tomcat-users mailing list archives

From Brett Delle Grazie <>
Subject Re: very basic question about apache and tomcat
Date Thu, 20 Sep 2012 22:19:15 GMT
On 20 September 2012 17:20, Mark Thomas <> wrote:
> "Mead, Jen L" <> wrote:
>>Hi Chris,
>>I met you at a PERL conference years and years ago along with a bunch
>>of other people you met.  Anyways.  Exactly what I am trying to do is
>>allow folks to use their web browser (I would like to stick with tomcat
>>7.0.27 on aix 6.1) from their windows workstation and authenticate
>>against the windows domain.  I am hoping this can be accomplished
>>without creating unix accounts.  The permissions for it, page access or
>>run the tool would reside in the tomcat configuration side, but all
>>authentication would be from the windows side.  If you can tell me
>>how to do that I would be pretty happy.  I cannot find documentation on
>>how to do it.
> Did you find this?
> I haven't tested this when Tomcat is on a non-Windows platform. It is
> certainly possible for this to work although whether any other pieces
> (such as samba) are required and what their configuration might be I
> don't know. OTOH, it might just work.

Samba is one way; in that context the AIX box becomes a member of the
Windows AD.
If that isn't possible:
Another alternative is bi- or uni-directional cross-realm trusts.
That's where there is a Unix Kerberos realm and the Windows AD realm
and there is a trust either between each realm or in one direction
only. Cross-realm keys are quite easy to create in the more recent
versions of Windows Server (2008+).

In this situation, the authentication trust could be configured only
one way (i.e. Windows AD users are trusted for authentication purposes
to the AIX Tomcat service).

I'm a bit fuzzy on the details since I last looked at this several
years ago. From what I remember the following is needed:
(a) Cross-realm keys in one or both directions (i.e. resulting in one
    or two sets of keys).
    - Getting this right on the Windows side was quite difficult due to
      different encryption standards in use, different 'versions' of
      keys etc. Modern versions of Windows Server do make this easier.
(b) A key on the AIX box representing the service (Tomcat), but in this
    case the service key is for the local Unix Kerberos realm, not the
    Windows AD realm.
(c) A browser that permits Kerberos-based authentication (e.g. Firefox,
    or IE with the site added to the trusted sites area).
(d) Patience, luck and lots of log perusal.

I've used this in a managed service environment but it's complicated
and error prone to configure.

> I'll add looking at this to my to do list but it is a long list...
> Mark
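An added example, not part of the original message or of Tomcat itself: a small Python check for the cross-realm keys in item (a), flagging a missing key, a key version mismatch, or no shared encryption type between the two KDCs. The realm names and KDC listings are constructed, and it assumes each KDC's key version and encryption types have been transcribed by hand into a dictionary.

```python
# Added example: consistency check for the cross-realm keys in step (a).
# Realm names and KDC listings are constructed, not taken from the thread.

def required_principals(client_realm, service_realm, two_way=False):
    """Cross-realm krbtgt principals needed for users in client_realm to
    reach services in service_realm (plus the reverse if two_way)."""
    names = [f"krbtgt/{service_realm}@{client_realm}"]
    if two_way:
        names.append(f"krbtgt/{client_realm}@{service_realm}")
    return names

def check_trust(client_kdc, service_kdc, client_realm, service_realm,
                two_way=False):
    """Each *_kdc maps principal -> (kvno, set of enctypes), transcribed by
    hand from that KDC. Returns a list of problems; empty means consistent."""
    problems = []
    for name in required_principals(client_realm, service_realm, two_way):
        sides = {"client KDC": client_kdc.get(name),
                 "service KDC": service_kdc.get(name)}
        missing = [side for side, entry in sides.items() if entry is None]
        if missing:
            problems.append(f"{name}: missing on {' and '.join(missing)}")
            continue
        (kvno_a, etypes_a), (kvno_b, etypes_b) = sides.values()
        if kvno_a != kvno_b:
            problems.append(f"{name}: kvno differs ({kvno_a} vs {kvno_b})")
        if not set(etypes_a) & set(etypes_b):
            problems.append(f"{name}: no common enctype")
    return problems

# Constructed sample: AD holds an RC4-only key, the Unix realm AES-only keys.
AD, UNIX = "AD.EXAMPLE.COM", "UNIX.EXAMPLE.COM"
AD_KDC = {f"krbtgt/{UNIX}@{AD}": (1, {"rc4-hmac"})}
UNIX_KDC = {f"krbtgt/{UNIX}@{AD}": (2, {"aes256-cts-hmac-sha1-96",
                                        "aes128-cts-hmac-sha1-96"})}

if __name__ == "__main__":
    # One-way trust: AD users authenticating to the Tomcat service realm.
    for problem in check_trust(AD_KDC, UNIX_KDC, AD, UNIX):
        print(problem)
```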