tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: How can I get the user value in the request forwarded to my Tomcat in my Java app?
Date Fri, 04 Jun 2010 15:28:03 GMT

Unfortunately again, in this case we are operating at the limits of my 
own knowledge.  So your idea of calling in a real Windows authentication 
specialist may be your best bet.
See below for more details.

Savoy, Melinda wrote:
> Thanks Andre.   Appreciate the explanation.
> I downloaded Fiddler as you suggested, and meant to send this in the earlier post.

> In the RAW HEADER I get the following when I enter this URL in my IE browser:   http://scmisdev
> GET / HTTP/1.1
> Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash,
application/x-ms-application, application/x-ms-xbap, application/, application/xaml+xml,
application/msword, application/, application/, */*
> Accept-Language: en-us
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR
1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152;
.NET CLR 3.5.30729; MS-RTC LM 8)
> Accept-Encoding: gzip, deflate
> Connection: Keep-Alive
> Host: scmisdev
> In the AUTH window I see the following:
> No Proxy-Authenticate Header is present.
> WWW-Authenticate Header is present: Negotiate
> WWW-Authenticate Header is present: NTLM
This last puzzles me, because it does not match what you indicate just 
above : there does not appear to be an "Authorization: NTLM .." HTTP 
header in the request, but Fiddler2 seems to say there is.
I do not know the explanation of that.

> In the RAW window I see the following:
> HTTP/1.1 401 Unauthorized
> Content-Length: 1656
> Content-Type: text/html
> Server: Microsoft-IIS/6.0
> WWW-Authenticate: Negotiate
> WWW-Authenticate: NTLM

Here is a puzzle too (for me) : I do not understand why there are two 
distinct WWW-Authenticate headers.
Unfortunately, I don't have an IIS server handy to compare.

> Date: Fri, 04 Jun 2010 12:30:03 GMT
> Proxy-Support: Session-Based-Authentication

> <h1>You are not authorized to view this page</h1>
> You do not have permission to view this directory or page using the credentials that
you supplied because your Web browser is sending a WWW-Authenticate header field that the
Web server is not configured to accept.

This on the other hand seems clear : the IIS server is set up (for this 
"directory") to accept one mode of authentication (probably NTLM, only), 
and it gets mad because the browser is trying to authenticate using 
another method (probably this "Negotiate" method mentioned earlier).

And, it is still clear that this is an issue between the browser and the 
IIS server.  Tomcat is not yet involved here, and neither is the isapi 

One important question : when you are trying this, is your (presumably) 
Windows workstation logged into the same Windows domain as the one the 
server belongs to ?
(I mean, you are they both local in the same LAN, or are you accessing 
the server from home via some VPN or so ?)

Finally, by searching Google for
Authorization: Negotiate
I found the following, which seems to provide the beginning of an 
explanation :

At least it provides a clue as to why this HTTP header is present in the 
exchanges.  The article also provides references to further reading.
I have no idea at the moment if this is part of the problem you are 
having, but it triggers another question : is your organisation using 
Kerberos-type authentication for its Windows domain ?

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message