Reputation: 1095
Tomcat Windows Service (Apache Commons procsrv) "The user name or password is incorrect"
I've spent 2+ days trying to get this to work and hope somebody might be able to point me in the right direction...
I am trying to run Tomcat 8 on Windows Server 2012 R2 as a service as a specific username. Due to the complexity of my application I am directly running tomcat8.exe //IS/... instead of using the service.bat script.
When the service runs I get these errors in the commons log:
[2016-05-31 18:00:14] [debug] ( prunsrv.c:1679) [ 3280] Commons Daemon procrun log initialized
[2016-05-31 18:00:14] [info] ( prunsrv.c:1683) [ 3280] Commons Daemon procrun (1.0.15.0 64-bit) started
[2016-05-31 18:00:14] [info] ( prunsrv.c:1580) [ 3280] Debugging 'CertAccordServer' service...
[2016-05-31 18:00:14] [debug] ( prunsrv.c:1374) [ 3280] Inside ServiceMain...
[2016-05-31 18:00:14] [debug] ( prunsrv.c:844 ) [ 3280] reportServiceStatusE: 2, 0, 3000, 0
[2016-05-31 18:00:14] [info] ( prunsrv.c:1127) [ 3280] Starting service...
[2016-05-31 18:00:14] [error] (rprocess.c:497 ) [ 3280] The user name or password is incorrect.
[2016-05-31 18:00:14] [error] ( prunsrv.c:1210) [ 3280] Failed to create process
[2016-05-31 18:00:14] [error] ( prunsrv.c:1210) [ 3280] The user name or password is incorrect.
[2016-05-31 18:00:14] [error] ( prunsrv.c:1536) [ 3280] ServiceStart returned 1
[2016-05-31 18:00:14] [error] ( prunsrv.c:1536) [ 3280] The user name or password is incorrect.
[2016-05-31 18:00:14] [debug] ( prunsrv.c:844 ) [ 3280] reportServiceStatusE: 1, 1066, 0, 1
[2016-05-31 18:00:14] [info] ( prunsrv.c:1582) [ 3280] Debug service finished with exit code 1
[2016-05-31 18:00:14] [error] ( prunsrv.c:1755) [ 3280] Commons Daemon procrun failed with exit value: 3 (Failed to run service as console application)
[2016-05-31 18:00:14] [error] ( prunsrv.c:1755) [ 3280] The user name or password is incorrect.
Here is the full command I use to add the service:
./tomcat8.exe \
//IS//MyServer \
--LogLevel Debug \
--Description "My service info" \
--DisplayName "My Server" \
--Install 'C:\Program Files\MyServer\tomcat\bin\tomcat8.exe' \
--LogPath 'C:\ProgramData\MyServer\tomcat\logs' \
--ServiceUser '[email protected]' \
--ServicePassword test123 \
--StdOutput auto \
--StdError auto \
--StartImage "C:\Program Files\MyServer\java\bin\java.exe" \
--Startup auto \
--StartMode exe \
--StopMode exe \
--StartParams start \
--StopParams stop \
--StartClass org.apache.catalina.startup.Bootstrap \
--StopClass org.apache.catalina.startup.Bootstrap \
--JvmOptions "-Dcmb.productdir=C:\Program Files\MyServer;-Dcmb.datadir=C:\ProgramData\MyServer;-Dcatalina.home=C:\Program Files\MyServer\tomcat;-Dcatalina.base=C:\ProgramData\MyServer\tomcat;-Djava.endorsed.dirs=C:\Program Files\MyServer\tomcat\endorsed;-Djava.io.tmpdir=C:\ProgramData\MyServer\tomcat\temp;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=C:\ProgramData\MyServer\tomcat\conf\logging.properties" \
--JvmMs 256m \
--JvmMx 1024m \
--Classpath "C:\Program Files\MyServer\tomcat\bin\bootstrap.jar;C:\Program Files\MyServer\tomcat\bin\tomcat-juli.jar;C:\ProgramData\MyServer\resource;C:\Program Files\MyServer\resource"
In place of --ServiceUser and --ServicePassword I've also tried --User and --Password. The failure is the same.
When I use --ServiceUser and go into Windows Services, find MyServer -> Properties -> LogOn -> This Account shows [email protected]. When I use --User the properties panel has This Account as blank and Local System selected.
The [email protected] is an AD account. On the local system where tomcat8 service is being added it has a group policy which gives it "Log On as a service".
