tomcat-users mailing list archives

From Stefan Mayr <>
Subject Windows Authentication: Issue 49318 vs 47679
Date Sun, 27 Mar 2011 18:26:58 GMT
Hello everybody,

As many others before, we wanted to do single sign-on for intranet web 
applications using integrated Windows authentication (Negotiate, because 
IE sometimes tries NTLM instead of using plain Kerberos - breaking all 
our Kerberos-only experiments).

We thought that IIS would be the best choice for integrated windows 
authentication and we could pass the user via AJP (using mod_jk) to our 
tomcat instances.

Our setup:
- Windows 2008 R2 using IIS 7.5 (64bit)
- mod_jk 1.2.31
- Oracle Java 1.6 U24
- Tomcat 6.0.32

At first glance using tomcatAuthentication=false worked as expected. We 
got the remote user and started deploying an application. End of 
happiness - the application complained about a missing user-agent. That 
header was not passed to tomcat when authentication was enabled on IIS.

Some research revealed Bug 47679 - Not all headers get passed to Tomcat 
server from isapi_redirect.dll 

Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) 
authenticator / integrate Waffle 
( The last 
comment links a new Windows Authentication How-To from Mark Thomas. 
Looks like we have already tried almost all proposed solutions:

- IIS + mod_jk:
   tried but stuck in Bug 47679. Also tried ARR to pass the user name
   as a request header from IIS to Tomcat without success
- Apache mod_ntlm: used it and we replaced it by the much more stable
   mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
- Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
   platform - we couldn't get stability problems solved on Apache 2.2
   and 64bit Linux. No ongoing development.
- Apache mod_auth_sspi: till now in internal use for a very small
   project (works just fine), not sure about the future. Although
   there seems to be some new activity on 1.0.5 beta
- Waffle: found it on Thursday and it is on our todo-list for
   testing it next week

Any chances to get Bug 47679 solved? How can we help (we are admins, no 
What solutions have you deployed? Recommendations?

Thank you,

	Stefan Mayr
