Tomcat Windows 服务（Apache Commons procsrv）“用户名或密码不正确”

Question

I've spent 2+ days trying to get this to work and hope somebody might be able to point me in the right direction...

I am trying to run Tomcat 8 on Windows Server 2012 R2 as a service as a specific username. Due to the complexity of my application I am directly running tomcat8.exe //IS/... instead of using the service.bat script.

When the service runs I get these errors in the commons log:

[2016-05-31 18:00:14] [debug] ( prunsrv.c:1679) [ 3280] Commons Daemon procrun log initialized
[2016-05-31 18:00:14] [info]  ( prunsrv.c:1683) [ 3280] Commons Daemon procrun (1.0.15.0 64-bit) started
[2016-05-31 18:00:14] [info]  ( prunsrv.c:1580) [ 3280] Debugging 'CertAccordServer' service...
[2016-05-31 18:00:14] [debug] ( prunsrv.c:1374) [ 3280] Inside ServiceMain...
[2016-05-31 18:00:14] [debug] ( prunsrv.c:844 ) [ 3280] reportServiceStatusE: 2, 0, 3000, 0
[2016-05-31 18:00:14] [info]  ( prunsrv.c:1127) [ 3280] Starting service...
[2016-05-31 18:00:14] [error] (rprocess.c:497 ) [ 3280] The user name or password is incorrect.
[2016-05-31 18:00:14] [error] ( prunsrv.c:1210) [ 3280] Failed to create process
[2016-05-31 18:00:14] [error] ( prunsrv.c:1210) [ 3280] The user name or password is incorrect.
[2016-05-31 18:00:14] [error] ( prunsrv.c:1536) [ 3280] ServiceStart returned 1
[2016-05-31 18:00:14] [error] ( prunsrv.c:1536) [ 3280] The user name or password is incorrect.
[2016-05-31 18:00:14] [debug] ( prunsrv.c:844 ) [ 3280] reportServiceStatusE: 1, 1066, 0, 1
[2016-05-31 18:00:14] [info]  ( prunsrv.c:1582) [ 3280] Debug service finished with exit code 1
[2016-05-31 18:00:14] [error] ( prunsrv.c:1755) [ 3280] Commons Daemon procrun failed with exit value: 3 (Failed to run service as console application)
[2016-05-31 18:00:14] [error] ( prunsrv.c:1755) [ 3280] The user name or password is incorrect.

Here is the full command I use to add the service:

./tomcat8.exe \
  //IS//MyServer \
 --LogLevel Debug \
  --Description "My service info" \
  --DisplayName "My Server" \
  --Install 'C:\Program Files\MyServer\tomcat\bin\tomcat8.exe' \
  --LogPath 'C:\ProgramData\MyServer\tomcat\logs' \
  --ServiceUser 'myuser@contoso.com' \
  --ServicePassword test123 \
  --StdOutput auto \
  --StdError auto \
  --StartImage "C:\Program Files\MyServer\java\bin\java.exe" \
  --Startup auto \
  --StartMode exe \
  --StopMode exe \
  --StartParams start \
  --StopParams stop \
  --StartClass org.apache.catalina.startup.Bootstrap \
  --StopClass org.apache.catalina.startup.Bootstrap \
  --JvmOptions "-Dcmb.productdir=C:\Program Files\MyServer;-Dcmb.datadir=C:\ProgramData\MyServer;-Dcatalina.home=C:\Program Files\MyServer\tomcat;-Dcatalina.base=C:\ProgramData\MyServer\tomcat;-Djava.endorsed.dirs=C:\Program Files\MyServer\tomcat\endorsed;-Djava.io.tmpdir=C:\ProgramData\MyServer\tomcat\temp;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=C:\ProgramData\MyServer\tomcat\conf\logging.properties" \
  --JvmMs 256m \
  --JvmMx 1024m \
  --Classpath "C:\Program Files\MyServer\tomcat\bin\bootstrap.jar;C:\Program Files\MyServer\tomcat\bin\tomcat-juli.jar;C:\ProgramData\MyServer\resource;C:\Program Files\MyServer\resource"

In place of --ServiceUser and --ServicePassword I've also tried --User and --Password. The failure is the same.

When I use --ServiceUser and go into Windows Services, find MyServer -> Properties -> LogOn -> This Account shows myuser@contoso.com. When I use --User the properties panel has This Account as blank and Local System selected.

