tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Borut Hadžialić <>
Subject Re: Windows Authentication: Issue 49318 vs 47679
Date Mon, 28 Mar 2011 07:42:24 GMT
Hellos Stefan,

if you can't fix your problem with configuration and decide that you
want to solve the problem by programming, then this might help you
After understanding that article a developer should be able to add a
SPNEGO implementation (probably not the whole protocol, just as much
it is needed for your app) to your Tomcat application by adding some
What the implementation needs to do is basically:
 1. If there is a 'Negotiate ..' http header or other authentication,
read it and process it.

 2. Otherwise if there is no authentication, send a spnego challenge
        //HttpServletResponse response
        response.addHeader("WWW-Authenticate", "Negotiate");

On Sun, Mar 27, 2011 at 8:26 PM, Stefan Mayr <> wrote:
> Hello everybody,
> as many others before we wanted to do single-sign-on for intranet web
> applications using integrated windows authentication (negotiate because IE
> sometimes tries NTLM instead of using plain kerberos - breaking all our
> kerberos-only experiments).
> We thought that IIS would be the best choice for integrated windows
> authentication and we could pass the user via AJP (using mod_jk) to our
> tomcat instances.
> Our setup:
> - Windows 2008 R2 using IIS 7.5 (64bit)
> - mod_jk 1.2.31
> - Oracle Java 1.6 U24
> - Tomcat 6.0.32
> At first glance using tomcatAuthentication=false worked as expected. We got
> the remote user and started deploying an application. End of happiness - the
> application complained about a missing user-agent. That header was not
> passed to tomcat when authentication was enabled on IIS.
> Some research revealed Bug 47679 - Not all headers get passed to Tomcat
> server from isapi_redirect.dll
> (
> Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
> integrate Waffle (
> The last comment links a new Windows Authentication How-To from Mark Thomas.
> Looks like we have already tried almost all proposed solutions:
> - IIS + mod_jk:
>  tried but stuck in Bug 47679. Also tried ARR to pass the user name
>  as a request header from IIS to Tomcat without success
> - Apache mod_ntlm: used it and we replaced it by the much more stable
>  mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
>  plattform - we couldn't get stability problems solved on Apache 2.2
>  and 64bit Linux. No ongoing development.
> - Apache mod_auth_sspi: till now in internal use for a very small
>  project (works just fine), not sure about the future. Although
>  there seems to be some new activity on 1.0.5 beta
> - Waffle: found it on thursday and it is on my our todo-list for
>  testing it next week
> Any chances to get Bug 47679 solved? How can we help (we are admins, no
> devs)?
> What solutions have you deployed? Recommendations?
> Thank you,
>        Stefan Mayr
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Because YES!

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message