS for the same users (i.e. with no ISAPI filter) is fine. We
have explored various Kerberos package size options in initial
troubleshooting, but once we realized that IIS alone worked fine, it now
appears that whatever is being passed to the ISAPI filter via IIS as part of
the Authentication process is exceeding some buffer. The user is prompted
for credentials (but shouldn't be) and will fail to get access regardless of
what is typed. IE classifies site as Internet, when it isn't (And doesn't
get mistreated for other users - i.e. Shows as Local Intranet and no user
prompt appears)

Can anyone point me in the direction of settings that increase buffer (?)
settings related to Integrated Authentication? Any ideas as to where I
should focus? (i.e. the ISAPI Filter config end, or Tomcat end?)

Thanks!!!
-- 
View this message in context: http://www.nabble.com/Tomcat6%2BISAPI%2BIIS%2BIntegrated-Authentication%2BLarge-User-tp20049325p20049325.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Tomcat6+ISAPI+IIS+Integrated Authentication+Large User

Posted by zdnagy <zd...@yahoo.com>.
Hello

Have you found any solution for this problem? We are facing exactly
the same problem.

For every user with a small group membership the redirector works fine, but
not for heavy users. We got HTTP 413 in the IIS log. If we use Jakarta 2.x
then we get a little bit further, because we get an authentication window,
but any username/pwd pair fails with Permission denied. Another issue: when
running the browser locally on the server machine everything is fine; the
problem appears only through network access. Another issue: when using the
IP address instead of the server FQDN in the URL, everything is fine.


-- 
View this message in context: http://www.nabble.com/Tomcat6%2BISAPI%2BIIS%2BIntegrated-Authentication%2BLarge-User-tp20049325p24489418.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




RE: Tomcat6+ISAPI+IIS+Integrated Authentication+Large User

Posted by Martin Gainty <mg...@hotmail.com>.
Paul-

unless otherwise configured please re-xmit (or display inline) the latest of %WINDIR%/system32/LogFiles/W3SVC1/*.log

thx
Martin 


> Date: Thu, 30 Oct 2008 07:13:37 -0700
> From: paul.pree@bmssolutions.com
> To: users@tomcat.apache.org
> Subject: Re: Tomcat6+ISAPI+IIS+Integrated Authentication+Large User
> 
> 
> Hi
> 
> I've uploaded a fresh log which shows only an attempted connection from an
> affected user (DOMAIN\mbn)
> 
> A subsequent test with a 'normal' user produced a large log showing the
> successful connection.
> 
> Thanks
> Paul
> 
> Rainer Jung-3 wrote:
> > 
> > Scrumpy Jack wrote:
> >> Hi
> >> I'm trying to resolve an issue with Integrated Authentication when a user
> >> with a large Group Membership tries to access a site served by Tomcat via
> >> IIS ISAPI Redirect.
> >> 
> >> For all other users, access is fine. For users with 70+ Windows groups,
> >> they
> >> are failing to be redirected and are getting a 500 error. Basic
> >> Authentication works fine.
> >> Can anyone point me in the direction of settings that increase buffer (?)
> >> settings related to Integrated Authentication? Any ideas as to where I
> >> should focus? (i.e. the ISAPI Filter config end, or Tomcat end?)
> > 
> > If you can easily reproduce on a test system, set log_level to trace and
> > reproduce with a single request. Then show us your log_file.
> > 
> > It is possible that the information gets forwarded via http headers.
> > The AJP protocol used between the isapi redirector and Tomcat needs to
> > send all http headers in a single AJP packet. The default maximum size
> > of the packet is 8KB. Recent versions of the redirector and of Tomcat
> > are able to use a higher value. But let's first check if this is
> > actually the problem you are running into.
> > 
> > Regards,
> > 
> > Rainer
> > 
> > 
> > 
> > 
> > 
> http://www.nabble.com/file/p20242376/Log%2BExcerpt.txt Log+Excerpt.txt 
> 
> http://www.nabble.com/file/p20247837/error_MaryBeth_isapi_redirect.log
> error_MaryBeth_isapi_redirect.log 
> -- 
> View this message in context: http://www.nabble.com/Tomcat6%2BISAPI%2BIIS%2BIntegrated-Authentication%2BLarge-User-tp20049325p20247837.html
> Sent from the Tomcat - User mailing list archive at Nabble.com.
> 
> 
> 


Re: Tomcat6+ISAPI+IIS+Integrated Authentication+Large User

Posted by Scrumpy Jack <pa...@bmssolutions.com>.
Hi

I've uploaded a fresh log which shows only an attempted connection from an
affected user (DOMAIN\mbn)

A subsequent test with a 'normal' user produced a large log showing the
successful connection.

Thanks
Paul

Rainer Jung-3 wrote:
> 
> Scrumpy Jack wrote:
>> Hi
>> I'm trying to resolve an issue with Integrated Authentication when a user
>> with a large Group Membership tries to access a site served by Tomcat via
>> IIS ISAPI Redirect.
>> 
>> For all other users, access is fine. For users with 70+ Windows groups,
>> they
>> are failing to be redirected and are getting a 500 error. Basic
>> Authentication works fine.
>> Can anyone point me in the direction of settings that increase buffer (?)
>> settings related to Integrated Authentication? Any ideas as to where I
>> should focus? (i.e. the ISAPI Filter config end, or Tomcat end?)
> 
> If you can easily reproduce on a test system, set log_level to trace and
> reproduce with a single request. Then show us your log_file.
> 
> It is possible that the information gets forwarded via http headers.
> The AJP protocol used between the isapi redirector and Tomcat needs to
> send all http headers in a single AJP packet. The default maximum size
> of the packet is 8KB. Recent versions of the redirector and of Tomcat
> are able to use a higher value. But let's first check if this is
> actually the problem you are running into.
> 
> Regards,
> 
> Rainer
> 
> 
> 
> 
> 
http://www.nabble.com/file/p20242376/Log%2BExcerpt.txt Log+Excerpt.txt 

http://www.nabble.com/file/p20247837/error_MaryBeth_isapi_redirect.log
error_MaryBeth_isapi_redirect.log 
-- 
View this message in context: http://www.nabble.com/Tomcat6%2BISAPI%2BIIS%2BIntegrated-Authentication%2BLarge-User-tp20049325p20247837.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Tomcat6+ISAPI+IIS+Integrated Authentication+Large User

Posted by Scrumpy Jack <pa...@bmssolutions.com>.
Hi

Unfortunately the log I've uploaded isn't quite what you asked for. We have
little access or control over the remote system, so this is just the start
of the log. There are too many accesses in between to isolate the point
where the failing user tries to connect - other than to say it doesn't even
appear to make it to the logs (The access time was recorded by the user, but
nothing appears in the ISAPI log at that time)

A second site with the same issue is trying to get a clean log with only the
failing user entry in it. This may come through in the next few days.

It does seem that the 8k http header limit is our most likely culprit. Are
you able to share how I increase this as that will be easy for me to have
tested? Am happy to test whatever values you recommend that will hopefully
confirm this is the right area to focus - I just haven't found a reference
to this setting anywhere.

Thanks
Paul


Rainer Jung-3 wrote:
> 
> Scrumpy Jack wrote:
>> Hi
>> I'm trying to resolve an issue with Integrated Authentication when a user
>> with a large Group Membership tries to access a site served by Tomcat via
>> IIS ISAPI Redirect.
>> 
>> For all other users, access is fine. For users with 70+ Windows groups,
>> they
>> are failing to be redirected and are getting a 500 error. Basic
>> Authentication works fine.
>> Can anyone point me in the direction of settings that increase buffer (?)
>> settings related to Integrated Authentication? Any ideas as to where I
>> should focus? (i.e. the ISAPI Filter config end, or Tomcat end?)
> 
> If you can easily reproduce on a test system, set log_level to trace and
> reproduce with a single request. Then show us your log_file.
> 
> It is possible that the information gets forwarded via http headers.
> The AJP protocol used between the isapi redirector and Tomcat needs to
> send all http headers in a single AJP packet. The default maximum size
> of the packet is 8KB. Recent versions of the redirector and of Tomcat
> are able to use a higher value. But let's first check if this is
> actually the problem you are running into.
> 
> Regards,
> 
> Rainer
> 
> 
> 
> 
> 
http://www.nabble.com/file/p20242376/Log%2BExcerpt.txt Log+Excerpt.txt 
-- 
View this message in context: http://www.nabble.com/Tomcat6%2BISAPI%2BIIS%2BIntegrated-Authentication%2BLarge-User-tp20049325p20242376.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Tomcat6+ISAPI+IIS+Integrated Authentication+Large User

Posted by Rainer Jung <ra...@kippdata.de>.
Scrumpy Jack wrote:
> Hi
> I'm trying to resolve an issue with Integrated Authentication when a user
> with a large Group Membership tries to access a site served by Tomcat via
> IIS ISAPI Redirect.
> 
> For all other users, access is fine. For users with 70+ Windows groups, they
> are failing to be redirected and are getting a 500 error. Basic
> Authentication works fine.
> 
> Tomcat 6
> IIS 6.0 on Windows 2003
> ISAPI 1.2.26 
> 32 bit
> 
> Access to IIS for the same users (i.e. with no ISAPI filter) is fine. We
> have explored various Kerberos package size options in initial
> troubleshooting, but once we realized that IIS alone worked fine, it now
> appears that whatever is being passed to the ISAPI filter via IIS as part of
> the Authentication process is exceeding some buffer. The user is prompted
> for credentials (but shouldn't be) and will fail to get access regardless of
> what is typed. IE classifies site as Internet, when it isn't (And doesn't
> get mistreated for other users - i.e. Shows as Local Intranet and no user
> prompt appears)
> 
> Can anyone point me in the direction of settings that increase buffer (?)
> settings related to Integrated Authentication? Any ideas as to where I
> should focus? (i.e. the ISAPI Filter config end, or Tomcat end?)

If you can easily reproduce on a test system, set log_level to trace and
reproduce with a single request. Then show us your log_file.

It is possible that the information gets forwarded via http headers.
The AJP protocol used between the isapi redirector and Tomcat needs to
send all http headers in a single AJP packet. The default maximum size
of the packet is 8KB. Recent versions of the redirector and of Tomcat
are able to use a higher value. But let's first check if this is
actually the problem you are running into.

Regards,

Rainer
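
The single-packet constraint described in the message above, as an added example that is not part of the original thread: it encodes a request as one AJP13 forward-request packet and checks it against the 8KB default. It assumes the Negotiate token reaches the redirector as an Authorization header (which the thread does not confirm); the token lengths, host name and addresses are constructed.

```python
import struct

AJP_DEFAULT_MAX = 8192   # default maximum AJP packet size (8KB, as stated in the thread)
FORWARD_REQUEST, GET = 0x02, 0x02
# Subset of the AJP13 coded header names (sent as a 2-byte code instead of a string).
CODED = {"accept": 0xA001, "authorization": 0xA005, "cookie": 0xA009,
         "host": 0xA00B, "user-agent": 0xA00E}

def ajp_string(s):
    """AJP13 string: 2-byte big-endian length, the bytes, a trailing NUL."""
    b = s.encode("latin-1")
    return struct.pack(">H", len(b)) + b + b"\x00"

def forward_request(uri, host, headers, remote="10.0.0.5"):
    """Encode a GET as one AJP13 forward-request packet; all headers go in it."""
    body = struct.pack(">BB", FORWARD_REQUEST, GET)
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string(remote) + ajp_string(remote) + ajp_string(host)
    body += struct.pack(">HBH", 80, 0, len(headers))   # port, is_ssl, num_headers
    for name, value in headers:
        code = CODED.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    body += b"\xff"                                     # end of request attributes
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def sample_headers(token_len):
    # Constructed input: "A" * n stands in for a base64 SPNEGO token of that length.
    return [("Host", "intranet.example"),
            ("User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0)"),
            ("Accept", "*/*"),
            ("Authorization", "Negotiate " + "A" * token_len)]

def fits(packet, limit=AJP_DEFAULT_MAX):
    """True if the whole packet, 4-byte AJP header included, is within the limit."""
    return len(packet) <= limit

if __name__ == "__main__":
    for label, n in (("small group membership", 2500),
                     ("large group membership", 11000)):
        pkt = forward_request("/app/", "intranet.example", sample_headers(n))
        print(label, len(pkt), "bytes", "fits" if fits(pkt) else "exceeds 8KB")
```

If a trace log confirms the overflow, the settings that raise the limit are `max_packet_size` on the redirector's worker and `packetSize` on Tomcat's AJP connector, set to the same value on both sides.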
