tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Mayr <>
Subject Re: Windows Authentication: Issue 49318 vs 47679
Date Mon, 28 Mar 2011 21:31:20 GMT
Hi Mark,

Am 28.03.2011 10:49, schrieb Mark Thomas:
> On 28/03/2011 08:42, Borut Hadžialić wrote:
>> Hellos Stefan,
>> if you can't fix your problem with configuration and decide that you
>> want to solve the problem by programming, then this might help you
>> After understanding that article a developer should be able to add a
>> SPNEGO implementation (probably not the whole protocol, just as much
>> it is needed for your app) to your Tomcat application by adding some
>> filters.
> Or you could just add Spring Security to your app. I'll add that as an
> option to the new How-To.

I guess this is the classic kerberos/keytab approach (no NTLM-fallback) 
that many solutions offer.

>>> Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
>>> integrate Waffle (
>>> The last comment links a new Windows Authentication How-To from Mark Thomas.
>>> Looks like we have already tried almost all proposed solutions:
> Thanks for the great feedback on the options. I put the existing how-to
> together pretty much entirely on some Google searches. I'll add your
> feedback to the how-to / maybe remove some options that don't look viable.
>>> - IIS + mod_jk:
>>>   tried but stuck in Bug 47679. Also tried ARR to pass the user name
>>>   as a request header from IIS to Tomcat without success
>>> - Apache mod_ntlm: used it and we replaced it by the much more stable
>>>   mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
>>> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
>>>   plattform - we couldn't get stability problems solved on Apache 2.2
>>>   and 64bit Linux. No ongoing development.
>>> - Apache mod_auth_sspi: till now in internal use for a very small
>>>   project (works just fine), not sure about the future. Although
>>>   there seems to be some new activity on 1.0.5 beta
>>> - Waffle: found it on thursday and it is on my our todo-list for
>>>   testing it next week
>>> Any chances to get Bug 47679 solved? How can we help (we are admins, no
>>> devs)?
>>> What solutions have you deployed? Recommendations?
> It is tricky to recommend something right now. I'm guessing you want
> something that a) works reliably and b) is likely to be supported for
> the long term. Right now Waffle probably comes closest to that. It you
> can wait a little while, I should have SPNEGO support in Tomcat 7 fairly
> soon. It may - or may not - get back-ported to Tomcat 6. It will depend
> on the eventual solution.

You're definitely right. We search for the holy grail of intranet 
authentication. a+b is a must.

The idea of using IIS with ARR in reverse proxy mode passing a username 
was dead end: Microsoft pointed us to a nice article describing HTTP 
request processing order. Rewriting a request comes before the 
authentication modul - so nothing to append to a header or request in 
the first place.
Leaves IIS with mod_jk if you can live with Bug 47679.

Our first test with Waffle is promising. Now it needs to be integrated 
and in our application for further testing.

Native SPNEGO in Tomcat sounds great. Waiting a little while depends on 
your scale of "little". Is there already some development we can follow? 
Will this use Java GSS? I never figured out how to configure this with 


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message