tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael B Allen <>
Subject Kerberos Delegation w/ ISAPI?
Date Thu, 07 Sep 2006 14:30:32 GMT
I have a Kerberos delegation issue caused by the separation of IIS worker
processes and the Tomcat server on Windows.

Specifically, the customer is running Tomcat through ISAPI on Windows with
ISS using Integrated Windows Authentication (Kerberos). Authentication
is working. The getRemoteUser method returns the user's expected
identity. Delegation is working. An ASP can use the clients credentials to
request another protected page on a second IIS server. Note, impersonation
is not used in any way shape or form (nor would it work).

I put together a Kerberos capable HTTP client and tried to invoke it
through the IIS authenticated Servlet. This does not work. The JGSS
routines cannot find the delegated ticket (TGT).

I believe this is because Windows' credential caches are per logon
session and IIS creates a new logon session for each authentication [1].

So, my question is, does Tomcat's ISAPI dll provide any mechainsm
that might assist in getting delegated Kerberos credentials of clients
authenticated using IIS's IWA?

Has anyone encountered this issue before?

Has anyone considered using GSSContext.export() and
GSSManager.createContext() to export the Kerberos ticket and transfer
it to the Tomcat worker? Or one might call LsaGetLogonSessionData [2]
directly to make things as effecient as possible.

This would be a nice feature as there are many pure MS SSO shops that
don't like the idea of running Tomcat stand alone.

Any comments are greatly appreciated.


[1] Actually I'm not entirely certain about the logon session partitioning
in the IIS scenario but it suffices to say Tomcat cannot access that
logon session.

[2] The MIT kfw source is a good reference for directly querying the
Windows credential cache.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message