tomcat-users mailing list archives

From "Mead, Jen L" <Mead....@con-way.com>
Subject looking for help with getting tomcat 7 to authenticate against windows domain controller from aix 6.1 and 5.3
Date Mon, 04 Jun 2012 18:42:38 GMT
Hi,

I am brand new to tomcat 7 and am hoping to get realms set up for users to use my CGI scripts
using their windows password.  So far I have put a request into the windows group to create
a user for this verification.  I followed the example in the tomcat manual as follows:

 *   Create a domain user that will be mapped to the service name used by the Tomcat server.
In this how-to, this user is called tc01 and has a password of tc01pass.
 *   Map the service principal name (SPN) to the user account. SPNs take the form <service
class>/<host>:<port>/<service name>. The SPN used in this how-to is HTTP/win-tc01.dev.local.
To map the user to the SPN, run the following:

setspn -A HTTP/win-tc01.dev.local tc01

 *   Generate the keytab file that the Tomcat server will use to authenticate itself to the
domain controller. This file contains the Tomcat private key for the service provider account
and should be protected accordingly. To generate the file, run the following command (all
on a single line):

ktpass /out c:\tomcat.keytab /mapuser tc01@DEV.LOCAL
          /princ HTTP/win-tc01.dev.local@DEV.LOCAL
          /pass tc01pass /kvno 0

 *   Create a domain user to be used on the client. In this how-to the domain user is test
with a password of testpass.

I then went into the next section and started to do some configuration on the tomcat server,
which right now is a prototype and is an AIX box running 5300-12-04-1119.

My question is: does the box need to be configured for Kerberos?  If so how does the Kerberos
authentication work with tomcat?  The above code sent to the windows group creates a tomcat
user, should there also be a Kerberos user?  How would they work together?  Or do they need
to?  Should they be the same user?  The documentation does not address this situation in any
way at all except to specify that Kerberos is required on the unix box, it doesn't address
AIX specifically ever.

I work at a place where the admin team is halfway around the world.  So each and every request
and test is painstakingly long and obscure for the most part.  So any and all information
I come armed with is the only way to fly.  Has anyone succeeded with this on unix or better
yet AIX?  Any and all information is greatly appreciated.

Regards,
Jen in Oregon


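Editor's note on the ktpass step quoted above: when the keytab is produced by a remote admin team and copied to the Unix box, the first thing worth doing before touching Tomcat's JAAS or realm configuration is to confirm that the file actually contains the expected service principal (HTTP/win-tc01.dev.local@DEV.LOCAL in the how-to), and with which key version number (kvno) and encryption types. A keytab whose principal name differs in case or realm, or whose kvno no longer matches the account (for instance after the tc01 password was reset), cannot decrypt the service tickets clients present, and the failure surfaces only as an opaque GSS error in Tomcat. The following is an added example, not code from the original post or from the Tomcat documentation: a small parser for the MIT keytab file format (version 0x0502, the format ktpass writes) plus a check routine. The keytab bytes it inspects are constructed inline by a helper so it runs offline; on a real system you would read the file the admins delivered instead.

```python
import struct

# Encryption type numbers as they appear in a keytab key block (RFC 3961 / IANA registry).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

KRB5_NT_PRINCIPAL = 1  # name type used for service principals such as HTTP/host


def _counted(data, pos):
    """Read a counted octet string (uint16 big-endian length + bytes); return (bytes, new_pos)."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data):
    """Parse an MIT-format keytab (version bytes 0x05 0x02) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # signed: negative = deleted slot
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)  # v2: realm not counted here
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen                                # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                               # optional 32-bit kvno at the end
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "unknown(%d)" % etype),
            "key_len": keylen,
        })
    return entries


def check_keytab(data, expected_principal):
    """Report whether expected_principal is present (exact, case-sensitive match) and how."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    return {
        "found": bool(matching),
        "kvnos": sorted({e["kvno"] for e in matching}),
        "etypes": sorted({e["etype_name"] for e in matching}),
        "other_principals": sorted({e["principal"] for e in entries} - {expected_principal}),
    }


def build_keytab_entry(principal, kvno, etype, key, timestamp=0):
    """Encode one entry in the same format parse_keytab reads (used only to build the sample)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab: two keys for the how-to's SPN plus an unrelated host principal.
# Key bytes and kvno values are made up for illustration only.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_keytab_entry("HTTP/win-tc01.dev.local@DEV.LOCAL", 3, 23, b"\x11" * 16, 1338835358),
    build_keytab_entry("HTTP/win-tc01.dev.local@DEV.LOCAL", 3, 18, b"\x22" * 32, 1338835358),
    build_keytab_entry("host/otherbox.dev.local@DEV.LOCAL", 7, 23, b"\x33" * 16, 1338835358),
])

if __name__ == "__main__":
    report = check_keytab(SAMPLE_KEYTAB, "HTTP/win-tc01.dev.local@DEV.LOCAL")
    for key, value in report.items():
        print("%-17s %s" % (key + ":", value))
```

Usage against a real file is `check_keytab(open("/path/to/tomcat.keytab", "rb").read(), "HTTP/win-tc01.dev.local@DEV.LOCAL")`. If `found` is false, compare the principal strings character by character (the realm must be upper case and the host part must match the name clients resolve), and if `kvnos` disagrees with what the domain controller reports for the tc01 account, the keytab has to be regenerated rather than Tomcat reconfigured.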