I also verified that [email protected] is a valid account and the password matches by running this from a cmd prompt:
runas /noprofile /user:[email protected] notepad
Enter the password for [email protected]: test123
When I look at the Apache Commons procsrv C code I found this section which appears to be where the "Failed to create process" and then "The user name or password is incorrect" errors are triggered:
if (!LogonUserW(szUsername,
NULL,
szPassword,
bLogonAsService ? LOGON32_LOGON_SERVICE : LOGON32_LOGON_NETWORK,
LOGON32_PROVIDER_DEFAULT,
&hUser)) {
/* Logon Failed */
apxLogWrite(APXLOG_MARK_SYSERR);
return NULL;
}
I wrote a simple C program with the above code and verified that if szPassword is NULL or not a match for the AD password for [email protected] I get "The user name or password is incorrect".
I can't think of anything else to try. I'm stuck. :(
Upvotes: 1
Views: 4122
Answers (3)
Reputation: 29168
When entering commands, you should do so as Administrator. E.g. from Windows start menu, type in cmd, right click on the cmd.exe or Command Prompt it gives you, and select Run as administrator.
Install TomcatN as a service:
Just run tomcat's c:\path\to\TomcatN\bin\service.bat and give it a service name to use, i.e. Tomcat8. Or,
sc Create TomcatN binPath= "c:\path\to\TomcatN\bin\tomcatN.exe" displayName= "Apache Tomcat N"
Set the service to run as a specific user:
Most of the time you don't need this. But sometimes you need to access the Windows network as a registered user. For example, if you are taking advantage of some Active Directory functionality. It might work to use the following:
C:\path\to\tomcatN\bin\service.bat install TomcatN --user=George --password=abc123
But probably not. You can configure the service manually instead.
Manually configure the service to use a specific username and password:
From the Windows command prompt, you can use the services configurator. Some commands of interest:
sc
sc query TomcatN
sc qc TomcatN
sc config TomcatN obj= "MyHostName\George" password= "abc123"
Take care to note the space that comes after the equal signs in that last command.
Ensure the user has permissions:
Enter the gpedit.msc command. In the GUI that appears, navigate to
Local Computer Policy | ...
- Computer Configuration | ...
- Windows Settings | []Log on as a service
- Security Settings | ...
User Rights Assignment | ...
Double-click on Log on as a service and Add User or Group.... Type the shorthand for the username you want the service to use into the field, click Check Names, and press OK.
Confirm that TomcatN is running as intended:
You can use the following commands to start, stop, and check the status of the service:
net start TomcatN
net stop TomcatN
sc query TomcatN
Checking that the login works as intended
Make sure you've started the service running. Open Windows Task Manager and view the Processes tab. Click on Show processes from all users if necessary. TomcatN should be listed, with the username you specified next to it.
Credit goes to @andrewk
Resource Link:
- How do I run Tomcat service as a specific user in Windows?
- Run Tomcat Service as Different User on Windows 7
Upvotes: 0
Reputation: 13619
Looking at the Apache Commons Daemon code, I see that the only time that Tomcat actually needs the user details is when it's starting as a separate executable - i.e. when you have installed it as -StartMode exe.
Looking at the way that tomcat is normally installed in service.bat, I see that this uses the JNI form of invocation - i.e. -StartMode jvm. This will not go through the problematic path and so should avoid your user/password problem.
Alternatively, if you actually need Tomcat to run as a separate executable... You can see in the same Apache Commons code linked above that it gets all its data from a combination of the command-line and the Windows Registry. Since you have installed your service with no command-line parameters, it will try to find the user and password in the registry. In addition, since you have not specified the User or Password on installation, it won't have saved them off to the registry either. It is therefore pulling in empty values.
So, you have two possible ways that you can resolve this problem:
- Start up (and stop) in JVM mode, using
-StartMode jvmwhen you install the service. - Specify both forms of
UserandPasswordwhen installing your service. This should put the extra data into the Registry and so make it available when the service tries to start.
Upvotes: 1
Reputation: 1
You used an incorrect parameter name for your username and password.
--ServiceUser '[email protected]' --ServicePassword test123
It should be:
--User '[email protected]' --Password test123
OR
Try this https://superuser.com/a/842867
Upvotes: 0
Related Questions
- How do I get current date/time on the Windows command line in a suitable format for usage in a file/folder name?
- How do I uninstall a Windows service if the files do not exist anymore?
- Starting of Tomcat failed from Netbeans
- Tomcat 8 Failed creating Java jli.dll
- mysqldump mysql 8, on a windows server without a password in the command line
- Tomcat8 as a Windows service - listen on network socket