tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tim Whittington <t...@apache.org>
Subject Re: Windows Authentication: Issue 49318 vs 47679
Date Mon, 11 Apr 2011 09:43:29 GMT
On Mon, Mar 28, 2011 at 7:26 AM, Stefan Mayr <stefan@mayr-stefan.de> wrote:
> Hello everybody,
>
> as many others before we wanted to do single-sign-on for intranet web
> applications using integrated windows authentication (negotiate because IE
> sometimes tries NTLM instead of using plain kerberos - breaking all our
> kerberos-only experiments).
>
> We thought that IIS would be the best choice for integrated windows
> authentication and we could pass the user via AJP (using mod_jk) to our
> tomcat instances.
>
> Our setup:
> - Windows 2008 R2 using IIS 7.5 (64bit)
> - mod_jk 1.2.31
> - Oracle Java 1.6 U24
> - Tomcat 6.0.32
>
> At first glance using tomcatAuthentication=false worked as expected. We got
> the remote user and started deploying an application. End of happiness - the
> application complained about a missing user-agent. That header was not
> passed to tomcat when authentication was enabled on IIS.
>
> Some research revealed Bug 47679 - Not all headers get passed to Tomcat
> server from isapi_redirect.dll
> (https://issues.apache.org/bugzilla/show_bug.cgi?id=47679)
>
> Today I've found Bug 49318 - add a Negotiate (Kerberos/NTLM) authenticator /
> integrate Waffle (https://issues.apache.org/bugzilla/show_bug.cgi?id=49318).
> The last comment links a new Windows Authentication How-To from Mark Thomas.
> Looks like we have already tried almost all proposed solutions:
>
> - IIS + mod_jk:
>  tried but stuck in Bug 47679. Also tried ARR to pass the user name
>  as a request header from IIS to Tomcat without success
> - Apache mod_ntlm: used it and we replaced it by the much more stable
>  mod_auth_ntlm_winbind. NTLMv1 is also disabled on Windows 7 (default)
> - Apache mod_auth_ntlm: in heavy use but stuck to Apache 2.0 and 32bit
>  plattform - we couldn't get stability problems solved on Apache 2.2
>  and 64bit Linux. No ongoing development.
> - Apache mod_auth_sspi: till now in internal use for a very small
>  project (works just fine), not sure about the future. Although
>  there seems to be some new activity on 1.0.5 beta
> - Waffle: found it on thursday and it is on my our todo-list for
>  testing it next week
>
> Any chances to get Bug 47679 solved? How can we help (we are admins, no
> devs)?
> What solutions have you deployed? Recommendations?

I've committed a fix for Bug 47679, which I hope will resolve the
issues people have been having using the ISAPI redirector in an
extension only mode.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message