Debugging suggestions

Aug 25, 2016 at 9:35 AM
Hello,
I tried to look at most of the documentation I found, but I cannot find an answer.
I am the system administrator, not the developer.

I have two environments (PreProduction and Production) that are set up very similarly (I would say identical, but it seems not :( ). The installation of Tomcat (7.0.70) has been done by copying the whole directory tree and modifying the configs and key/certificates as needed.

The service users needed to connect to Active Directory are different (one for PreProd and one for Prod), but their setup has been verified and is consistent (setspn points to the correct servers), DNS entries are correct and the passwords used have also been verified.

The application includes spnego libraries, and the setup is done at installation time through tag substitution.

What makes me wonder is... in Prod SingleSignOn works like a charm, but in PreProd it does not. I tried to check all differences I could find, but I am seeking new ideas about new or alternative (to me) debugging methods to follow in order to find the issue.

All suggestions are welcome.
Aivan18
Coordinator
Sep 4, 2016 at 6:01 PM
Hello,
Are the two Tomcat services installed on two servers or on the same Windows server?
Dominique
Sep 5, 2016 at 7:08 AM
Hello,
The Tomcat services are running on two separate Linux (SLES 11 SP 4) servers.
Bye
Aivan18
Coordinator
Sep 5, 2016 at 10:44 AM
Hello,
I suppose you use two Windows services running with two different accounts. Each SPN is mapped to one Windows account.
Each Windows service is running with one of the two accounts.
You can have debug information on Tomcat and on the negoserver. Do you have logs from Tomcat and negoserver?

Remark: It is possible to use only one Windows service with many Tomcat servers. You only have to define two SPNs with the same Windows account.
You can map the two SPNs to the name of the server where negoserver is running, and the Windows service can run with the account NETWORK SERVICE.
I cannot test today. I have no server with me and I am on holiday in a very, very little town.
Dominique
Sep 6, 2016 at 8:40 AM
Hello,
I already checked all the Tomcat logs and cannot find anything useful. You mention a "negoserver", but what I have is simply a library used by the Tomcat-hosted webapps.
In the application's log I have lines like the following:

05.09.2016 14:05:06.425 FINE net.sourceforge.spnego.SpnegoProvider.getUsernamePasswordHandler username=XXXXXX; password=123456789

While on catalina.out I have:
Aug 29, 2016 8:29:05 AM net.sourceforge.spnego.SpnegoAuthenticator <init> FINE: config=allowBasic=true; allowUnsecure=true; canUseKeyTab=false; clientLoginModule=spnego-client; serverLoginModule=spnego-server
Aug 29, 2016 8:29:05 AM net.sourceforge.spnego.SpnegoProvider getUsernamePasswordHandler FINE: username=serviceUser; password=987654321

On the Domain Controllers I can see that the serviceUser is authorized for all the application servers involved, and the password is correct.

To complete my description, the Tomcat servers are hosted on SuSE Linux servers, and these are very similar (should be identical, but I am starting to doubt it :/ ) between the working one and the not working one.

Thank you for your suggestions
Aivan18
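Added example, not part of the thread and not code from either SPNEGO project: one way to compare the `config=` line that `SpnegoAuthenticator` writes at FINE level in two environments, and to mask the `password=` values those logs contain before sharing them. The Prod sample, its user name and the differing `canUseKeyTab` value are constructed for illustration and are not a diagnosis of the problem above.

```python
import re

# Constructed samples modelled on the catalina.out excerpt quoted above.
# The Prod lines (and the canUseKeyTab difference) are invented for the demo.
PREPROD_LOG = """\
Aug 29, 2016 8:29:05 AM net.sourceforge.spnego.SpnegoAuthenticator <init> FINE: config=allowBasic=true; allowUnsecure=true; canUseKeyTab=false; clientLoginModule=spnego-client; serverLoginModule=spnego-server
Aug 29, 2016 8:29:05 AM net.sourceforge.spnego.SpnegoProvider getUsernamePasswordHandler FINE: username=serviceUser; password=987654321
"""
PROD_LOG = """\
Aug 29, 2016 8:30:11 AM net.sourceforge.spnego.SpnegoAuthenticator <init> FINE: config=allowBasic=true; allowUnsecure=true; canUseKeyTab=true; clientLoginModule=spnego-client; serverLoginModule=spnego-server
Aug 29, 2016 8:30:11 AM net.sourceforge.spnego.SpnegoProvider getUsernamePasswordHandler FINE: username=prodServiceUser; password=example-only
"""

CONFIG_RE = re.compile(r"SpnegoAuthenticator <init> FINE: config=(.*)$")
PASSWORD_RE = re.compile(r"(password=)[^;\s]+")


def parse_config(log_text):
    """Return the key/value pairs of the last 'config=' line in the log."""
    config = {}
    for line in log_text.splitlines():
        m = CONFIG_RE.search(line)
        if m:
            items = (item.strip() for item in m.group(1).split(";"))
            config = dict(i.split("=", 1) for i in items if "=" in i)
    return config


def diff_configs(a, b):
    """Map every key whose value differs to (value_a, value_b); None if absent."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def password_lines(log_text):
    """1-based numbers of the lines that contain a password= value."""
    lines = log_text.splitlines()
    return [n for n, line in enumerate(lines, 1) if PASSWORD_RE.search(line)]


def redact(log_text):
    """Mask password values so the log can be posted or attached to a ticket."""
    return PASSWORD_RE.sub(r"\1<redacted>", log_text)


if __name__ == "__main__":
    print(diff_configs(parse_config(PREPROD_LOG), parse_config(PROD_LOG)))
    print(redact(PREPROD_LOG))
```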
Coordinator
Sep 9, 2016 at 1:31 PM
Edited Sep 9, 2016 at 1:32 PM
Hello
I developed a solution in Java with JDK 6.
But I wanted to use the groups defined in AD as Tomcat roles without using LDAP.
So I rewrote the code as a Windows DLL. The advantages were:
The configuration on Windows was simpler and NTLM could also be used. When Tomcat is running with the account SYSTEM (or, better for security, NETWORK SERVICE), you do not have to define an SPN.
The Tomcat roles were translated on the first request into SIDs (like gid or uid on Unix). So after this translation, the server does not have to communicate with the AD server when NTLM is not used.
The Tomcat roles can be associated with the global groups of the domains where the users' accounts are defined, the domain local groups of the domain where the Windows server is defined, and the local groups defined on the server.
So, you can install a Tomcat even if you cannot touch AD.
But there was an obvious flaw: it was not possible to use Tomcat on Unix.
So I added a solution with a Windows service (Negoserver). Tomcat communicates with this service via TCP. When this service is running on the same server as Tomcat, the configuration was always very simple.
This solution could be used when Tomcat is running on Unix (I tested with Linux and IBM AIX. Someone else tested this solution on Solaris).
In this case, you have to define an SPN associated with the DNS name of the Tomcat service and the account used by the negoserver service running on a Windows server. But the configuration is easy.

You do not use this solution. You use the project hosted on SourceForge and not the tomcatspnego project on CodePlex.

Dominique
Sep 12, 2016 at 8:26 AM
Oh, sorry. I did not notice I was on the wrong forum.

Thank you
Aivan18