tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sue Roe <>
Subject IIS, Tomcat and NTLM Authentication
Date Thu, 27 Jan 2005 11:08:38 GMT


We have just upgraded our server software, running a Java application, as



IIS 4, Tomcat 4.1 - both running on same server - NT4


IIS 5, Tomcat 4.1 - both running on same server - Windows 2000


 The application is to be available to all staff, either over the Intranet
or the Internet.


An issue has arisen with NTLM authentication. We extract a users
domain\username details using NTLM Authentication, the code is listed at the
bottom of this e-mail. This mechanism worked 100% on the old configuration.
Unfortunately with the IIS server upgrade and change in OS the
authentication details do not seem to be being picked up in two scenarios. 


1.	IE 6, unless Enable Integrated Windows Authentication is disabled.
We don't really want Browser settings to affect access.
2.	IE 5! (We are trying to force client sites to upgrade to IE6, but
still why does the NTLM Authentication break down here?)


The IIS settings are as follow:

Default Web Site:         

Anonymous Access - OFF

                                    Basic Authentication - ON

                                    Integrated Windows Authentication - ON

Jakarta Virtual Directory:

Anonymous Access - ON

                                    Basic Authentication - ON

                                    Integrated Windows Authentication - ON


If anyone has had any similar experiences or knows of any other mechanism to
retrieve domain/username, it would be great to hear.






Code to Extract domain/user Details


String auth = request.getHeader("Authorization");

            if (auth == null) {


                response.setHeader("WWW-Authenticate", "NTLM");



            String domain = "";

            String username = "";

            if (auth.startsWith("NTLM ")) {

                byte[] msg = new

                int off = 0, length, offset;

                if (msg[8] == 1){

                    byte z = 0;

                    byte[] msg1 = {(byte)'N', (byte)'T', (byte)'L',
(byte)'M', (byte)'S', (byte)'S', (byte)'P',

                        z,(byte)2, z, z, z, z, z, z, z,(byte)40, z, z, z,

                        (byte)1, (byte)130, z, z,z, (byte)2, (byte)2,

                        (byte)2, z, z, z, z, z, z, z, z, z, z, z, z};

                    response.setHeader("WWW-Authenticate", "NTLM " +

                        new sun.misc.BASE64Encoder().encodeBuffer(msg1));



                } else if (msg[8] == 3) {

                    off = 30;

                    length = msg[off+17]*256 + msg[off+16];

                    offset = msg[off+19]*256 + msg[off+18];

                    String remoteHost = new String(msg, offset, length);

                    length = msg[off+1]*256 + msg[off];

                    offset = msg[off+3]*256 + msg[off+2];

                    domain = new String(msg, offset, length);

                    length = msg[off+9]*256 + msg[off+8];

                    offset = msg[off+11]*256 + msg[off+10];

                    username = new String(msg, offset, length);

                    String employeeNTLogin = domain + "\\" + username;

                    context.log("User NT Login: "+ employeeNTLogin + ":: " +
new Date(System.currentTimeMillis()));

                    session.setAttribute (Constants.DATABASE,

                    Employee userEmployee=null;

                    // 1. Get Employee Object for NT Login of User & Roles

                    try {

                        userEmployee =

                    } catch (DAOException daoex){



etc etc




The contents of this Email may be privileged and are confidential. If you are not the intended
recipient, any disclosure, copying, distribution or any action taken or omitted to be taken
in reliance on it, is prohibited and may be unlawful.

Should you wish to use Email as a mode of communication, CMi plc and its subsidiaries are
unable to guarantee the security of Email content outside of our own computer systems.

This footnote also confirms that this e-mail message has been swept by Mimesweeper for the
presence of computer viruses. Whilst we run anti-virus software, you are solely responsible
for ensuring that any  e-mail or attachment you receive is virus free. We disclaim any liability
for any damage you suffer as a consequence of receiving any virus.

Checkmate International plc (CMi)
Registered in England No 1899857 
Registered Office  4th Floor, 35 New Bridge Street, London, EC4V 6BW
Head Office Tele + 44  (0) 1993 885600
Head Office Fax  + 44  (0) 1993 885603
Web Site :

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message