The myuser@contoso.com is an AD account. On the local system where tomcat8 service is being added it has a group policy which gives it "Log On as a service".

I also verified that myuser@contoso.com is a valid account and the password matches by running this from a cmd prompt:

runas /noprofile /user:myuser@contoso.com notepad
Enter the password for myuser@contoso.com: test123

When I look at the Apache Commons procsrv C code I found this section which appears to be where the "Failed to create process" and then "The user name or password is incorrect" errors are triggered:

  if (!LogonUserW(szUsername,
                    NULL,
                    szPassword,
                    bLogonAsService ? LOGON32_LOGON_SERVICE : LOGON32_LOGON_NETWORK,
                    LOGON32_PROVIDER_DEFAULT,
                    &hUser)) {
        /* Logon Failed */
        apxLogWrite(APXLOG_MARK_SYSERR);
        return NULL;
    }

I wrote a simple C program with the above code and verified that if szPassword is NULL or not a match for the AD password for myuser@contoso.com I get "The user name or password is incorrect".

I can't think of anything else to try. I'm stuck. :(

Answer 1

Looking at the Apache Commons Daemon code , I see that the only time that Tomcat actually needs the user details is when it's starting as a separate executable - ie when you have installed it as -StartMode exe .

Looking at the way that tomcat is normally installed in service.bat , I see that this uses the JNI form of invocation - ie -StartMode jvm . This will not go through the problematic path and so should avoid your user/password problem.

Alternatively, if you actually need Tomcat to run as a separate executable... You can see in the same Apache Commons code linked above that it gets all its data from a combination of the command-line and the Windows Registry. Since you have installed your service with no command-line parameters, it will try to find the user and password in the registry. In addition, since you have not specified the User or Password on installation, it won't have saved them off to the registry either. It is therefore pulling in empty values.

So, you have two possible ways that you can resolve this problem:

1. Start up (and stop) in JVM mode, using -StartMode jvm when you install the service.
2. Specify both forms of User and Password when installing your service. This should put the extra data into the Registry and so make it available when the service tries to start.

Answer 2

When entering commands, you should do so as Administrator. Eg from Windows start menu, type in cmd , right click on the cmd.exe or Command Prompt it gives you, and select Run as administrator .

Install TomcatN as a service:

Just run tomcat's c:\\path\\to\\TomcatN\\bin\\service.bat and give it a service name to use, ie Tomcat8 . Or,

sc Create TomcatN binPath= "c:\path\to\TomcatN\bin\tomcatN.exe" displayName= "Apache Tomcat N"

Set the service to run as a specific user:

Most of the time you don't need this. But sometimes you need to access the Windows network as a registered user. For example, if you are taking advantage of some Active Directory functionality. It might work to use the following:

C:\path\to\tomcatN\bin\service.bat install TomcatN --user=George --password=abc123

But probably not. You can configure the service manually instead.

Manually configure the service to use a specific username and password:

From the Windows command prompt, you can use the services configurator. Some commands of interest:

sc
sc query TomcatN
sc qc TomcatN
sc config TomcatN obj= "MyHostName\George" password= "abc123"

Take care to note the space that comes after the equal signs in that last command.

Ensure the user has permissions:

Enter the gpedit.msc command. In the GUI that appears, navigate to

Local Computer Policy                  | ...
    - Computer Configuration           | ...
        - Windows Settings             | []Log on as a service
            - Security Settings        | ...
                User Rights Assignment | ...

Double-click on Log on as a service and Add User or Group.... Type the shorthand for the username you want the service to use into the field, click Check Names , and press OK .

Confirm that TomcatN is running as intended:

You can use the following commands to start, stop, and check the status of the service:

net start TomcatN
net stop TomcatN
sc query TomcatN

Checking that the login works as intended

Make sure you've started the service running. Open Windows Task Manager and view the Processes tab. Click on Show processes from all users if necessary. TomcatN should be listed, with the username you specified next to it.

Credit goes to @ andrewk

Resource Link:

1. How do I run Tomcat service as a specific user in Windows?
2. Run Tomcat Service as Different User on Windows 7

Answer 3

You used an incorrect parameter name for your username and password.

--ServiceUser 'myuser@contoso.com' --ServicePassword test123

It should be:

--User 'myuser@contoso.com' --Password test123

OR

Try this https://superuser.com/a/842867