tomcat-users mailing list archives

From Marcel Stör <>
Subject Re: Tomcat connector for IIS, are user groups passed along?
Date Thu, 13 Oct 2011 06:43:20 GMT
On 13.10.2011 00:14, chris derham wrote:
>> - it would probably require serious coding changes to do it (notably
>> because in the AJP protocol, there is no attribute or packet type foreseen
>> to pass such information per se)
>> - and there are some conceptual issues linked to this, essentially because
>> the very notion of AD/NTLM "user groups" is something valid only in an
>> MS-centric context (and Tomcat has to work in other contexts).
> Kerberos is a cross-platform standard, allowing for groups to be embedded in
> the token. Nothing Windows specific about that. I've definitely had a Windows
> primary domain controller and clients running on Windows talking to a Tomcat
> running on Linux, and allowing access to the group info in the Kerberos
> tokens.

How did you configure this? Was Tomcat responsible for the Kerberos 
authentication against the Windows Active Directory?

>> For another option, in Tomcat 7.x there is also a new SPNEGO authentication
>> mechanism available, described here :
> SPNEGO is Simple Protocol for Negotiating Authentication (or something like
> that). It basically causes a Kerberos token to be added via an HTTP header
> called authentication. I don't know anything about the ISAPI connector, but
> if it could pass through the authentication header with the Kerberos token,
> then on the Tomcat side you can decode the Kerberos token and access the user's
> groups. So that should work, and should work at no cost - well, you'll need
> to spend some time configuring it and getting accounts set up, but it should be
> easy enough.

Do you happen to have instructions for this?


Marcel Stör,
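As an added example, not instructions from anyone in this thread: the Tomcat 7 configuration that realises what the quoted reply describes (the Kerberos token arrives in the Authorization: Negotiate header, Tomcat's SPNEGO authenticator accepts it, and roles are resolved against Active Directory by a JNDIRealm). The example.com hostnames, DNs, role name and password are placeholders.

```xml
<!-- WEB-INF/web.xml of the protected application (constructed example) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- An AD group name; JNDIRealm maps group cn values to roles -->
    <role-name>tomcat-users</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <!-- Tomcat 7.x built-in SPNEGO authenticator (Negotiate / Kerberos) -->
  <auth-method>SPNEGO</auth-method>
  <realm-name>SPNEGO</realm-name>
</login-config>
<security-role>
  <role-name>tomcat-users</role-name>
</security-role>

<!-- server.xml or context.xml: resolve the authenticated user and groups in AD
     (constructed example; placeholder host, DNs and password) -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc.example.com:389"
       connectionName="CN=tomcat-svc,CN=Users,DC=example,DC=com"
       connectionPassword="PLACEHOLDER-CHANGE-ME"
       userBase="CN=Users,DC=example,DC=com"
       userSubtree="true"
       userSearch="(userPrincipalName={0})"
       roleBase="OU=Groups,DC=example,DC=com"
       roleSubtree="true"
       roleName="cn"
       roleSearch="(member={0})"/>
```

SPNEGO hands the realm the name as user@REALM, which is why userSearch matches userPrincipalName rather than sAMAccountName; Tomcat also needs a JAAS file whose com.sun.security.jgss.krb5.accept entry uses Krb5LoginModule with the HTTP/host keytab, selected with -Djava.security.auth.login.config, plus -Djava.security.krb5.conf for the KDC settings. Note that group membership here comes from the LDAP lookup, not from the ticket: Tomcat's SPNEGO authenticator does not decode the PAC authorization data carried in the Kerberos token.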