tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henri Gomez" <>
Subject Re: NTLMAuthenticator for Apache Tomcat 6.0.18 (Intranet within a Microsoft domain) (GOOD links to source files)
Date Fri, 14 Nov 2008 15:55:51 GMT

Thanks for these.

I'd like to see it included in the next TC release

2008/11/14 Christophe Dupriez <>:
> Hi again Tomcat Developpers!
> (Message re-re-re-sent because attached files did not went through the MailList management
program and then Outlook resent an old version of my message): SORRY!
> The patch file is accessible:
> The new authenticator class is accessible:
> I wanted to:
> * centralize the parameterization of user authentication at the container level;
> * have a simple NTLM authentication for intranet users;
> * be able to run Tomcat in a Microsoft Active Directory network where the server is secured
(absolutely no login allowed to regular users)
> There is a Microsoft "specification" (bug?) by which all LDAP binds are evaluated on
the Domain Server (like if the user was attempting to login on the Domain Server).
> It would be better to have binds evaluated as if they were originating from the LDAP
client machine (the Tomcat Server).
> To circumvent this, I have been obliged to remove the binding (the password checking)
but to ensure that it is NTLM (and nothing else) which provides the username.
> The users are therefore automatically logged with the username used to log on their PC.
> The attached patch is for current Apache Tomcat sources (6.0.18).
> It adds:
> An NTLM Authenticator: nothing to configure except in the web.xml of each application:
>   <login-config>
>       <auth-method>NTLM</auth-method>
>       <realm-name>ThisIsApassword</realm-name>
>   </login-config>
> The realm-name is the "password" which ensures that authentication is done by NTLM and
no other method.
> A very long password is strongly recommended.
> A modified JNDI Realm with new parameters:
> preAuthenticatedPassword="ThisIsApassword"
> This to suppress password checking if preAuthenticatedPassword is provided.
> userIdentification="userPrincipalName" provides a standardized username, whatever the
retrieved user name (case of complex userSearch patterns)
> userNamePrefix and userNameSuffix
> This to suppress a prefix and/or a suffix from username before returning it to the application:
good to suppress domain identification, etc.
> When you user complex userSearch pattern, this can be very useful. Example:
> userSearch="(|(sAMAccountName={0})(userPrincipalName={0}{0}))"
> userIdentification="userPrincipalName" userNamePrefix="domain\" userNameSuffix=""
> Hopes this can be useful to the community!
> Please do not hesitate to ask me what I should do to make this contribution perennial.
> Wishing you a very nice weekend,
> Christophe Dupriez
> Centre Antipoisons - Antigifcentrum
> C/o Hôpital Central de la Base Reine Astrid
>   Rue Bruyn - 1120 Bruxelles - Belgique
> tel 32-(0) fax 32-(0)

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message