tomcat-users mailing list archives

From Cédric Couralet <>
Subject Re: IWA username using JSP for Already authenticated Window system
Date Tue, 26 Mar 2013 05:20:05 GMT
>> One thing to watch for is that the client must use Kerberos and not
>> NTLM (it's a guess but it seems logical) .
> Sorry to burst in, but can you elaborate on that ?
> Why does it seem logical ?  To my own (admittedly limited) knowledge,
> Kerberos is not the most widely implemented solution in Windows networks,
> NTLMv2 is.  Does the SPNEGO implementation in Tomcat not work with NTLMv2
> then ?
Only on a linux box.
In my mind, NTLM being a Microsoft protocol, the chance of it working
on a linux box was small.

That is what I observed. When the tomcat on my linux was configured
with the SPNEGO valve, at first my browser was talking NTLM
(apparently, you can see that when the first response to the negotiate
challenge begins with NTRLM...), and I got an error in tomcat log
saying can't validate client ticket.

Once I declared the box in the active directory dns, my browser
stopped using NTLM for Kerberos and everything works as expected.

It should be apparent I'm really not an expert on that, so all that is
just some guesses. I'm still studying all that.

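The check described in the message above (telling from the token in the client's `Authorization: Negotiate` header whether the browser is talking NTLM or Kerberos) can be scripted. This is an added example, not part of the original message or of Tomcat; the function and sample names are hypothetical, the sample tokens are constructed, and the OID scan is a heuristic rather than a full DER parser. A raw NTLMSSP message base64-encodes to a value starting with `TlRMTVNTUAAB`.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10


def classify_negotiate(header_value):
    """Classify an Authorization header value ('Negotiate <base64>') as
    'ntlm', 'spnego-ntlm', 'kerberos' or 'unknown'."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(NTLMSSP_SIG):       # raw NTLMSSP, no GSS-API framing
        return "ntlm"
    if not token.startswith(b"\x60"):       # GSS-API initial token tag
        return "unknown"
    head = token[:64]
    # Heuristic, not a DER parser: the mechanism OID that appears first
    # is taken as the one the client is actually using.
    hits = [(head.find(oid), name)
            for oid, name in ((OID_KRB5, "kerberos"),
                              (OID_MS_KRB5, "kerberos"),
                              (OID_NTLMSSP, "spnego-ntlm"))
            if oid in head]
    return min(hits)[1] if hits else "unknown"


def tlv(tag, body):
    """DER tag-length-value, short-form length only (body < 128 bytes)."""
    return bytes([tag, len(body)]) + body


def negotiate_header(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (built here, not captured traffic).
SAMPLE_NTLM = negotiate_header(NTLMSSP_SIG + struct.pack("<II", 1, 0))
SAMPLE_KRB = negotiate_header(tlv(0x60, OID_SPNEGO + tlv(0xA0, tlv(0x30, tlv(
    0xA0, tlv(0x30, OID_MS_KRB5 + OID_KRB5 + OID_NTLMSSP))))))
```

A result of `ntlm` or `spnego-ntlm` on the first authenticated request means the client never obtained a Kerberos service ticket for the host name it used.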