ECP extension needed for active clients

Nate Klingenstein ndk at
Sun Sep 16 21:37:12 EDT 2012


It seems to me like the authentication process is failing, and you're
repeatedly prompted to reauthenticate after the first authentication
fails.  I have no idea where this authentication process would get
logged, but the request likely never gets to the IdP at all, so the
absence of log entries in idp-process.log would not be surprising.
Tomcat is notorious for eating logs, but catalina.out (and tomcat.log)
in Tomcat's logs directory would not be a bad guess.

You shouldn't need to configure or use Apache.  It can be used as a  
front-end for Tomcat, in which case it would be responsible for  
setting REMOTE_USER via some mechanism or module, but we don't  
recommend that deployment approach.  443 and 8443 are the only ports  
you should need open.


On Sep 16, 2012, at 23:26 , Mauro Minella wrote:

> I re-installed everything from scratch and now the situation is a  
> little clearer, but still faulty.
> To recap:
> - I installed shib idp version 2.3.5
> - I have Java 6U35 (see my previous thread "credentials not  
> recognized" that I got with version 7)
> - the ecp endpoint configured in my relying party (Office 365  
> Federation Gateway) is
> - passive authentication DOES work
> - active client (Outlook 2010) keeps presenting the password
> request, endlessly
> - if I try opening the ecp endpoint above, the browser pops up a  
> dialog box with username/pwd request, which does NOT accept my  
> credentials
> - the failed ecp authentication attempts WERE logged with "ERROR:  
> REMOTE_USER not set, unable to set principal name" BEFORE I updated  
> default web.xml. After I updated it (as follows) and re-deployed/ 
> restarted tomcat, such ecp authentication requests are not tracked  
> at all
> Ideas (sorry if trivial):
> - maybe apache should be configured too, in order to require Basic  
> Auth for the ECP location?
> - is Apache contacted even by the active clients, or should I make
> sure that another port is open, rather than 443 and 8443?
